PF blocking even if set to pass all
Erik Norgaard
norgaard at locolomo.org
Thu Dec 13 14:57:06 PST 2007
RW wrote:
> On Thu, 13 Dec 2007 21:17:09 +0100
> Erik Norgaard <norgaard at locolomo.org> wrote:
>
>
>> I think it is possible to set a default rule, which for security
>> should be block, which means that any packet that falls through your
>> rule set will be blocked.
>
> I'm not aware that there is, the FAQ suggests having
>
> block in all
> block out all
>
> at the top.
>
>> Therefore, you should have "pass quick".
>
> With PF the last rule to be hit will be used, which means the default
> is normally applied at the beginning and then overridden. You don't
> need quick to avoid dropping off the bottom of the rules, unless you
> are trying to replicate an IPFW script in PF.

You're right, I'm thinking of the feature from IP-Filter.

Cheers,
--
Erik Nørgaard
Ph: +34.666334818 http://www.locolomo.org
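
The evaluation order RW describes, as an added example that is not part of the original message: a minimal model of PF's last-match-wins evaluation (with `quick`) beside first-match evaluation of the same rules. The `Rule` class, the function names and the rule set are constructed for illustration; the implicit pass for packets that match no rule follows pf.conf(5), and the first-match default of block is an assumption of the model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                 # "pass" or "block"
    direction: str              # "in", "out" or "any"
    port: Optional[int] = None  # None matches any port
    quick: bool = False         # PF "quick": stop evaluating once this rule matches

    def matches(self, direction, port):
        return self.direction in ("any", direction) and self.port in (None, port)

def pf_last_match(rules, direction, port):
    """PF order: every rule is checked, the last match decides, quick ends early."""
    verdict = "pass"  # PF's implicit result when no rule matches (pf.conf(5))
    for rule in rules:
        if rule.matches(direction, port):
            verdict = rule.action
            if rule.quick:
                break
    return verdict

def first_match(rules, direction, port, default="block"):
    """First-match order (IPFW style): the first matching rule decides.
    The default for unmatched packets is an assumption of this model."""
    for rule in rules:
        if rule.matches(direction, port):
            return rule.action
    return default

# Constructed rule set: the default block at the top, as in the FAQ lines
# quoted above, followed by a single exception for inbound port 22.
RULES = [
    Rule("block", "in"),
    Rule("block", "out"),
    Rule("pass", "in", port=22),
]

def demo():
    return {
        "pf_port_22": pf_last_match(RULES, "in", 22),        # later pass overrides block
        "pf_port_23": pf_last_match(RULES, "in", 23),        # only the default block matches
        "first_match_port_22": first_match(RULES, "in", 22), # same rules, block wins
        "pf_quick_block": pf_last_match(
            [Rule("block", "in", quick=True), RULES[2]], "in", 22),  # quick stops early
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Run under first-match order, the same three rules never reach the pass rule, which is why a rule set ported from a first-match firewall behaves differently under PF.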