pf filter settings
Matthew Seaman
matthew at FreeBSD.org
Wed Feb 6 15:51:10 UTC 2019
On 06/02/2019 14:48, James B. Byrne via freebsd-questions wrote:
> What is going on? Why does the rule 'block drop in log all' have
> effect and the rule
>
> pass log quick on $int_if \
> from { self $int_if:network } \
> to { self $int_if:network }
>
> does not, despite the quick option and the fact that it occurs first.
Because pf always applies the *last* matching rule. It's the opposite
way round to ipfw(8).
In general, you want to order your pf ruleset from the most general to
the most specific. You can short-circuit searching the whole ruleset by
using the 'quick' modifier -- use this on early and more general rules
to weed out the obviously wrong traffic.
Also, read the docco on:
set skip on { $int_if }
which should achieve what you want (assuming that you're only
logging traffic on that i/f as a debugging thing.)
Cheers,
Matthew
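An added example pf.conf, not from the original thread, that lays out a ruleset in the order Matthew describes: skip the trusted interface entirely, put general 'quick' drop rules first, then the default block, then the more specific pass rules that override it. Interface names, addresses and ports are assumed placeholders.

```conf
# Example ruleset (added here, not from the thread). Placeholders:
# $ext_if is the upstream interface, $int_if the trusted LAN interface.
ext_if = "em0"
int_if = "em1"

# Traffic on the trusted internal interface bypasses pf entirely, so it
# needs no pass rule and no later "block ... log" rule can shadow it.
set skip on { lo0 $int_if }

# Early, general rules with 'quick': obviously wrong traffic is dropped
# here and pf stops evaluating the rest of the ruleset for it.
antispoof quick for $ext_if
block in quick on $ext_if from no-route

# Default policy. This is general and has no 'quick', so any later rule
# that also matches a packet overrides it: pf keeps the *last* match.
block drop in log all
block drop out all

# Specific rules come last and therefore win over the block above.
pass out on $ext_if inet keep state
pass in on $ext_if inet proto tcp to ($ext_if) port { 22, 443 } keep state
```

Check the file parses before loading it with `pfctl -nf /etc/pf.conf` (the -n flag only parses, it does not load the rules).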