On Sun, Jan 29, 2012 at 4:45 PM, Henning Brauer <lists-open...@bsws.de> wrote:
> * corey clingo <clinge...@gmail.com> [2012-01-29 19:47]:
>> Anyway, I'm reading the pf.conf man page, and I interpret it as saying
>> that the last matching pass/block rule determines what action is
>> taken, but the _first_ matching pass rule is what creates the state.
>> Am I interpreting this correctly?
>
> no, the last one creates state (simplified, it isn't THAT simple
> anymore, but that is still what it comes down to).
>
>> Should I be using match rules to do nat-to/rdr-to instead?
>
> should? maybe. depends. whatever is easier in your case.
> could? yes.
>
> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de, Full-Service ISP
> Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
> Henning Brauer Consulting, http://henningbrauer.com/
>

OK, thanks, that clarifies things. That being the case, I can see
where using pass or match rules could each be better in different
situations (I used pass rules for my quick migration, but may try
rewriting the ruleset later using match rules to see if it improves
clarity or intent).

As always, thanks for all the responses.

FWIW, my interpretation came from the following in the "PACKET
FILTERING" section of pf.conf(5):

    "For block and pass, the last matching rule decides what action is taken;
     if no rule matches the packet, the default action is to pass the packet."

and, a bit later,

    "By default pf(4) filters packets statefully: the first time a packet
     matches a pass rule, a state entry is created."

Kind regards,
Corey
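To illustrate the two styles discussed in this thread side by side (this is an added example written for this edit, not a ruleset posted by anyone here), below are two alternative pf.conf fragments for the same NAT/redirect setup; interface names and the 192.0.2.10 server address are constructed placeholders:

```pf
# Added example, not from the thread. Two ALTERNATIVE rulesets (A or B),
# not one file. Interface names and addresses are constructed placeholders.
ext_if  = "em0"
int_if  = "em1"
web_srv = "192.0.2.10"

# ----- Alternative A: translation attached directly to pass rules -----
# The LAST matching pass/block rule decides the action and creates the
# state, so "block all" is the default and the later, more specific pass
# rules override it for the traffic they match.
block all
pass out on $ext_if from $int_if:network nat-to ($ext_if)
pass in  on $ext_if proto tcp to ($ext_if) port 80 rdr-to $web_srv
# Any pass/block rule appended after this point that also matches one of
# these packets would win over the rules above, because it is the last
# match. Adding "quick" to a rule stops evaluation at that rule instead.

# ----- Alternative B: match rules translate, pass/block rules decide -----
# match rules apply nat-to/rdr-to to every packet they match but never
# decide pass/block; the final decision still comes from the last
# matching pass or block rule.
block all
match out on $ext_if from $int_if:network nat-to ($ext_if)
match in  on $ext_if proto tcp to ($ext_if) port 80 rdr-to $web_srv
# Filtering happens on the translated packet: the redirected connection
# is passed on its rewritten destination, the internal web server.
pass out on $ext_if
pass in  on $ext_if proto tcp to $web_srv port 80
```

Either alternative can be checked for syntax without loading it with `pfctl -nf /etc/pf.conf`, and the resulting rules printed with `pfctl -sr` once loaded.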
