On Sun, Jan 29, 2012 at 5:35 PM, corey clingo <clinge...@gmail.com> wrote:
> On Sun, Jan 29, 2012 at 4:45 PM, Henning Brauer <lists-open...@bsws.de> wrote:
>> * corey clingo <clinge...@gmail.com> [2012-01-29 19:47]:
>>> Anyway, I'm reading the pf.conf man page, and I interpret it as saying
>>> that the last matching pass/block rule determines what action is
>>> taken, but the _first_ matching pass rule is what creates the state.
>>> Am I interpreting this correctly?
>>
>> no, the last one creates state (simplified, it isn't THAT simple
>> anymore, but that is still what it comes down to).
>>
>>> Should I be using match rules to do nat-to/rdr-to instead?
>>
>> should? maybe. depends. whatever is easier in your case.
>> could? yes.
>>
>> --
>> Henning Brauer, h...@bsws.de, henn...@openbsd.org
>> BS Web Services, http://bsws.de, Full-Service ISP
>> Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
>> Henning Brauer Consulting, http://henningbrauer.com/
>>
>
> OK, thanks, that clarifies things. That being the case, I can see
> where using pass or match rules could each be better in different
> situations (I used pass rules for my quick migration, but may try
> rewriting the ruleset later using match rules to see if it improves
> clarity or intent).
>
> As always, thanks for all the responses.
>
> FWIW, my interpretation came from the following in the "PACKET
> FILTERING" section of pf.conf(5):
>
> "For block and pass, the last matching rule decides what action is taken;
> if no rule matches the packet, the default action is to pass the packet."
>
> and, a bit later,
>
> "By default pf(4) filters packets statefully: the first time a packet
> matches a pass rule, a state entry is created."
>
> Kind regards,
> Corey
Hmm...on further reflection, I suppose the second section means that the state is created when the first _packet_ (of possibly many in a connection) matches the pass rule that ends up acting on it, rather than meaning state is created by the first _pass rule_ in the ruleset that that packet matches. Oh well, I understand it now. Thanks again.
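The two points the thread settles (the last matching pass/block rule decides the action and is the rule that creates state on a connection's first packet; match rules only attach nat-to/rdr-to) in a small pf.conf fragment. This is an added example, not anything posted in the thread or taken from pf's documentation; the interface names, the web server address and the table contents are assumed.

```pf
# Added example; not from the thread. Interface names, addresses and the
# table contents are assumed.
ext_if  = "em0"
int_if  = "em1"
web_srv = "192.168.1.10"

table <bad_hosts> persist { 203.0.113.0/24 }   # assumed, documentation range

set skip on lo

# match rules never decide pass/block and never create state on their own;
# they only attach the translation, which takes effect when a later pass
# rule accepts the packet. Rules after a match rule see the translated
# addresses, so the pass rule for the web server names the internal address.
match out on $ext_if inet from $int_if:network nat-to ($ext_if)
match in  on $ext_if inet proto tcp to ($ext_if) port 80 rdr-to $web_srv port 8080

# Last matching pass/block rule wins: this catch-all is overridden below
# for whatever the later pass rules match.
block log all

# "quick" is the one exception to last-match: evaluation stops here, so a
# packet from <bad_hosts> is dropped even though the pass in rule below
# would otherwise be the last match for it.
block in quick log on $ext_if from <bad_hosts>

# Each of these pass rules is the last match for its traffic, so it is the
# rule that passes the first packet and creates the state entry (keep state
# is the default). Later packets of the connection are handled by that
# state, not by another trip through the ruleset.
pass in  on $ext_if inet proto tcp to $web_srv port 8080
pass out on $ext_if inet
pass in  on $int_if inet from $int_if:network
pass out on $int_if inet to $int_if:network
```

Run `pfctl -nf` on the file to syntax-check it before loading, and `pfctl -ss` afterwards to see which pass rule ends up owning each state.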