On 2014-03-18, Friedrich Locke <friedrich.lo...@gmail.com> wrote:
> Hi folks.
>
> I am studying obsd pf and saw there are no more nat rules and rdr rules the
> old way.

"old" - note that this is something from nearly 5 years ago. See
http://marc.info/?l=openbsd-misc&m=125181847818600&w=2 for a quick
introduction. I'm sure it has been covered in some of Henning's
presentations as well.

> Now it is nat-to and rdr-to. What is the motivation for "match" rule ?
> Time ago, the last match for a filter rule was the winner, for the nat and
> rdr the first match is the winner.
>
> And now, what is it the policy ?
>
> Thanks once more.
>
> [] Fried

The policy is as documented in pf.conf(5). The ruleset is now traversed in
order, changes made in match rules are "sticky" and affect rules lower down
in the ruleset. More predictable, no more "oh this 'nat pass' rule which you
included halfway down the ruleset actually takes effect before the 'block
quick' rule right at the top"... so besides allowing for cleaner rulesets,
you could say it's a security fix too.
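The ruleset below is an added illustration of the behaviour described in the reply, not a configuration from the thread or from the OpenBSD project. It uses the post-4.7 syntax (match ... nat-to / rdr-to) and constructed interface names and RFC 5737 / RFC 1918 addresses; the comments spell out why the single-pass, last-match-wins evaluation makes the outcome predictable.

```pf
# Constructed example values; substitute your own interfaces and networks.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"
web_srv = "192.168.1.10"

set skip on lo

# Default policy. Last matching rule wins, so this is overridden only by
# a later rule that also matches the packet.
block log all

# A "quick" rule ends evaluation immediately. Because translation is no
# longer a separate pre-filter step, nothing further down (match or pass)
# can be applied to a packet that is already blocked here.
block in quick on $ext_if from 203.0.113.0/24

# match rules never decide pass/block; they only attach state to the packet.
# The nat-to here is "sticky": the rewritten source address travels with the
# packet to whichever later rule finally passes it.
match out on $ext_if from $lan_net to any nat-to ($ext_if)

# Likewise sticky: inbound port 80 on the external address is redirected to
# the internal web server. Rules evaluated after this one see the translated
# destination, so the pass rule below is written against $web_srv.
match in on $ext_if proto tcp from any to ($ext_if) port 80 rdr-to $web_srv

# Filter rules make the actual decision on the (already translated) packet.
pass in  on $ext_if proto tcp from any to $web_srv port 80
pass out on $ext_if from $lan_net to any
pass in  on $int_if from $lan_net to any
```

Reading this top to bottom gives exactly the order pf evaluates it in; there is no hidden second table of nat/rdr rules consulted first, which is what made the old "nat pass" placed halfway down a ruleset surprising. Check the result with `pfctl -nf /etc/pf.conf` before loading, and `pfctl -sr` after, to confirm the rules appear in the order you intended.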