On Wed, Jan 10, 2007 at 10:05:11AM +0100, raff wrote:
> Hello misc.
>
> I want to block traffic from 192.168.9.8 to 192.168.1.0/24
> excluding 192.168.1.6
> Is there any difference between:
>
> block in all
> pass in on xl1 from 192.168.9.8 to !192.168.1.0/24 modulate state
> pass in on xl1 from 192.168.9.8 to 192.168.1.6 modulate state
>
> and
>
> block in all
> pass in on xl1 from 192.168.9.8 to 192.168.1.6 modulate state
> pass in on xl1 from 192.168.9.8 to !192.168.1.0/24 modulate state
Yes, pf rules are evaluated from start to end, and the *last* match determines what happens. (There are some exceptions, like nat, where the *first* match determines this...) Therefore, in your second example the second rule doesn't do anything.

Joachim
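An added simulation, not part of the thread, of pf's last-match evaluation applied to the two rulesets raff quoted. The Rule class, evaluate() and compare() are my own construction; the interface (xl1) and "modulate state" are ignored since they do not affect which rule matches, and a quick flag is included to show how that keyword changes the result.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                     # "pass" or "block"
    src: Optional[str] = None       # CIDR, or None for "any"
    dst: Optional[str] = None       # CIDR, or None for "any"
    negate_dst: bool = False        # models "to !<network>"
    quick: bool = False             # models pf's "quick" keyword

def _in(net, addr):
    """True when addr is inside net (or net is 'any')."""
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def evaluate(rules, src, dst):
    """Walk every rule; the last matching rule decides, unless a matching
    rule carries 'quick', which ends evaluation immediately.
    With no matching rule at all pf passes the packet (its default)."""
    decision = "pass"
    for r in rules:
        dst_match = _in(r.dst, dst)
        if r.negate_dst:
            dst_match = not dst_match
        if _in(r.src, src) and dst_match:
            decision = r.action
            if r.quick:
                break
    return decision

# The two rulesets from the question (interface and state options dropped).
RULESET_A = [
    Rule("block"),
    Rule("pass", "192.168.9.8/32", "192.168.1.0/24", negate_dst=True),
    Rule("pass", "192.168.9.8/32", "192.168.1.6/32"),
]
RULESET_B = [
    Rule("block"),
    Rule("pass", "192.168.9.8/32", "192.168.1.6/32"),
    Rule("pass", "192.168.9.8/32", "192.168.1.0/24", negate_dst=True),
]

def compare(packets):
    """Map each constructed (src, dst) pair to (decision under A, decision under B)."""
    return {(s, d): (evaluate(RULESET_A, s, d), evaluate(RULESET_B, s, d))
            for s, d in packets}

if __name__ == "__main__":
    # Constructed sample packets: the excluded host, another LAN host, an outside host.
    for pkt, result in compare([("192.168.9.8", "192.168.1.6"),
                                ("192.168.9.8", "192.168.1.7"),
                                ("192.168.9.8", "10.0.0.1")]).items():
        print(pkt, result)
```

Run it with a few destination addresses to see which rule ends up deciding each packet under each ordering; adding quick=True to a rule shows evaluation stopping at that rule instead of continuing to the end.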