* Joachim Schipper <[EMAIL PROTECTED]> [2007-01-10 12:12]:
> On Wed, Jan 10, 2007 at 10:05:11AM +0100, raff wrote:
> > Hello misc.
> >
> > I want to block traffic from 192.168.9.8 to 192.168.1.0/24
> > excluding 192.168.1.6
> > Is there any difference between:
> >
> > block in all
> > pass in on xl1 from 192.168.9.8 to !192.168.1.0/24 modulate state
> > pass in on xl1 from 192.168.9.8 to 192.168.1.6 modulate state
> >
> > and
> >
> > block in all
> > pass in on xl1 from 192.168.9.8 to 192.168.1.6 modulate state
> > pass in on xl1 from 192.168.9.8 to !192.168.1.0/24 modulate state
>
> Yes, pf rules are evaluated from start to end, and the *last* match
> determines what happens. (There are some exceptions, like nat, where the
> *first* match determines this...)
>
> Therefore, in your second example the second rule doesn't do anything.
2 wrong answers... both his examples are right and do the same thing.

pass in on xl1 from 192.168.9.8 to 192.168.1.6 modulate state

matches packets from 192.168.9.8 to 192.168.1.6 and passes them. good.

pass in on xl1 from 192.168.9.8 to !192.168.1.0/24

passes packets from 192.168.9.8 to anywhere _except_ 192.168.1/24.

there is no overlap AT ALL between those rules. where one matches, the
other never will. so order doesn't make a difference here.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
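To check the two points made in this thread (last-match evaluation, and the two pass rules being disjoint), here is an added toy evaluator that is not from the thread or from pf itself: it models only source/destination address matching with last-match semantics, ignores the interface, direction and "modulate state" keywords, and takes the two rule orderings from raff's mail as constructed input.

```python
import ipaddress

# Constructed rulesets mirroring the two orderings from the thread; the
# "on xl1", "in" and "modulate state" parts are kept in the text but
# ignored by this toy evaluator (it models address matching only).
RULESET_A = (
    "block in all",
    "pass in on xl1 from 192.168.9.8 to !192.168.1.0/24 modulate state",
    "pass in on xl1 from 192.168.9.8 to 192.168.1.6 modulate state",
)
RULESET_B = (RULESET_A[0], RULESET_A[2], RULESET_A[1])

def parse_rule(text):
    """Minimal pf subset: 'block in all' or 'pass ... from S to [!]D ...'."""
    words = text.split()
    if "all" in words:
        return (words[0], None, None, False)
    src = ipaddress.ip_network(words[words.index("from") + 1], strict=False)
    dst_tok = words[words.index("to") + 1]
    dst = ipaddress.ip_network(dst_tok.lstrip("!"), strict=False)
    return (words[0], src, dst, dst_tok.startswith("!"))

def matches(rule, src_ip, dst_ip):
    action, src, dst, negate = rule
    if src is None:          # 'all' matches every packet
        return True
    if src_ip not in src:
        return False
    in_dst = dst_ip in dst
    return not in_dst if negate else in_dst   # '!' inverts the dst test

def evaluate(rules, src, dst):
    """pf filter semantics without 'quick': every rule is checked in order
    and the *last* one that matches decides the verdict."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    verdict = "pass"         # pf's default when nothing matches
    for rule in map(parse_rule, rules):
        if matches(rule, src_ip, dst_ip):
            verdict = rule[0]
    return verdict

def orderings_agree(src, destinations):
    """True when both orderings give the same verdict for every destination."""
    return all(evaluate(RULESET_A, src, d) == evaluate(RULESET_B, src, d)
               for d in destinations)
```

Because the negated /24 rule and the single-host rule can never match the same packet, swapping them changes nothing; only the order relative to "block in all" matters.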