On Wed, Jan 10, 2007 at 01:10:32PM +0100, Henning Brauer wrote:
> * Joachim Schipper <[EMAIL PROTECTED]> [2007-01-10 12:12]:
> > On Wed, Jan 10, 2007 at 10:05:11AM +0100, raff wrote:
> > > Hello misc.
> > >
> > > I want to block traffic from 192.168.9.8 to 192.168.1.0/24
> > > excluding 192.168.1.6
> > > Is there any difference between:
> > >
> > > block in all
> > > pass in on xl1 from 192.168.9.8 to !192.168.1.0/24 modulate state
> > > pass in on xl1 from 192.168.9.8 to 192.168.1.6 modulate state
> > >
> > > and
> > >
> > > block in all
> > > pass in on xl1 from 192.168.9.8 to 192.168.1.6 modulate state
> > > pass in on xl1 from 192.168.9.8 to !192.168.1.0/24 modulate state
> >
> > Yes, pf rules are evaluated from start to end, and the *last* match
> > determines what happens. (There are some exceptions, like nat, where the
> > *first* match determines this...)
> >
> > Therefore, in your second example the second rule doesn't do anything.
>
> wrong answer (...) there is no overlap AT ALL between those rules.
> where one matches, the other never will. so order doesn't make a
> difference here.

Woopsie, missed that !. Sorry, and thanks to Henning for correcting me!

Joachim
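The point Henning makes can be checked mechanically. The following is an added example (not from the thread, not pf's own code): a small model of pf's last-match evaluation for non-quick rules, run over both orderings of raff's rules. Interface and "modulate state" do not affect which rule matches, so they are left out; the test packets are constructed.

```python
import ipaddress

# Constructed model of the two rule sets from the thread:
# (action, src_net, dst_net, negate_dst); None means "any".
SRC = ipaddress.ip_network("192.168.9.8/32")
LAN = ipaddress.ip_network("192.168.1.0/24")
HOST = ipaddress.ip_network("192.168.1.6/32")

RULESET_A = [
    ("block", None, None, False),   # block in all
    ("pass", SRC, LAN, True),       # pass ... to !192.168.1.0/24
    ("pass", SRC, HOST, False),     # pass ... to 192.168.1.6
]
RULESET_B = [
    ("block", None, None, False),   # block in all
    ("pass", SRC, HOST, False),     # pass ... to 192.168.1.6
    ("pass", SRC, LAN, True),       # pass ... to !192.168.1.0/24
]

def rule_matches(rule, src, dst):
    """True if a packet src -> dst is matched by the rule; '!' inverts the dst test."""
    _, rsrc, rdst, negate = rule
    if rsrc is not None and src not in rsrc:
        return False
    if rdst is None:
        return True
    in_dst = dst in rdst
    return (not in_dst) if negate else in_dst

def evaluate(ruleset, src, dst):
    """pf semantics for rules without 'quick': the *last* matching rule wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    decision = "pass"   # pf passes a packet that no rule matches at all
    for rule in ruleset:
        if rule_matches(rule, src, dst):
            decision = rule[0]
    return decision

def compare(src, dst):
    """Decision under ordering A and ordering B for one packet."""
    return evaluate(RULESET_A, src, dst), evaluate(RULESET_B, src, dst)

if __name__ == "__main__":
    for dst in ("192.168.1.6", "192.168.1.7", "10.0.0.1"):
        print(f"192.168.9.8 -> {dst}: A={compare('192.168.9.8', dst)[0]} "
              f"B={compare('192.168.9.8', dst)[1]}")
```

Because the `!192.168.1.0/24` rule and the `192.168.1.6` rule can never match the same packet, both orderings produce identical decisions for every destination.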