* Stuart Henderson <s...@spacehopper.org> [2011-01-30 19:03]:
> On 2011-01-30, Henning Brauer <lists-open...@bsws.de> wrote:
> > * Jason McIntyre <j...@kerhand.co.uk> [2011-01-30 16:37]:
> >> ok, so that's not so bad. in a way we're already there: pf.conf(5) notes
> >> in PACKET FILTERING first:
> >>
> >> For block and pass, the last matching rule decides what
> >> action is taken; if no rule matches the packet, the default
> >> action is to pass the packet.
> >>
> >> and then:
> >>
> >> By default pf(4) filters packets statefully: the first time
> >> a packet matches a pass rule, a state entry is created;
> >>
> >> but we do not explicitly say that if no rule matches, a packet is passed
> >> effectively with "no state" applied. is that sufficiently important that
> >> we should say it?
> >
> > I don't think so.
> >
>
> I disagree, I think it is worth mentioning explicitly - I have seen
> a few people run into problems because they don't realise the implicit
> rule is effectively "pass flags any no state".
hmm. ppl should not rely on the implicit pass at all. last not least we
put an explicit pass rule in the default pf.conf.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
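The point the thread circles around, shown as a pf.conf fragment. This is an added illustration, not a ruleset from the thread or from the OpenBSD default pf.conf; the interface group name `egress` and the port 22 service are assumptions chosen for the example. The first ruleset relies on the implicit rule: any packet that matches no rule is passed, and since no pass rule matched, no state entry is created for it. The second makes the default explicit with `block all`, so only traffic that matches a listed `pass` rule gets through, and every such match creates state.

```pf
# Weak: no explicit default. Anything not matched by the single rule below
# (for example inbound traffic to other ports) is passed by the implicit
# rule, which behaves like "pass flags any no state": no state is created
# and no TCP flag check is applied.
pass in on egress proto tcp to port 22

# Hardened: state the default. Now unmatched packets are dropped instead of
# silently passed, and each pass rule creates a state entry (keep state is
# the default for pass rules, written out here to make the intent visible).
block all
pass out on egress keep state
pass in on egress proto tcp to port 22 flags S/SA keep state
```

The `block all` line is what removes the dependence on the implicit pass that Henning warns against; with it in place, the question of what "no state" means for unmatched packets no longer arises, because there are no unmatched packets that pass.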