[rescue] PF question - WAS::::::::::::::Re Good SOHO router for ASDL?
Andrew M Hoerter
amh at pobox.com
Wed Nov 4 18:09:19 CST 2015
On 11/4/15 18:28, Jerry Kemp wrote:
> The "quick" keyword in my rule allows my IP Filter rules list to
> function as a "top down" read rule list.
>
> I have gone thru some of the docs on the PF firewall software, and if
> there is an equivalent keyword for PF, I apparently keep missing it.
As was mentioned, 'quick' works equivalently in pf. But I think you'll
find that "last match wins" is a more idiomatic, and perhaps more
understandable, style of writing pf rulesets once you get used to it.
It's common to begin with a default block rule followed by explicit pass
rules, and that's the usual construction you'll see in the OpenBSD FAQ.
quick has its place (no point evaluating the entire ruleset for totally
invalid packets, etc), but I've been able to shorten many complex
rulesets by getting rid of it where appropriate.
Just a suggestion.
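To make the difference concrete, here is a small added illustration that is not part of the original thread: a toy Python evaluator for a hypothetical subset of pf.conf syntax, run over a "quick on every rule" ruleset and an idiomatic "default block, then explicit pass, last match wins" ruleset. The packets and rules are constructed for the demonstration; the matching semantics (last matching rule decides, a matching `quick` rule stops evaluation, implicit pass when nothing matches) follow pf.

```python
"""Toy model of pf rule evaluation: last match wins vs. the quick keyword.

Added example, not code from the rescue thread. Parses a small, hypothetical
subset of pf.conf syntax and evaluates constructed packets against it.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    direction: Optional[str] = None   # "in", "out", or None for either
    quick: bool = False
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None
    text: str = ""


def _net(tok: str) -> Optional[ipaddress.IPv4Network]:
    """'any' matches everything; otherwise a host or CIDR network."""
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse one rule in the toy grammar (a hypothetical pf.conf subset):
    action [in|out] [quick] [proto P] [from SRC] [to DST] [port N] | all"""
    text = line.split("#", 1)[0].strip()          # drop trailing comments
    toks = text.split()
    rule = Rule(action=toks[0], text=text)
    if rule.action not in ("pass", "block"):
        raise ValueError(f"unknown action in rule: {line!r}")
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule.direction = t
        elif t == "quick":
            rule.quick = True
        elif t == "all":
            pass                                  # no constraints at all
        elif t == "proto":
            i += 1; rule.proto = toks[i]
        elif t == "from":
            i += 1; rule.src = _net(toks[i])
        elif t == "to":
            i += 1; rule.dst = _net(toks[i])
        elif t == "port":
            i += 1; rule.dport = int(toks[i])
        else:
            raise ValueError(f"unexpected token {t!r} in rule: {line!r}")
        i += 1
    return rule


def matches(rule: Rule, pkt: dict) -> bool:
    """True when every constraint present on the rule fits the packet."""
    if rule.direction and rule.direction != pkt["direction"]:
        return False
    if rule.proto and rule.proto != pkt["proto"]:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt["src"]) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt["dst"]) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.get("dport"):
        return False
    return True


def evaluate(rules: list, pkt: dict) -> tuple:
    """Return (decision, rules_examined) using pf semantics: the last matching
    rule decides, unless a matching rule carries 'quick', which ends evaluation.
    With no match at all, pf's implicit default is to pass."""
    decision, examined = "pass", 0
    for rule in rules:
        examined += 1
        if matches(rule, pkt):
            decision = rule.action
            if rule.quick:
                break
    return decision, examined


def decisions(rules: list, packets: list) -> list:
    return [evaluate(rules, p)[0] for p in packets]


# Constructed ruleset 1: every rule is quick, so the list reads top-down.
FIRST_MATCH_STYLE = [parse_rule(l) for l in """
block in quick from 10.0.0.0/8 to any
pass in quick proto tcp from any to any port 22
pass in quick proto tcp from any to any port 80
block in quick all
""".strip().splitlines()]

# Constructed ruleset 2: quick only for junk worth discarding early, then a
# default block and explicit pass rules; the later pass overrides the block.
LAST_MATCH_STYLE = [parse_rule(l) for l in """
block in quick from 10.0.0.0/8 to any   # no point evaluating the rest
block in all
pass in proto tcp from any to any port 22
pass in proto tcp from any to any port 80
""".strip().splitlines()]

# Constructed sample packets (documentation address ranges).
SAMPLE_PACKETS = [
    {"direction": "in", "proto": "tcp", "src": "203.0.113.5", "dst": "192.0.2.1", "dport": 22},
    {"direction": "in", "proto": "tcp", "src": "203.0.113.5", "dst": "192.0.2.1", "dport": 80},
    {"direction": "in", "proto": "tcp", "src": "203.0.113.5", "dst": "192.0.2.1", "dport": 25},
    {"direction": "in", "proto": "tcp", "src": "10.1.2.3", "dst": "192.0.2.1", "dport": 22},
]

if __name__ == "__main__":
    for name, rules in (("first-match", FIRST_MATCH_STYLE), ("last-match", LAST_MATCH_STYLE)):
        for p in SAMPLE_PACKETS:
            print(name, p["src"], p["dport"], evaluate(rules, p))
```

Both rulesets reach the same verdict for every sample packet; the difference is only in how far evaluation runs and how the list reads. In the last-match ruleset the single `quick` rule still short-circuits the obviously unwanted 10/8 source after one rule, while normal traffic is judged by the full list with the explicit pass rules overriding the default block.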