From: Peter Maxwell
To: Olivier Thibault
Cc: freebsd-pf@freebsd.org
Date: Fri, 8 Jan 2010 10:31:18 +0000
Subject: Re: freebsd 8

2010/1/8 Olivier Thibault:
>> # keep stats of outgoing connections
>> pass out keep state
>
> This rule allows everything out and next outgoing rules won't be checked as
> this one matches first.

That's incorrect, pf does the opposite and uses the *last* match - at least
that's what the documentation says...

http://www.openbsd.org/faq/pf/filter.html

The quick keyword is used for shortcut evaluation.
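
The evaluation order discussed in this message, as an added example that is not part of the original thread and is not pf's own code: a simplified Python model of last-match-wins and `quick`. It assumes rules match only on direction, protocol and destination port, looks at the first packet of a connection (no state table), and uses constructed rule sets; `Rule` and `evaluate` are hypothetical names.

```python
# Simplified model of pf rule evaluation (added example; not pf's real parser).
# Only direction, protocol and destination port are matched; every rule and
# packet below is constructed for illustration.
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    direction: str                # "in" or "out"
    proto: Optional[str] = None   # None matches any protocol
    port: Optional[int] = None    # None matches any destination port
    quick: bool = False

    def matches(self, direction: str, proto: str, port: int) -> bool:
        return (self.direction == direction
                and self.proto in (None, proto)
                and self.port in (None, port))


def evaluate(rules: Sequence[Rule], direction: str, proto: str,
             port: int) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule) for one packet."""
    verdict: Tuple[str, Optional[int]] = ("pass", None)  # pf's implicit default
    for index, rule in enumerate(rules):
        if not rule.matches(direction, proto, port):
            continue
        verdict = (rule.action, index)   # a later match overrides an earlier one
        if rule.quick:                   # "quick" ends evaluation at this rule
            break
    return verdict


# Models: pass out keep state / block out proto tcp from any to any port 25
LAST_MATCH = [Rule("pass", "out"), Rule("block", "out", "tcp", 25)]
# Models: pass out quick keep state / block out proto tcp from any to any port 25
WITH_QUICK = [Rule("pass", "out", quick=True), Rule("block", "out", "tcp", 25)]

if __name__ == "__main__":
    for name, rules in (("last match", LAST_MATCH), ("quick", WITH_QUICK)):
        for port in (25, 443):
            print(name, port, evaluate(rules, "out", "tcp", port))
```

Without `quick`, the later block rule decides port 25 traffic even though `pass out` matched first; with `quick` on the pass rule, the block rule is never reached.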