From: "Travis H."
To: Jon Otterholm
Cc: freebsd-pf@freebsd.org
Subject: Re: PF on router v2.0
Date: Thu, 8 Dec 2005 05:02:34 -0600
In-Reply-To: <4394BA10.6050500@ide.resurscentrum.se>

> pass in all
> pass out all

I think you can do that with one rule.
pass all

You can also tighten the tcp rule by specifying "flags S/SA"... the state will take care of the rest of the packets. This prevents ack-scanning.

You might also consider "antispoof" rules on the interfaces, but that is a kind of blocking, so maybe you don't want it after all.

Overall this ruleset and your needs are so simple there's not much to suggest. Maybe try list versus tables to see the speed difference, but other than that...

-- 
http://www.lightconsulting.com/~travis/ -><- Knight of the Lambda Calculus
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
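A pf.conf sketch that applies the suggestions in the reply above (one "pass all" rule, "flags S/SA" with state on the TCP rule, "antispoof", and a table in place of a list). This is an added example, not a ruleset from the thread; the interface names, the LAN prefix and the ssh port are assumptions.

```pf
# Added example: interface names and addresses are assumed, not from the thread.
ext_if = "em0"
int_if = "em1"

# A table is one lookup structure; a brace list such as { 192.168.1.0/24, ... }
# is expanded by pfctl into one rule per entry, which is the speed difference
# the reply refers to.
table <lan> persist { 192.168.1.0/24 }

# The two quoted rules ("pass in all" / "pass out all") collapse into one.
# pf applies the LAST matching rule, so everything below refines this default.
pass all

# Drop packets arriving on the external interface that claim an address
# belonging to that interface's own network. "quick" stops evaluation so a
# later pass rule cannot override it. This is blocking, which the reply notes
# the original poster may not want.
antispoof quick for $ext_if

# Default deny inbound on the external side; the pass rules after it win
# for the traffic they match.
block in on $ext_if

# Loose form (commented out): matches any TCP segment to the port, including
# the bare ACK probes of an ACK scan, which the host then answers with RST.
# pass in on $ext_if proto tcp from any to $ext_if port ssh

# Tightened form: only a segment with SYN set and ACK clear ("S/SA") can
# match and create state; every later segment of the connection is handled
# by the state entry. A bare ACK matches neither, so it hits "block in".
# (Newer pf versions use "flags S/SA keep state" by default on TCP pass
# rules; writing it out keeps the intent explicit on older releases.)
pass in on $ext_if proto tcp from any to $ext_if port ssh flags S/SA keep state

# Internal side stays open, with state so replies are matched by the entry
# rather than by re-evaluating the ruleset.
pass in on $int_if from <lan> to any keep state
pass out on $ext_if all keep state

# Parse-only check before loading:  pfctl -nf /etc/pf.conf
```

Load order matters: because pf's last matching rule wins, "antispoof quick" must keep its "quick" and the "block in" must precede the tightened pass rule, otherwise the earlier "pass all" silently reopens what the TCP rule was meant to close.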