Date:      Tue, 6 Dec 2011 16:37:51 -0500
From:      Maxim Khitrov <max@mxcrypt.com>
To:        freebsd-pf@freebsd.org
Subject:   Implications of "set require-order no"
Message-ID:  <CAJcQMWdKhXC7uvxt5ZKZn79Vfa9P+10K3K+1opkQPEE-xoiJOQ@mail.gmail.com>

Hello all,

The "require-order" option has the following ominous warning:

"There may be non-trivial and non-obvious implications to an out of
order ruleset. Consider carefully before disabling the order
enforcement."

In OpenBSD 4.6 this directive was changed to 'no' by default, and it
was taken out completely in 5.0. Can someone please clarify what
these "non-trivial and non-obvious implications" are for pf 4.5 in
FreeBSD 9.0?

I assumed that pf always evaluates nat and rdr rules before filtering,
meaning that a nat rule placed after a pass/block rule would still be
executed first for outgoing packets. If so, the ordering shouldn't
really matter. Is that incorrect?

- Max
