From: Maxim Khitrov
Date: Tue, 6 Dec 2011 16:37:51 -0500
To: freebsd-pf@freebsd.org
Subject: Implications of "set require-order no"
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello all,

The "require-order" option has the following ominous warning:

"There may be non-trivial and non-obvious implications to an out of order ruleset. Consider carefully before disabling the order enforcement."

In OpenBSD 4.6 this directive was changed to 'no' by default, and it was taken out completely in 5.0. Can someone please clarify what these "non-trivial and non-obvious implications" are for pf 4.5 in FreeBSD 9.0?

I assumed that pf always evaluates nat and rdr rules before filtering, meaning that a nat rule placed after a pass/block rule would still be executed first for outgoing packets. If so, the ordering shouldn't really matter. Is that incorrect?

- Max
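As an added illustration (not part of the original post), here is the kind of ruleset the question is about: the section order that pfctl enforces by default (options, normalization, queueing, translation, filtering), followed by the same rules with the nat rule written after the filter rules, which pfctl of that era rejects with "Rules must be in order" unless require-order is disabled. The interface name, addresses and port are constructed placeholders.

```pf
# --- Canonical order, accepted with the default "set require-order yes" ---
# options -> normalization -> queueing -> translation -> filtering
ext_if = "em0"                        # constructed placeholder interface
set require-order yes

scrub in all                          # normalization

nat on $ext_if from 192.0.2.0/24 to any -> ($ext_if)            # translation
rdr on $ext_if proto tcp to port 8080 -> 192.0.2.10 port 80     # translation

block in all                                                    # filtering
pass out on $ext_if keep state
pass in on $ext_if proto tcp to 192.0.2.10 port 80 keep state

# --- Same rules out of order; only loads with "set require-order no" ---
# The nat rule now follows the filter rules in the file. Whether that
# placement changes behaviour is exactly what the post asks about; this
# block only shows the configuration, not an answer.
# set require-order no
# scrub in all
# block in all
# pass out on $ext_if keep state
# pass in on $ext_if proto tcp to 192.0.2.10 port 80 keep state
# nat on $ext_if from 192.0.2.0/24 to any -> ($ext_if)
# rdr on $ext_if proto tcp to port 8080 -> 192.0.2.10 port 80
```

Either variant can be syntax-checked without loading it via `pfctl -nf /path/to/pf.conf`; the first form passes the check as is, the second only once the commented lines replace the first block.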