8.0-RELEASE-p2 routing ipfw vs pf

I have seen good performance from IPFW although have seen an impact when using stateful.
I am trying pf but have seen quite a lot of redundancy built in to pf.conf from various sources.
Is this just a lack of understanding from the compilers (or me) or is this a reliability issue with pf?

one example (and there are many others)

Code:
block all
block return-rst  in  $logopt on $ext_if proto tcp all
block return-icmp in  $logopt on $ext_if proto udp all
block             in  $logopt on $ext_if proto icmp all
block             out $logopt on $ext_if all

Doesn't the "block all" make the next four lines redundant?
 
Here seems to be another example I have seen.

under global options
Code:
set skip on lo0
Then further down
Code:
# trust localhost
pass in  quick on lo0 all
pass out quick on lo0 all
 
triumdh said:
I am trying pf but have seen quite a lot of redundancy built in to pf.conf from various sources.
Is this just a lack of understanding from the compilers (or me) or is this a reliability issue with pf?

one example (and there are many others)

Code:
block all
block return-rst  in  $logopt on $ext_if proto tcp all
block return-icmp in  $logopt on $ext_if proto udp all
block             in  $logopt on $ext_if proto icmp all
block             out $logopt on $ext_if all

Doesn't the "block all" make the next four lines redundant?

I'm afraid it is a lack of understanding on your part :P
When using PF, the processing of rules does not necessarily terminate with the first matching rule. That is unless it has the quick modifier applied.

So ... No, the block all does not make the next lines redundant, it merely sets the action to be taken if no further rules match that specify some other action.
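As an added illustration (not from the thread or from pf itself), here is a small Python model of the evaluation order the reply describes: the last matching rule decides unless a matching rule carries quick, and an interface under set skip is not filtered at all. $ext_if is assumed to be em0; the ruleset is the one quoted above.

```python
from dataclasses import dataclass
from typing import Optional

EXT_IF = "em0"  # assumed value for $ext_if; the thread never names the interface

@dataclass(frozen=True)
class Rule:
    action: str                      # "pass", "block", "block return-rst", ...
    direction: Optional[str] = None  # "in", "out", or None for either
    iface: Optional[str] = None      # interface name, or None for any
    proto: Optional[str] = None      # "tcp", "udp", "icmp", or None for any
    quick: bool = False              # stop evaluating once this rule matches

@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    proto: str

def matches(rule, pkt):
    return ((rule.direction is None or rule.direction == pkt.direction)
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto))

def evaluate(rules, pkt, skip=()):
    """Model pf's order: the LAST matching rule wins, unless a matching rule
    has 'quick', which ends evaluation at once.  Interfaces listed in 'skip'
    (set skip on ...) are never filtered, so no rule is consulted for them."""
    if pkt.iface in skip:
        return "pass (skipped)"
    result = "pass"  # pf's implicit default when no rule matches at all
    for rule in rules:
        if matches(rule, pkt):
            result = rule.action
            if rule.quick:
                break
    return result

# The ruleset from the thread, in the order it appears in pf.conf
RULES = [
    Rule("block"),                                    # block all
    Rule("block return-rst",  "in",  EXT_IF, "tcp"),  # block return-rst  in on $ext_if proto tcp
    Rule("block return-icmp", "in",  EXT_IF, "udp"),  # block return-icmp in on $ext_if proto udp
    Rule("block",             "in",  EXT_IF, "icmp"), # block in on $ext_if proto icmp
    Rule("block",             "out", EXT_IF),         # block out on $ext_if all
    Rule("pass", "in",  "lo0", quick=True),           # pass in  quick on lo0 all
    Rule("pass", "out", "lo0", quick=True),           # pass out quick on lo0 all
]

def effective(direction, iface, proto, skip=()):
    return evaluate(RULES, Packet(direction, iface, proto), skip)
```

Running effective("in", "em0", "tcp") returns "block return-rst" rather than plain "block": block all still sets the fallback, but the later rule changes the response for TCP, which is why it is not redundant. With skip={"lo0"}, the two quick rules for lo0 are never reached, which is the overlap the first post noticed.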
 