My OpenBSD+pf based firewall has about 90 forward filtering rules, for tcp
packets (about 30 rules), udp datagrams (about 40 rules) and icmp messages
(about 20 rules). Every rule looks like: "block in proto xxx from any to yyy
port = zzz", where xxx is the protocol type.
Suppose that a transit tcp packet comes into my firewall.
The question is: does pf compare the TCP packet with all my 90 rules, or does it
compare the packet ONLY WITH those rules (about 30) written for tcp
packets ("proto tcp")?
In other words, is there a function in pf that looks at the protocol type
of a transit packet and decides which rules to compare the packet with?