Block All
-
I'm just curious regarding the rule sets. There doesn't seem to be that much documentation, but I'm new and possibly have missed it.
The one thing that I don't understand is that every book I have on PF (Building Firewalls with OpenBSD and PF, The Book of PF, The OpenBSD Packet Filter Book, Absolute OpenBSD), the default policy for filtering rules is to begin them with "BLOCK ALL" [block in all, block out all]. This doesn't seem to be the case here.
I'm hardly an expert, and you all have done a great job setting up this firewall, but I guess this just sort of threw me for a loop initially.
With the "block all" rule, that necessarily means much more concise pass rules, and more rules in general, in order to pass the required traffic.
Just an observation, hardly a criticism. -
In 1.2 it's at the end because all the rules have quick in them.
In 1.3 the ruleset begins with a block {in, out} all and continues to facilitate some more pf features and flexibility from the GUI.
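
The two layouts discussed in this thread, side by side, as an added illustration that is not part of the original posts and not the ruleset the firewall generates. The interface name and the ports are assumptions chosen for the example.

```pf
# Constructed pf.conf fragments. Use one layout or the other, not both.
# Assumed values: external interface em0, SSH allowed in, everything allowed out.
ext_if = "em0"

# --- Layout A: default deny first (the style used in the PF books) ---
# Without "quick", PF evaluates every rule and the LAST matching rule decides.
block in all
block out all
pass in  on $ext_if proto tcp from any to any port 22 keep state
pass out on $ext_if from any to any keep state
# Inbound TCP/22: matches "block in all", then the pass rule; last match wins -> passed.
# Inbound TCP/23: matches only "block in all" -> blocked.
# Caveat: any non-quick block rule added below the pass rules overrides them.

# --- Layout B: "quick" pass rules, default deny at the end ---
# "quick" stops evaluation at the FIRST matching rule.
pass in  quick on $ext_if proto tcp from any to any port 22 keep state
pass out quick on $ext_if from any to any keep state
block in all
block out all
# Inbound TCP/22: first rule matches with quick, evaluation stops -> passed.
# Inbound TCP/23: no quick rule matches, falls through to "block in all" -> blocked.
```

Both layouts are default deny: traffic that no pass rule matches is blocked either way. Only the position of the block rules differs, because `quick` switches evaluation from last match to first match.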