Is rule ordering reflected in the output of /tmp/rules.debug?
-
I know the output of /tmp/rules.debug is automatically generated and therefore not guaranteed to be authoritative… however, is the rule ordering (top down) that is shown in rules.debug enforced by the system?
Asked another way - if all of my default block rules appear at the TOP of the rules.debug output, is this because the code writes them out this way, or because the system is actually enforcing those rules first? (which would break damn near everthing ;-)
-
Run
pfctl -srcompare with /tmp/rules.debug and see for yourself.
-
Default block rules at the top don't necessarily break everything. If they have a quick keyword on them, yes they do, no quick no break. Down in the guts of pf, rules are evaluated as "last match wins". If you have something like this (syntax may not be exact):
block in em0
pass in on em0 from any to httpYou're blocking everything except for traffic to port 80 (http).
if it says
block in quick em0
pass in on em0 from any to httpYou've denied everything inbound on em0. The quick keyword means "if we matched on this rule, don't look at any other rules. Just exit rule evaluation".
The command from dok shows you the order that pf will be evaluating the rules (and any expansions that have happened). There are lots of "quicks" in there, so matching traffic stops evaluating.