[rescue] PF question - WAS::::::::::::::Re Good SOHO router for ASDL?

Andrew M Hoerter amh at pobox.com
Wed Nov 4 18:09:19 CST 2015

On 11/4/15 18:28, Jerry Kemp wrote:

> The "quick" keyword in my rule allows my IP Filter rules list to
> function as a "top down" read rule list.
> I have gone thru some of the docs on the PF firewall software, and if
> there is an equivalent keyword for PF, I apparently keep missing it.

As was mentioned, 'quick' works equivalently in pf.  But I think you'll 
find that "last match wins" is a more idiomatic, and perhaps more 
understandable, style of writing pf rulesets once you get used to it. 
It's common to begin with a default block rule followed by explicit pass 
rules, and that's the usual construction you'll see in the OpenBSD FAQ.

quick has its place (no point evaluating the entire ruleset for totally 
invalid packets, etc), but I've been able to shorten many complex 
rulesets by getting rid of it where appropriate.

Just a suggestion.

