schotty
October 30th, 2002, 12:20
Hey all!

I got a working firewall ruleset, but one nitpicking question. I have the rule in there to block all not explicitly allowed and to log it. Well, since my programming skills are as good as Roseanne Barr's looks -- I don't really feel like writing a script to filter out all of the net-bios broadcasts. Is there a way for me to block all of that in another rule (that I know how to do) and then block all but that in another rule that is logging?

Thanks much!

bsdjunkie
October 30th, 2002, 12:43
Remember last match wins ;) so block the netbios first, then block all log by default 8)

schotty
October 30th, 2002, 14:11
Okay ... perhaps that is a thought. For my ruleset, it's first match wins -- found that out the hard way. So since the block log is last, perhaps I can put that before the netbios entry... let ya know how that went.

Thanks much!

bsdjunkie
October 30th, 2002, 14:22
From the FAQ: Packet Filter rules are processed sequentially from top to bottom;

First match wins isn't how it should be set up in your ruleset. If you were running Cisco PIX or Checkpoint you might be ok, but with pf it could be bad ;)

You may also want to block all netbios quick, then it wouldn't go on past that rule to search for another match.

schotty
October 30th, 2002, 20:21
well, flipping the order worked beautifully :P

As for the comment -- I see what you mean. I'll take a look at the actual order that pf read it in, and see what it says. And the quick was something that I should have thought of :(
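The three orderings discussed in this thread, written out as a pf.conf fragment. This is an added example, not schotty's ruleset; it assumes the external interface is fxp0 and leaves out the pass rules a real ruleset would have.

```pf
# Added example, not the thread's own ruleset. Assumes the external
# interface is fxp0; the pass rules of a real pf.conf are omitted.
ext_if = "fxp0"
netbios_ports = "{ 137, 138, 139 }"

# --- Ordering that logs every NetBIOS broadcast (the problem) ---
# pf evaluates rules top to bottom and the LAST matching rule wins.
# A NetBIOS packet matches both rules, and the logging rule, being
# last, decides: the packet is blocked AND written to pflog.
#block in on $ext_if proto { tcp, udp } from any to any port $netbios_ports
#block in log on $ext_if all

# --- Fix 1: put the default block-and-log rule first ---
# A NetBIOS packet still matches both rules, but the silent rule is now
# the last match, so it is dropped without a pflog entry. Anything else
# matches only the first rule and is still blocked and logged.
block in log on $ext_if all
block in on $ext_if proto { tcp, udp } from any to any port $netbios_ports

# --- Fix 2: "quick" stops evaluation at the first match ---
# With quick, the NetBIOS rule wins wherever it sits, so it can stay
# above the default rule as in the original ordering.
#block in quick on $ext_if proto { tcp, udp } from any to any port $netbios_ports
#block in log on $ext_if all
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -s rules` prints the rules in the order pf actually holds them, which is the order the last-match rule is applied in.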