PF, The OpenBSD Packet Filter: Building The Network You Need: BSDCan, Ottawa, June 10th 2015 | ||
---|---|---|
Prev | Next |
The new match rules do not affect pass/block status, but can apply various actions:
match in on $dmz_if tag DMZ ## [ ... ] pass out on $ext_if tagged DMZ
Note: all matching match rules are applied, ie several match log could generate several log entries for a single packet or connection
Queue assignment (but as always, last matching rule wins)
match in on $ext_if to $dmz_if:network port ssh queue ssh
Another favorite:
match in all scrub (no-df max-mss 1440)