Stephan A. Rickauer wrote:
> Gaby vanhegan wrote:
>
>> Yes, correct, my bad... Or perhaps this would work also:
>>
>> block out on $if_dmz keep state
>> pass out on $if_dmz from {$if_lan, $if_inet} to 1.2.3.4 port smtp
>> keep state
>>
>> Maybe that was what I intended to write...
>
>
> Ok, I am now playing with 'fwbuilder' to see how the generated pf rules
> look like. Presumably, they won't be structured as efficiently as if one
> writes them by hand - but managing hundreds of rules manually is a
> nightmare ...
>
> Thanks so far,
>
Hello,

I think you know the following, but nevertheless its important if you
port your rules from netfilter to pf.

In netfilter nat and filter rules are checked with:
first match wins.

In pf nat rules also the first match wins

__but__

in pf filter rules the __last__ match wins.

In fact that is the one thing I don't like in pf, but to have a "first
match win" you can use the magic word quick in all your pass and block
rules. (e.g "pass in quick")

guido