Subject: Re: IPNAT rules?
To: None <nverenin@san.rr.com>
From: Alan Barrett <apb@iafrica.com>
List: current-users
Date: 08/09/1998 09:58:06

> Obipf: what's the general heuristic for ipf (-current) filter
> application? From my experience with it, it appears to be read from the
> bottom up. All the examples in /usr/share/examples/ipf and my own filter
> list have the default drop rules for tcp/udp/etc. near the top.

It's read from top to bottom, but last match wins.

"block" means "I am thinking about blocking this packet, but I might
change my mind later (using a subsequent "pass" rule)".

"block quick" means "I have decided to block this packet, and I definitely
won't change my mind later".

--apb (Alan Barrett)
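
The evaluation order described in the reply above, as an added example that is not part of the original message and is not IPFilter code: a simplified model that scans rules top to bottom, remembers the last match, and stops at the first matching "quick" rule. The `Rule` class, `evaluate()`, the sample ruleset, matching on protocol and destination port only, and the `default="pass"` verdict for packets that match no rule are all assumptions of this sketch.

```python
# Added illustration: a simplified model of ipf-style rule evaluation.
# Rule, evaluate() and RULES are hypothetical names, not IPFilter code.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "block" or "pass"
    quick: bool = False          # True: the decision is final, stop scanning
    proto: Optional[str] = None  # None matches any protocol
    port: Optional[int] = None   # None matches any destination port

    def matches(self, proto, port):
        return self.proto in (None, proto) and self.port in (None, port)


def evaluate(rules, proto, port, default="pass"):
    """Return (verdict, index of the deciding rule or None if none matched)."""
    verdict, decided_by = default, None   # default verdict is an assumption
    for i, rule in enumerate(rules):      # read from top to bottom
        if not rule.matches(proto, port):
            continue
        verdict, decided_by = rule.action, i   # last match wins so far
        if rule.quick:                         # "quick": no later rule can override
            break
    return verdict, decided_by


# Constructed ruleset, written in the spirit of:
#   block in all
#   block in quick proto tcp from any to any port = 23
#   pass  in proto tcp from any to any port = 22
#   pass  in proto tcp from any to any port = 23
RULES = [
    Rule("block"),                                    # default drop near the top
    Rule("block", quick=True, proto="tcp", port=23),  # final, cannot be undone
    Rule("pass", proto="tcp", port=22),               # overrides rule 0
    Rule("pass", proto="tcp", port=23),               # never reached for port 23
]

if __name__ == "__main__":
    for proto, port in [("tcp", 22), ("tcp", 23), ("udp", 53)]:
        print(proto, port, evaluate(RULES, proto, port))
```
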