Subject: Re: Question about IPFilter and local connections being refused.
To: None <schluntz@workofstone.com>
From: None <netbsd@purk.ee>
List: netbsd-help
Date: 04/09/2002 19:13:23
there is no difference when u first
allow packets with option "quick -first rule match" to certain ports
and then block all unwanted..
or it is?:)

good luck:)

>
> In message <1343.192.168.3.200.1018378614.squirrel@orav.purk.ee>,
> netbsd@purk.ee writes:
>>u have rules that allow incoming traffic to certain ports like
>>22,143...so on....the first line seems weird:) if u put it at the end
>>of rules...then u blocking all unwanted packets?:)
>>i have kinda same rules...i allow packets to 80,22,25,143,443..and
>>others including icmp are blocked...it works for me:)
>
> IPFilter uses last match instead of first match, so the first rule of
> drop all is a catch all rule that only takes effect if no other rule
> matches the packet.
>
> See: http://www.netbsd.org/Documentation/network/nsps/config_ipf.html
>
> -Sean
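
Added example, not part of the original thread: a small Python model of the evaluation order discussed above (last matching rule wins, "quick" stops at the first match), run over three constructed rule sets that use ports named in the thread. The parser covers only the two rule shapes shown, port 23 is a constructed "unwanted" port, and the pass verdict for unmatched packets is an assumption about the kernel's default.

```python
# Added example: simplified model of IPFilter rule evaluation.
# Only inbound TCP matched on destination port (or "all") is modelled.
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str           # "pass" or "block"
    port: Optional[int]   # None models "all"
    quick: bool

def parse(line: str) -> Rule:
    """Parse 'block in all' or 'pass in [quick] proto tcp from any to any port = N'."""
    tok = line.split()
    port = int(tok[tok.index("port") + 2]) if "port" in tok else None
    return Rule(tok[0], port, "quick" in tok)

def decide(ruleset: str, dport: int) -> str:
    """Last matching rule wins; a matching 'quick' rule ends evaluation at once."""
    verdict = "pass"  # assumption: kernel not built to block by default
    for rule in map(parse, ruleset.strip().splitlines()):
        if rule.port is None or rule.port == dport:
            verdict = rule.action
            if rule.quick:
                break
    return verdict

# Constructed rule sets using ports named in the thread.
BLOCK_FIRST = """
block in all
pass in proto tcp from any to any port = 22
pass in proto tcp from any to any port = 143
"""
QUICK_FIRST = """
pass in quick proto tcp from any to any port = 22
pass in quick proto tcp from any to any port = 143
block in all
"""
BLOCK_LAST = """
pass in proto tcp from any to any port = 22
pass in proto tcp from any to any port = 143
block in all
"""

def verdicts(ruleset: str, ports=(22, 143, 23)) -> dict:
    return {p: decide(ruleset, p) for p in ports}

if __name__ == "__main__":
    for name in ("BLOCK_FIRST", "QUICK_FIRST", "BLOCK_LAST"):
        print(name, verdicts(globals()[name]))
```

BLOCK_FIRST and QUICK_FIRST produce the same verdicts, while BLOCK_LAST (catch-all moved to the end, no "quick") blocks 22 and 143 as well.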