Re: [fw-wiz] Rationale for BSD (I)PF rule order?
From: Henning Brauer (hostmaster_at_bsws.de)
To: firstname.lastname@example.org Date: Fri, 9 May 2003 01:10:17 +0200
On Thu, May 08, 2003 at 01:37:54PM -0400, Barney Wolff wrote:
> On Thu, May 08, 2003 at 02:59:39PM +0200, Volker Tanger wrote:
> > I was not able to find a rationale for the BSD type of packet filter
> > application. Where most FW/ACL implementations follow "first match", BSD
> > usually takes "last match" (if you don't use the "quick" method).
> > Is there a reason why that was decided this way? Especially as I
> > currently cannot see advantages for this behaviour, only performance
> > disadvantages. Can someone enlighten me here?
> I can't supply a rationale for last-match, but note that ipfw is first
> match, not last.
actually, it's a matter of taste. you can play some games with lasty
match that are close to impossible, but I'd rather see it this way: pf
supports both ways, 1st match and last match ;-)
-- Henning Brauer, BS Web Services, http://bsws.de email@example.com - firstname.lastname@example.org Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie) _______________________________________________ firewall-wizards mailing list email@example.com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards