Re: [fw-wiz] Rationale for BSD (I)PF rule order?
From: Henning Brauer (hostmaster_at_bsws.de)
Date: 05/09/03
- Previous message: Smith Gary-GSMITH1: "RE: [fw-wiz] Rationale for BSD (I)PF rule order?"
- In reply to: Barney Wolff: "Re: [fw-wiz] Rationale for BSD (I)PF rule order?"
- Next in thread: Smith Gary-GSMITH1: "RE: [fw-wiz] Rationale for BSD (I)PF rule order?"
To: firewall-wizards@honor.icsalabs.com
Date: Fri, 9 May 2003 01:10:17 +0200

On Thu, May 08, 2003 at 01:37:54PM -0400, Barney Wolff wrote:
> On Thu, May 08, 2003 at 02:59:39PM +0200, Volker Tanger wrote:
> >
> > I was not able to find a rationale for the BSD type of packet filter
> > application. Where most FW/ACL implementations follow "first match", BSD
> > usually takes "last match" (if you don't use the "quick" method).
> >
> > Is there a reason why that was decided this way? Especially as I
> > currently cannot see advantages for this behaviour, only performance
> > disadvantages. Can someone enlighten me here?
>
> I can't supply a rationale for last-match, but note that ipfw is first
> match, not last.
actually, it's a matter of taste. you can play some games with last
match that are close to impossible, but I'd rather see it this way: pf
supports both ways, 1st match and last match ;-)
--
Henning Brauer, BS Web Services, http://bsws.de
hb@bsws.de - henning@openbsd.org
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
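
An added example, not part of the original message and not pf or ipfw code: a simplified Python model of the two evaluation orders discussed in this thread, using a constructed three-rule set and constructed packets. It shows the same rule list giving different verdicts under each order, and that marking every rule "quick" makes last-match evaluation behave as first match. The `Rule` fields, function names and the shared no-match default are assumptions of the model.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: Optional[str] = None    # None matches any source address
    port: Optional[int] = None   # None matches any destination port
    quick: bool = False          # models pf's "quick": stop at this match

    def matches(self, pkt: dict) -> bool:
        return (self.src in (None, pkt["src"])
                and self.port in (None, pkt["port"]))

def last_match(rules, pkt, default="pass"):
    """pf-style: the last matching rule wins, unless a quick rule matches."""
    verdict = default            # pf passes a packet that no rule matches
    for rule in rules:
        if rule.matches(pkt):
            verdict = rule.action
            if rule.quick:
                break            # quick ends evaluation immediately
    return verdict

def first_match(rules, pkt, default="pass"):
    """First-match style: the first matching rule decides.
    The default here is a model assumption, kept equal to last_match's."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Constructed rule set, written in the general-to-specific order that
# last-match evaluation encourages.
RULES = [
    Rule("block", src="192.0.2.66", quick=True),  # block quick from a bad host
    Rule("block"),                                # block everything
    Rule("pass", port=22),                        # then allow ssh
]
# The same rules with quick on every line: last-match becomes first-match.
ALL_QUICK = [replace(r, quick=True) for r in RULES]

# Constructed packets (documentation address ranges).
SSH_OK = {"src": "198.51.100.7", "port": 22}
SSH_BAD = {"src": "192.0.2.66", "port": 22}
WEB = {"src": "198.51.100.7", "port": 80}
PACKETS = [SSH_OK, SSH_BAD, WEB]

if __name__ == "__main__":
    for p in PACKETS:
        print(p, last_match(RULES, p), first_match(RULES, p),
              last_match(ALL_QUICK, p))
```

Under last match the ssh packet from the ordinary host passes, while a first-match engine reading the same list blocks it at the second rule, which is the difference to check when moving a rule set between the two styles.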