Firewall Wizards mailing list archives

Re: Rationale for BSD (I)PF rule order?


From: Holger Kipp <holger.kipp () alogis com>
Date: Fri, 09 May 2003 13:00:03 +0200

Volker Tanger wrote:

I was not able to find a rationale for the BSD type of packet filter
application. Where most FW/ACL implementations follow "first match", BSD
usually takes "last match" (if you don't use the "quick" method).

Is there a reason why that was decided this way? Especially as I
currently cannot see advantages for this behaviour, only performance
disadvantages. Can someone enlighten me here?

For me it is easier to create a treelike structure of rules using head and
group and going from coarse to fine grained rules. With linear rules (first match),
ordering of rules is more important, and with 20+ rules you get problems with
side effects (rule 20 is never evaluated because rule 8 will fire first. You
can't simply swap both rules, because then rule 15 makes trouble, etc.).
IIRC you can achieve the same results with both, but it is more cumbersome for
larger rulesets with first match only.

The best might be to implement a larger ruleset both ways and see what you
like more :-)

Regards,
Holger Kipp

-- 
Holger Kipp, Dipl.-Math., Systemadministrator  | alogis AG
Fon: +49 (0)30 / 43 65 8 - 114                 | Berliner Strasse 26
Fax: +49 (0)30 / 43 65 8 - 214                 | D-13507 Berlin Tegel
email: holger.kipp () alogis com                  | http://www.alogis.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
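The two matching disciplines discussed in the thread, as an added illustration that is not part of the original posts: a toy evaluator that runs the same packets through a linear first-match ruleset and through an ipfilter-style last-match ruleset with `quick` and a simplified head/group tree. The head/group handling is a deliberately simplified model, not ipfilter's actual code, and the networks, ports and rule indices are constructed for the example. The trace of consulted rules makes the "rule 20 is never evaluated because rule 8 fires first" effect visible.

```python
"""Toy evaluator contrasting two packet-filter matching disciplines:
'first' (first matching rule wins, as in most ACLs) and 'last' (ipfilter-style:
last matching rule wins unless a matching rule is marked 'quick'), with a
simplified model of ipf's head/group tree.  Illustration only: this is a model,
not ipfilter's code, and the networks and ports below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str = "any"
    src: str = "any"             # CIDR or "any"
    dst: str = "any"
    dport: Optional[int] = None
    quick: bool = False          # ipf 'quick': stop evaluating once this rule matches
    head: Optional[int] = None   # this rule opens group N (consulted only when it matches)
    group: int = 0               # group this rule belongs to; 0 is the top level

    def matches(self, p: Packet) -> bool:
        def in_net(addr: str, net: str) -> bool:
            return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return (self.proto in ("any", p.proto)
                and in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and (self.dport is None or self.dport == p.dport))


Decision = Tuple[str, int]   # (action, index of the rule that decided)


def _walk(rules, pkt, discipline, group, trace):
    """Evaluate one group; returns (decision, stopped) where stopped means
    evaluation ended early (first-match hit or a 'quick' rule matched)."""
    decision: Optional[Decision] = None
    for i, r in enumerate(rules):
        if r.group != group:
            continue
        trace.append(i)                      # record every rule actually consulted
        if not r.matches(pkt):
            continue
        decision = (r.action, i)
        if r.head is not None:
            # Simplified head/group: descend into the subtree; a match inside it
            # overrides the head rule, whose own action is the subtree's default.
            sub, stopped = _walk(rules, pkt, discipline, r.head, trace)
            if sub is not None:
                decision = sub
            if stopped:
                return decision, True
        if discipline == "first" or r.quick:
            return decision, True
    return decision, False


def evaluate(rules: List[Rule], pkt: Packet, discipline: str):
    """Return (decision, trace of consulted rule indices) under 'first' or 'last'."""
    trace: List[int] = []
    decision, _ = _walk(rules, pkt, discipline, 0, trace)
    return decision, trace


# Linear, first-match style ruleset (constructed).  Rule 1 is shadowed by rule 0:
# for the packet it was written for, it is never even consulted.
LINEAR = [
    Rule("block", proto="tcp", src="10.0.0.0/8"),                     # 0 coarse block
    Rule("pass",  proto="tcp", src="10.1.0.0/16", dport=22),          # 1 admin net may ssh (shadowed)
    Rule("pass",  proto="tcp", dport=80),                             # 2 web from anywhere
    Rule("block"),                                                    # 3 default
]

# The policy rule 1 intended, written ipf-style (constructed): default block first,
# coarse rule refined inside a group, 'quick' where a decision should be final.
TREE = [
    Rule("block"),                                                    # 0 default, coarsest
    Rule("block", proto="tcp", src="10.0.0.0/8", head=1),             # 1 coarse: 10/8, refined in group 1
    Rule("pass",  proto="tcp", src="10.1.0.0/16", dport=22, group=1), # 2 fine: admin net may ssh
    Rule("pass",  proto="tcp", dport=80, quick=True),                 # 3 web from anywhere, decide now
]

# Constructed sample packets.
ADMIN_SSH = Packet("tcp", "10.1.2.3", "192.0.2.10", 22)
OTHER_SSH = Packet("tcp", "10.2.2.3", "192.0.2.10", 22)
WEB = Packet("tcp", "198.51.100.7", "192.0.2.10", 80)

if __name__ == "__main__":
    for name, rules, disc in (("linear/first", LINEAR, "first"), ("tree/last", TREE, "last")):
        for pkt in (ADMIN_SSH, OTHER_SSH, WEB):
            print(name, pkt.src, pkt.dport, evaluate(rules, pkt, disc))
```

Running it shows the two orderings the thread contrasts: under first-match, `ADMIN_SSH` is decided by rule 0 with a trace of `[0]`, so rule 1 is never consulted; under last-match with the tree layout, the same packet walks `[0, 1, 2, 3]` and is decided by the fine-grained rule 2, while `WEB` stops early at the `quick` rule 3. Feeding `LINEAR` to the last-match evaluator is also instructive: its trailing default block then wins for everything it matches, which is why ipf-style rulesets put the catch-all first.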

