Firewall Wizards mailing list archives

Re: Rationale for BSD (I)PF rule order?


From: Henning Brauer <hostmaster () bsws de>
Date: Fri, 9 May 2003 01:10:17 +0200

On Thu, May 08, 2003 at 01:37:54PM -0400, Barney Wolff wrote:
On Thu, May 08, 2003 at 02:59:39PM +0200, Volker Tanger wrote:

I was not able to find a rationale for the BSD type of packet filter
application. Where most FW/ACL implementations follow "first match", BSD
usually takes "last match" (if you don't use the "quick" method).

Is there a reason why that was decided this way? Especially as I
currently cannot see advantages for this behaviour, only performance
disadvantages. Can someone enlighten me here?

I can't supply a rationale for last-match, but note that ipfw is first
match, not last.

actually, it's a matter of taste. you can play some games with last 
match that are close to impossible, but I'd rather see it this way: pf 
supports both ways, 1st match and last match ;-)

-- 
Henning Brauer, BS Web Services, http://bsws.de
hb () bsws de - henning () openbsd org
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
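Henning's point that pf supports both orderings, as an added example that is not from the thread and not pf's own code: a constructed model of pf's evaluation (last matching rule wins unless a matching rule carries `quick`), with one SSH policy written in last-match style, in first-match style with `quick`, and in the misordered form that bites people who assume first-match without `quick`. The addresses are documentation-range samples.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of pf's rule evaluation (assumption, not pf's code):
# every matching rule is remembered and the LAST one wins, unless a
# matching rule is marked "quick", which ends evaluation there.


@dataclass
class Rule:
    action: str               # "pass" or "block"
    src: str = "any"          # source prefix in CIDR notation, or "any"
    dport: Optional[int] = None
    quick: bool = False

    def matches(self, src_ip: str, dport: int) -> bool:
        in_src = self.src == "any" or ip_address(src_ip) in ip_network(self.src)
        return in_src and (self.dport is None or self.dport == dport)


def evaluate(rules: list, src_ip: str, dport: int) -> str:
    """Action pf-style evaluation applies to a packet (default: block)."""
    decision = "block"
    for rule in rules:
        if rule.matches(src_ip, dport):
            decision = rule.action
            if rule.quick:        # first-match behaviour on demand
                break
    return decision


# Policy: allow SSH from anywhere except 192.0.2.0/24 (sample network).
# Last-match style: the narrowest rule goes LAST so it overrides.
LAST_MATCH = [
    Rule("block"),
    Rule("pass", dport=22),
    Rule("block", src="192.0.2.0/24", dport=22),
]

# First-match style with "quick": the narrowest rule goes FIRST and is terminal.
FIRST_MATCH = [
    Rule("block", src="192.0.2.0/24", dport=22, quick=True),
    Rule("pass", dport=22, quick=True),
    Rule("block"),
]

# Pitfall: first-match ordering written WITHOUT "quick". The later "pass"
# silently overrides the exception, so the excluded network gets in.
MISORDERED = [
    Rule("block", src="192.0.2.0/24", dport=22),
    Rule("pass", dport=22),
]


def decisions(rules: list) -> dict:
    """Decision for a permitted and an excluded source (sample addresses)."""
    return {ip: evaluate(rules, ip, 22) for ip in ("198.51.100.7", "192.0.2.9")}
```

Comparing `decisions(LAST_MATCH)` with `decisions(FIRST_MATCH)` shows the two styles enforce the same policy; `decisions(MISORDERED)` shows the exception being overridden.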
