Firewall Wizards mailing list archives

Re: Rationale for BSD (I)PF rule order?

From: Barney Wolff <barney () databus com>
Date: Thu, 8 May 2003 13:37:54 -0400

On Thu, May 08, 2003 at 02:59:39PM +0200, Volker Tanger wrote:


I was not able to find a rationale for the BSD type of packet filter
application. Where most FW/ACL implementations follow "first match", BSD
usually takes "last match" (if you don't use the "quick" method).

Is there a reason why that was decided this way? Especially as I
currently cannot see advantages for this behaviour, only performance
disadvantages. Can someone enlighten me here?


I can't supply a rationale for last-match, but note that ipfw is first
match, not last.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Rationale for BSD (I)PF rule order? Volker Tanger (May 08)
- Re: Rationale for BSD (I)PF rule order? Barney Wolff (May 08)
  - Re: Rationale for BSD (I)PF rule order? Henning Brauer (May 09)
- Re: Rationale for BSD (I)PF rule order? Holger Kipp (May 09)
  - Re: Rationale for BSD (I)PF rule order? Mikael Olsson (May 09)
    - Re: Rationale for BSD (I)PF rule order? Bill Royds (May 09)
    - Re: Rationale for BSD (I)PF rule order? Barney Wolff (May 10)
    - Re: Rationale for BSD (I)PF rule order? David Pick (May 10)
- <Possible follow-ups>
- RE: Rationale for BSD (I)PF rule order? Smith Gary-GSMITH1 (May 09)
- RE: Rationale for BSD (I)PF rule order? Stewart, John (May 09)
  - Re: Rule lookup strategies (Was: Rationale for BSD (I)PF rule order?) Mikael Olsson (May 09)
    - Re: Rule lookup strategies (Was: Rationale for BSD (I)PF rule order?) Gary Flynn (May 10)

(Thread continues...)