Firewall Wizards mailing list archives
Re: Rationale for BSD (I)PF rule order?
From: Holger Kipp <holger.kipp () alogis com>
Date: Fri, 09 May 2003 13:00:03 +0200
Volker Tanger wrote:
I was not able to find a rationale for the BSD type of packet filter application. Where most FW/ACL implementations follow "first match", BSD usually takes "last match" (if you don't use the "quick" method).
Is there a reason why that was decided this way? Especially as I currently cannot see advantages for this behaviour, only performance disadvantages. Can someone enlighten me here?
For me it is easier to create a treelike structure of rules using head and group and going from coarse to fine grained rules. With linear rules (first match), ordering of rules is more important, and with 20+ rules you get problems with side effects (rule 20 is never evaluated because rule 8 will fire first. You can't simply swap both rules, because then rule 15 makes trouble, etc.). IIRC you can achieve the same results with both, but it is more cumbersome for larger rulesets with first match only.

The best might be to implement a larger ruleset both ways and see what you like more :-)

Regards,
Holger Kipp

--
Holger Kipp, Dipl.-Math., Systemadministrator | alogis AG
Fon: +49 (0)30 / 43 65 8 - 114 | Berliner Strasse 26
Fax: +49 (0)30 / 43 65 8 - 214 | D-13507 Berlin Tegel
email: holger.kipp () alogis com | http://www.alogis.com
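The first-match versus last-match (with "quick") behaviour and the rule-shadowing side effect discussed in this reply, as an added example that is not part of the original thread: a small Python evaluator with a constructed, simplified rule syntax (CIDR source and destination port only, not pf/ipf's real grammar), a constructed coarse-to-fine ruleset, and a static check that reports rules an earlier rule fully covers under first-match.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:  # constructed, simplified rule, not pf/ipf syntax
    action: str                  # "pass" or "block"
    src: str = "any"             # source CIDR or "any"
    dport: Optional[int] = None  # None matches every destination port
    quick: bool = False          # pf/ipf "quick": stop evaluating on match

    def matches(self, src: str, dport: int) -> bool:
        src_ok = self.src == "any" or ip_address(src) in ip_network(self.src)
        return src_ok and (self.dport is None or self.dport == dport)

def first_match(rules, src, dport, default="block"):
    """Most ACL engines: the first matching rule decides."""
    for r in rules:
        if r.matches(src, dport):
            return r.action
    return default

def last_match(rules, src, dport, default="block"):
    """ipf/pf: the last matching rule decides, unless a matching rule is 'quick'."""
    decision = default
    for r in rules:
        if r.matches(src, dport):
            decision = r.action
            if r.quick:
                break
    return decision

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matching rule b also matches rule a."""
    src_ok = a.src == "any" or (b.src != "any" and ip_network(b.src).subnet_of(ip_network(a.src)))
    return src_ok and (a.dport is None or a.dport == b.dport)

def shadowed_first_match(rules) -> List[int]:
    """Indexes of rules that can never fire under first-match: an earlier rule covers them."""
    return [j for j in range(len(rules)) if any(covers(rules[i], rules[j]) for i in range(j))]

# Constructed ruleset written coarse-to-fine, the natural order for a last-match engine
COARSE_TO_FINE = [
    Rule("block"),                              # default: block everything
    Rule("pass", src="10.0.0.0/8"),             # allow the internal net ...
    Rule("block", src="10.0.5.0/24"),           # ... except one subnet ...
    Rule("pass", src="10.0.5.0/24", dport=22),  # ... which may still reach port 22
]
FINE_TO_COARSE = list(reversed(COARSE_TO_FINE))  # the same policy for a first-match engine
```

Running shadowed_first_match on COARSE_TO_FINE reports rules 1 to 3 as dead (rule 0 always fires first), while the reversed list has no shadowed rules and yields the same decisions under first-match that the original yields under last-match.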