Hi, Friends: Could anyone explain why OpenBSD Packet Filter chooses the last matching rule for each packet? Is there any benefit over choosing the first matching rule for each packet?

My understanding is that choosing the last matching rule has only disadvantages compared to choosing the first rule. First, in terms of effectiveness, choosing the last matching rule is the same as choosing the first rule. They are symmetric in resolving conflicts among rules. Second, in terms of efficiency, choosing the last matching rule is worse than choosing the first rule because for each packet, the firewall that chooses the last matching rule needs to go through all the rules, while the firewall that chooses the first matching rule only needs to go through the rules from the first rule to the first matching rule. Did I miss any advantage of choosing the last matching rule? Thank you a lot!!!

Regards,
Alex Liu
------------------------------------------------------------
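To make the comparison in the question concrete, here is an added example that is not part of the original post. It is a toy rule evaluator, not PF code and not PF syntax: the `Rule` and `Packet` classes, the rulesets and the sample packets are constructed for illustration. It shows the two points raised above, that a last-match ruleset and its reversed first-match ruleset reach the same decisions, and that plain last-match evaluation examines every rule for every packet. The `quick` flag models PF's real `quick` keyword, which ends evaluation at the matching rule, so a last-match ruleset can get first-match style early exit by marking rules `quick`; the default when nothing matches follows PF, which passes the packet.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed, simplified rule model: enough to show evaluation order, not PF syntax.
@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: Optional[str] = None  # None matches any protocol
    port: Optional[int] = None   # None matches any destination port
    quick: bool = False          # models PF's "quick": a matching quick rule ends evaluation


@dataclass(frozen=True)
class Packet:
    proto: str
    port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.port is None or rule.port == pkt.port))


def first_match(rules: List[Rule], pkt: Packet, default: str = "pass") -> Tuple[str, int]:
    """First matching rule decides; evaluation stops there.
    Returns (decision, number of rules examined)."""
    for examined, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.action, examined
    return default, len(rules)


def last_match(rules: List[Rule], pkt: Packet, default: str = "pass") -> Tuple[str, int]:
    """PF style: the last matching rule decides, unless a matching rule is
    marked quick, in which case evaluation stops at that rule.
    Returns (decision, number of rules examined)."""
    decision, examined = default, 0
    for examined, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            decision = rule.action
            if rule.quick:
                break
    return decision, examined


# Constructed rulesets. Because an unmatched packet passes by default, the
# catch-all "block" goes first under last-match and last under first-match.
LAST_MATCH_RULES = [
    Rule("block"),                        # block everything...
    Rule("pass", proto="tcp", port=22),   # ...then allow ssh
    Rule("pass", proto="tcp", port=443),  # ...and https
]
# The same policy for a first-match engine is simply the reversed list.
FIRST_MATCH_RULES = list(reversed(LAST_MATCH_RULES))
# Last-match with quick: specific rules first, catch-all block last.
QUICK_RULES = [
    Rule("pass", proto="tcp", port=22, quick=True),
    Rule("pass", proto="tcp", port=443, quick=True),
    Rule("block"),
]

# Constructed sample traffic: allowed ssh, allowed https, telnet, udp dns.
SAMPLE_PACKETS = [Packet("tcp", 22), Packet("tcp", 443), Packet("tcp", 23), Packet("udp", 53)]


def evaluate(rules: List[Rule],
             evaluator: Callable[[List[Rule], Packet], Tuple[str, int]],
             packets: List[Packet] = SAMPLE_PACKETS) -> List[Tuple[str, int]]:
    """Run one evaluation strategy over all sample packets."""
    return [evaluator(rules, p) for p in packets]


if __name__ == "__main__":
    for label, rules, fn in [("last-match", LAST_MATCH_RULES, last_match),
                             ("first-match", FIRST_MATCH_RULES, first_match),
                             ("last-match+quick", QUICK_RULES, last_match)]:
        print(label)
        for pkt, (decision, examined) in zip(SAMPLE_PACKETS, evaluate(rules, fn)):
            print(f"  {pkt.proto}/{pkt.port}: {decision} after examining {examined} rule(s)")
```

Running it shows identical decisions for all three rulesets; the plain last-match ruleset examines all three rules for every packet, while the first-match ruleset and the `quick` ruleset both stop as soon as a specific rule matches.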
