On 22 Aug 2004 13:40:32 -0700, [EMAIL PROTECTED] (Alex X. Liu) wrote:
>Hi, Friends:
>
>Could anyone explain why OpenBSD Packet Filter chooses the last matching
>rule for each packet?
I assume it's historical given its heritage.
>Is there any benefit over choosing the first
>matching rule for each packet?
Cue the inevitable religious debate.
>Did I miss any advantage of choosing the last matching rule?
First match combined with a default block policy is easy to do with pf
~~ # pfctl -sr | wc -l
41
~~ # pfctl -sr | grep -c quick
37
The 'quick' keyword is all you need.
greg
--
It is my part - no
My part - no
Because that is my part - no
My part - no
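
The evaluation order discussed in this thread, as an added example that is not part of the original posts: a simplified Python model of pf's rule walk, where the last matching rule wins unless a matching rule carries `quick`. The `Rule` class, the addresses and the ports are constructed for illustration; real pf matches on many more fields.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str = "0.0.0.0/0"       # source network (assumed IPv4 only)
    port: Optional[int] = None   # destination port, None means any
    quick: bool = False

    def matches(self, src_ip, dport):
        return (ip_address(src_ip) in ip_network(self.src)
                and self.port in (None, dport))


def evaluate(rules, src_ip, dport):
    """Walk the whole ruleset; remember the last match, stop early on quick."""
    verdict = "pass"             # pf passes a packet that matches no rule
    for rule in rules:
        if rule.matches(src_ip, dport):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


# Last-match style: general policy first, exceptions after it.
LAST_MATCH = [
    Rule("block"),
    Rule("pass", port=22),
    Rule("block", src="192.0.2.0/24", port=22),
]
# First-match style: every rule quick, most specific first, default block last.
FIRST_MATCH = [Rule(r.action, r.src, r.port, quick=True)
               for r in reversed(LAST_MATCH)]
# Pitfall: adding quick without reordering lets the leading block-all win.
NAIVE_QUICK = [Rule(r.action, r.src, r.port, quick=True) for r in LAST_MATCH]

# Constructed sample packets: (source address, destination port).
PACKETS = [("198.51.100.7", 22), ("192.0.2.9", 22), ("198.51.100.7", 80)]


def verdicts(rules):
    return [evaluate(rules, src, port) for src, port in PACKETS]


if __name__ == "__main__":
    for name in ("LAST_MATCH", "FIRST_MATCH", "NAIVE_QUICK"):
        print(name, verdicts(globals()[name]))
```
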