Why does pf work with last matching rule wins

Hi, I wonder why pf works from top to bottom in filtering with last matching rule wins but in adress translation from top to bottom with first matching rule wins. Sure, I can use quick on every rule in filtering to have first matching rule wins. Me thinks it would be better if both filtering

Re: Why does pf work with last matching rule wins

On Thu, Feb 21, 2008 at 12:19:54PM +0100, Guido Tschakert wrote: I wonder why pf works from top to bottom in filtering with last matching rule wins but in adress translation from top to bottom with first matching rule wins. I've wondered about the difference between NAT and filter rules

Re: Why does pf work with last matching rule wins

Darrin Chandler wrote: One good reason for last match wins is that the rules proceed from most general to most specific. ... I'm fairly comfortable with PF, but that way of looking at it really helps. Regards, -Lars

Re: Why does pf work with last matching rule wins

On February 21, 2008 05:19:54 am Guido Tschakert wrote: Hi, I wonder why pf works from top to bottom in filtering with last matching rule wins but in adress translation from top to bottom with first matching rule wins. Sure, I can use quick on every rule in filtering to have first matching

Re: Why does pf work with last matching rule wins

On Thursday, February 21, 2008, 09:22:25, Darrin Chandler wrote: ... One good reason for last match wins is that the rules proceed from most general to most specific. This is a normal way for humans to think, and once you get used to it I bet you like it better. For me it makes it easier to

Re: Why does pf work with last matching rule wins

On Thu, Feb 21, 2008 at 10:50:50AM -0500, Rod Dorman wrote: On Thursday, February 21, 2008, 09:22:25, Darrin Chandler wrote: ... One good reason for last match wins is that the rules proceed from most general to most specific. This is a normal way for humans to think, and once you get

Re: Why does pf work with last matching rule wins

On 2/21/08, Rod Dorman [EMAIL PROTECTED] wrote: Isn't the general rule of thumb to allow only what you explicitly need and reject everything else? When I'm working with a Cisco IOS access-list I find its much easier to state each specific allow routing to this port on this host and let

Re: Why does pf work with last matching rule wins

Vijay Sankar escreveu: On February 21, 2008 05:19:54 am Guido Tschakert wrote: Hi, I wonder why pf works from top to bottom in filtering with last matching rule wins but in adress translation from top to bottom with first matching rule wins. Sure, I can use quick on every rule in filtering

Re: Why does pf work with last matching rule wins

On Thursday, February 21, 2008, 12:11:27, Darrin Chandler wrote: On Thu, Feb 21, 2008 at 10:50:50AM -0500, Rod Dorman wrote: ... When I'm working with a Cisco IOS access-list I find its much easier to state each specific allow routing to this port on this host and let the final deny any

Re: Why does pf work with last matching rule wins

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrin Chandler Sent: Friday, 22 February 2008 12:52 AM To: Guido Tschakert Cc: OpenBSD Misc Subject: Re: Why does pf work with last matching rule wins [snip] Don't use quick that way. If you can't