[ previous ] [ next ] [ threads ]
 
 From:  Manuel Kasper <mk at neon1 dot net>
 To:  "Tracy Phillips" <m0n0 dash lists at weberize dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] I am confused on rule order
 Date:  Tue, 4 Nov 2003 07:29:01 +0100 
On 04.11.2003, at 02:21, Tracy Phillips wrote:

> I am under the impression that ipf rules are were evaluated and the 
> last
> rule that matched was the one that triggered a block.

Rules were processed on a first-match basis in pb18, too, but it didn't 
really make a difference because you could only have pass rules. So the 
rule order obviously didn't matter.

> Hint: rules are evaluated on a first-match basis (i.e. the action of 
> the
> first rule to match a packet will be
> executed). This means that if you use block rules, you'll have to pay
> attention to the rule order.
> Everything that isn't explicitly passed is blocked by default.
>
> This sounds more like ipfw doesn't it?

Yeah, or ipf with the "quick" statement on each rule. I think this is a 
good thing to do. Makes things more logical and faster, too (by not 
having to evaluate all rules for each packet).

- Manuel