On Thu, Feb 21, 2008 at 12:19:54PM +0100, Guido Tschakert wrote:
> I wonder why pf works from top to bottom in filtering with last matching
> rule wins but in address translation from top to bottom with first
> matching rule wins.

I've wondered about the difference between NAT and filter rules myself. I
have no answer.

> Sure, I can use "quick" on every rule in filtering to have "first
> matching rule wins".
>
> Me thinks it would be better if both filtering and address translation
> works the same (like first rule wins), but I think there are reasons to
> do it the pf way, but I don't see them.
> Any enlightenment for me?

Don't use quick that way. If you can't stand the way PF works it would be
better to use something else. Using PF as intended will let you have normal
conversations, look at example rules, &c., &c.

One good reason for last match wins is that the rules proceed from most
general to most specific. This is a normal way for humans to think, and once
you get used to it I bet you like it better. For me it makes it easier to
read, write, and maintain rules than using the first-match way of listing
all exceptions without knowing the general (or default) case.

-- 
Darrin Chandler            |  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]          |  http://phxbug.org/      |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation
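To make the two evaluation orders discussed in this thread concrete, here is a small Python model of them. It is an added example, not pf's code and not something from the list: the `Packet` and `Rule` classes, the `eval_filter` and `eval_translation` functions, the addresses and the rulesets are all constructed for illustration, and pf's real matching is far richer than the four fields modelled here. It goes slightly beyond the thread in that it also shows the rewrite Guido mentions (every rule marked `quick`, so the first match wins) and checks that it makes the same decisions as the general-to-specific ruleset, and it shows why ordering matters for the separate nat/rdr rules of the time, where the first match wins and a more specific rule placed after a general one is never reached.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Constructed, minimal view of a packet: only the fields the toy rules match on."""
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """A toy pf-style rule. A field left as None matches anything (like 'any')."""
    action: str                   # "block"/"pass" for filter rules, "rdr" for translation rules
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    quick: bool = False           # filter rules only: stop evaluation when this rule matches
    target: Optional[str] = None  # translation rules only: where the packet is redirected

    def matches(self, p: Packet) -> bool:
        checks = ((self.proto, p.proto), (self.src, p.src),
                  (self.dst, p.dst), (self.dport, p.dport))
        return all(want is None or want == have for want, have in checks)


def eval_filter(rules: List[Rule], p: Packet) -> Optional[Rule]:
    """pf filter semantics: walk top to bottom, the last matching rule wins,
    unless a matching rule carries 'quick', which ends evaluation on the spot."""
    winner = None
    for r in rules:
        if r.matches(p):
            winner = r
            if r.quick:
                break
    return winner


def eval_translation(rules: List[Rule], p: Packet) -> Optional[Rule]:
    """Semantics of the separate nat/rdr rules of the time: the first match wins."""
    for r in rules:
        if r.matches(p):
            return r
    return None


# Constructed filter ruleset written the pf way: most general first, exceptions after.
FILTER_LAST_MATCH = [
    Rule("block"),                                          # default: block everything
    Rule("pass", proto="tcp", dport=22),                    # ...but allow ssh
    Rule("block", proto="tcp", src="10.0.0.99", dport=22),  # ...except from this host
]

# The same policy in first-match style: every rule quick, exceptions listed first.
FILTER_FIRST_MATCH = [
    Rule("block", proto="tcp", src="10.0.0.99", dport=22, quick=True),
    Rule("pass", proto="tcp", dport=22, quick=True),
    Rule("block", quick=True),
]

# Constructed rdr ruleset with the general rule first: the specific rule is shadowed.
RDR_GENERAL_FIRST = [
    Rule("rdr", dst="203.0.113.1", dport=80, target="10.0.0.10"),
    Rule("rdr", src="10.0.0.99", dst="203.0.113.1", dport=80, target="10.0.0.11"),
]

# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("tcp", "10.0.0.5", "203.0.113.1", 22),
    Packet("tcp", "10.0.0.99", "203.0.113.1", 22),
    Packet("udp", "10.0.0.5", "203.0.113.1", 53),
    Packet("tcp", "10.0.0.99", "203.0.113.1", 80),
]


def filter_decision(rules: List[Rule], p: Packet) -> str:
    r = eval_filter(rules, p)
    return r.action if r else "no-match"


def same_decisions(a: List[Rule], b: List[Rule], packets: List[Packet]) -> bool:
    """True when two filter rulesets decide every sample packet identically."""
    return all(filter_decision(a, p) == filter_decision(b, p) for p in packets)


def rdr_target(rules: List[Rule], p: Packet) -> Optional[str]:
    r = eval_translation(rules, p)
    return r.target if r else None


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p, "-> filter:", filter_decision(FILTER_LAST_MATCH, p),
              "| rdr:", rdr_target(RDR_GENERAL_FIRST, p))
    print("first-match rewrite decides the same:",
          same_decisions(FILTER_LAST_MATCH, FILTER_FIRST_MATCH, SAMPLE_PACKETS))
    print("rdr with the specific rule listed first:",
          rdr_target(list(reversed(RDR_GENERAL_FIRST)), SAMPLE_PACKETS[3]))
```

The point the model makes visible is that the same policy has to be written in opposite orders under the two styles: last-match lets the default sit at the top and the exceptions follow it, while first-match (or pf's nat/rdr rules) forces every exception to be listed before the general case, which is exactly the readability difference Darrin describes.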