On February 21, 2008 05:19:54 am Guido Tschakert wrote:
> Hi,
>
> I wonder why pf works from top to bottom in filtering with last matching
> rule wins but in address translation from top to bottom with first
> matching rule wins.
>
> Sure, I can use "quick" on every rule in filtering to have "first
> matching rule wins".
>
> Methinks it would be better if both filtering and address translation
> worked the same (like first rule wins), but I think there are reasons to
> do it the pf way, but I don't see them.
> Any enlightenment for me?
>
> thanks guido
To me (from a layman's perspective), it seems like first match wins is more logical for NAT and last match wins seems more correct for filtering. While writing NAT rules I have not had a situation where one NAT rule negates the previous rules, whereas with filtering rules you could conceivably have that issue. Also, since you have to use a filter to allow NAT (assuming you are not using rdr pass), to me the current approach makes reading a pf.conf file easier.

Anyways. FWIW, that is what I thought was the reasoning behind this approach.

--
Vijay Sankar, M.Eng., P.Eng.
President & CEO
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB Canada R3J 0X6
Phone: +1 204 885 9535, E-Mail: [EMAIL PROTECTED]
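As an added illustration of the two evaluation orders discussed in this thread (not part of either message), here is a pf.conf fragment in the classic nat/rdr syntax; the interface names and the RFC 5737 documentation addresses are constructed for the example, and the comments state which rule wins in each case:

```pf
# Constructed example: which rule wins for translation vs. filtering.
ext_if = "em0"
int_if = "em1"
lan_net = "192.168.1.0/24"

# Translation rules: FIRST matching rule wins.  The host-specific rule
# must come before the subnet-wide one, or it is never reached and
# 192.168.1.10 would be translated to ($ext_if) like everyone else.
nat on $ext_if from 192.168.1.10 to any -> 203.0.113.10
nat on $ext_if from $lan_net to any -> ($ext_if)

# Filter rules: LAST matching rule wins.  The broad default comes first
# and the specific exception after it; inbound TCP/22 to the external
# address matches both rules, and the later "pass" is the one applied.
block in on $ext_if all
pass in on $ext_if proto tcp from any to ($ext_if) port 22

# "quick" stops evaluation at the matching rule, giving first-match
# behaviour for that rule only.  TCP/80 from 198.51.100.0/24 matches the
# block below and the pass after it, but the block wins because of quick.
block in quick on $ext_if from 198.51.100.0/24 to any
pass in on $ext_if proto tcp from any to ($ext_if) port 80

# Translation alone does not pass traffic: a filter rule is still needed
# for the translated packets, as noted in the reply above.
pass out on $ext_if from ($ext_if) to any keep state
```

Running `pfctl -nf pf.conf` parses the file without loading it, which is a cheap way to catch syntax errors before the rule set is applied.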