On Thursday, February 21, 2008, 09:22:25, Darrin Chandler wrote:
> ...
> One good reason for last match wins is that the rules proceed from most
> general to most specific. This is a normal way for humans to think, and
> once you get used to it I bet you like it better. For me it makes it
> easier to read, write, and maintain rules than using the first-match way
> of listing all exceptions without knowing the general (or default) case.
But that's dependent on how you look at it and approach it. Isn't the general rule of thumb to allow only what you explicitly need and reject everything else? When I'm working with a Cisco IOS access-list I find it's much easier to state each specific "allow routing to this port on this host" and let the final "deny any" catch and reject the remainder.

--
[EMAIL PROTECTED]
Rod Dorman
"The avalanche has already started, it is too late for the pebbles to vote." - Ambassador Kosh
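The two styles discussed in this thread (pf's last-match-wins with a general block first, versus an IOS access-list's first-match with specific permits and a trailing "deny any") can be modelled side by side. The following Python is an added example written for this thread, not code from either poster; the rules, addresses and packets are constructed, and the evaluator is a simplified model that only considers destination address and port. It shows that the two orderings reach identical decisions for the same policy, and what goes wrong when a general rule is placed at the wrong end for the semantics in use (the common review finding when a ruleset is ported between the two worlds).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    dst: str               # destination network in CIDR ("0.0.0.0/0" = any)
    port: Optional[int]    # destination port; None matches any port
    quick: bool = False    # pf-style "quick": stop evaluating at this rule


def matches(rule: Rule, packet: dict) -> bool:
    """A rule matches when the packet's destination address and port fit it."""
    in_net = ip_address(packet["dst"]) in ip_network(rule.dst)
    port_ok = rule.port is None or rule.port == packet["port"]
    return in_net and port_ok


def evaluate(rules: List[Rule], packet: dict, semantics: str, default: str) -> str:
    """Return "pass" or "block" for one packet.

    semantics="last":  the last matching rule wins (pf's default), except that
                       a matching rule marked quick ends evaluation there.
    semantics="first": the first matching rule wins (IOS access-list).
    `default` is used when no rule matches (pf passes, an IOS ACL denies).
    """
    decision = default
    for rule in rules:
        if not matches(rule, packet):
            continue
        decision = rule.action
        if semantics == "first" or rule.quick:
            break
    return decision


# Constructed pf-style ruleset: the general block first, specific passes after.
PF_RULES = [
    Rule("block", "0.0.0.0/0", None),
    Rule("pass", "10.0.0.0/24", 22),
    Rule("pass", "10.0.0.0/24", 80),
]

# Constructed IOS-style access list: specific permits, explicit "deny any" last.
IOS_RULES = [
    Rule("pass", "10.0.0.0/24", 22),
    Rule("pass", "10.0.0.0/24", 80),
    Rule("block", "0.0.0.0/0", None),
]

# Constructed sample traffic (destination address and port only).
PACKETS = [
    {"dst": "10.0.0.5", "port": 22},      # allowed by policy
    {"dst": "10.0.0.5", "port": 80},      # allowed by policy
    {"dst": "10.0.0.5", "port": 23},      # telnet: not allowed
    {"dst": "192.168.1.1", "port": 22},   # ssh to a host outside the permitted net
]


def decisions(rules: List[Rule], semantics: str, default: str) -> List[str]:
    return [evaluate(rules, p, semantics, default) for p in PACKETS]


def rulesets_agree() -> bool:
    """Both styles yield the same decision for every sample packet."""
    return decisions(PF_RULES, "last", "pass") == decisions(IOS_RULES, "first", "block")


def misordered_pf() -> List[str]:
    """The pf ruleset with its general block moved to the end: under last-match
    semantics that block now overrides every specific pass, so nothing gets through."""
    reordered = PF_RULES[1:] + PF_RULES[:1]
    return decisions(reordered, "last", "pass")


def quick_rescue() -> str:
    """A specific pass marked quick stops evaluation at that rule, so it holds
    even when a general block follows it."""
    rules = [Rule("pass", "10.0.0.0/24", 22, quick=True), PF_RULES[0]]
    return evaluate(rules, PACKETS[0], "last", "pass")


if __name__ == "__main__":
    print("pf  (last match): ", decisions(PF_RULES, "last", "pass"))
    print("IOS (first match):", decisions(IOS_RULES, "first", "block"))
    print("pf misordered:    ", misordered_pf())
    print("quick rescue:     ", quick_rescue())
```

Run as a script to see the four decision lists. The useful check for a reviewer is `misordered_pf()`: a ruleset that reads naturally in first-match style becomes a blanket deny when evaluated last-match, which is the kind of ordering mismatch to look for when a policy is translated between the two systems.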