On Thu, Feb 21, 2008 at 10:50:50AM -0500, Rod Dorman wrote:
> On Thursday, February 21, 2008, 09:22:25, Darrin Chandler wrote:
> > ...
> > One good reason for last match wins is that the rules proceed from most
> > general to most specific. This is a normal way for humans to think, and
> > once you get used to it I bet you like it better. For me it makes it
> > easier to read, write, and maintain rules than using the first-match way
> > of listing all exceptions without knowing the general (or default) case.
> > But that's dependent on how you look at it and approach it.
>
> Isn't the general rule of thumb to allow only what you explicitly need
> and reject everything else?
>
> When I'm working with a Cisco IOS access-list I find it's much easier to
> state each specific "allow routing to this port on this host" and let
> the final "deny any" catch and reject the remainder.
Yes, but you have to read the entire Cisco rule set to know that. In PF...

deny all
allow this
allow that

Right away you know that the default policy is deny. Explicitly, and right
up front. When looking at PF rules if the first thing isn't deny then I
immediately know that (and I am also very suspicious at that point).

I prefer this, personally. I also think it's a good practice, generally. I
realize that other popular schemes do it the other way around and that many
people are more familiar and comfortable that way. But I am glad that PF
works as it does.

-- 
Darrin Chandler            |  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]          |  http://phxbug.org/      |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation
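To make the two orderings in this thread concrete, the following is an added example (not from the list discussion) that models PF's last-match evaluation, including the `quick` keyword, next to a Cisco-style first-match ACL over a constructed ruleset. The hosts and ports are made up, and `Rule`/`Packet` are illustrative types, not PF's or IOS's own data structures.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str                    # "block" or "pass"
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port
    dst: Optional[str] = None      # None matches any destination host
    quick: bool = False            # PF 'quick': stop evaluating on match

@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    dst: str

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.dst is None or rule.dst == pkt.dst))

def pf_decide(rules: List[Rule], pkt: Packet) -> str:
    """PF: every rule is evaluated and the LAST match wins, except that a
    matching 'quick' rule ends evaluation at once. A packet that matches
    nothing is passed, hence the thread's explicit 'block all' up front."""
    verdict = "pass"
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict

def acl_decide(rules: List[Rule], pkt: Packet) -> str:
    """Cisco IOS access-list: FIRST match wins, implicit 'deny any' at the end."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"

# Constructed PF-style ruleset: the default first, then the exceptions.
PF_RULES = [
    Rule("block"),                                        # block all
    Rule("pass", proto="tcp", dport=22, dst="10.0.0.5"),  # ssh to admin host
    Rule("pass", proto="tcp", dport=80),                  # web to any host...
    Rule("block", proto="tcp", dport=80, dst="10.0.0.9"), # ...except this one
]
# The same policy in ACL order: most specific first, no leading default.
ACL_RULES = list(reversed(PF_RULES[1:]))
# Tagging the leading 'block all' with quick would silently discard everything.
QUICK_MISTAKE = [Rule("block", quick=True)] + PF_RULES[1:]
```

Both rulesets yield the same verdict for every packet; the difference is that the PF form states the default on its first line, while the ACL form relies on the reader knowing about the implicit deny at the end.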