> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Darrin Chandler
> Sent: Friday, 22 February 2008 12:52 AM
> To: Guido Tschakert
> Cc: OpenBSD Misc
> Subject: Re: Why does pf work with last matching rule wins

[snip]

> Don't use quick that way. If you can't stand the way PF works it would
> be better to use something else. Using PF as intended will
> let you have normal conversations, look at example rules, &c., &c.
> One good reason for last match wins is that the rules proceed
> from most general to most specific. This is a normal way for humans to
> think, and once you get used to it I bet you like it better. For me it makes it
> easier to read, write, and maintain rules than using the
> first-match way of listing all exceptions without knowing the general (or
> default) case.

To be honest, I think the opposite is the case. From my point of view, reading through a rule set having to keep in mind all previous matching rules to decide the fate of a particular packet is a headache. And you have to read all of the rules, not just up to the first match. But I would never ask to change the default behaviour, because I can "do it my way" with the quick keyword. Everyone is happy! OpenBSD pf rocks!
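The two evaluation styles argued about above can be made concrete with a small model of how pf walks a ruleset: the last matching rule decides, unless a matching rule carries `quick`, which ends evaluation on the spot. The following is an added example written for this thread, not code from OpenBSD or from either poster; the `Rule`/`evaluate` model, the two constructed rulesets and the sample packets are all assumptions made here. The same policy is written once in the general-to-specific, last-match style and once in the all-`quick`, exceptions-first style, and a third ruleset shows the pitfall the reply describes: a `block` placed before a more specific `pass`, without `quick`, is silently overridden.

```python
"""Toy model of pf rule evaluation (constructed for illustration, not pf's code).

Semantics modelled:
  * rules are evaluated top to bottom;
  * the LAST rule that matches decides the packet's fate;
  * a matching rule with 'quick' stops evaluation immediately;
  * a packet matched by no rule passes (pf's default when no rule matches).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # "in", "out", or None for any
    proto: Optional[str] = None      # "tcp", "udp", or None for any
    src: Optional[str] = None        # source address, or None for any
    dport: Optional[int] = None      # destination port, or None for any
    quick: bool = False              # stop evaluating once this rule matches

    def matches(self, pkt: Dict[str, object]) -> bool:
        # A None field is a wildcard; anything else must equal the packet's field.
        wanted = (("direction", self.direction), ("proto", self.proto),
                  ("src", self.src), ("dport", self.dport))
        return all(want is None or want == pkt[key] for key, want in wanted)


def evaluate(rules: List[Rule], pkt: Dict[str, object]) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the rule that decided) for one packet."""
    decision, winner = "pass", None      # default: no matching rule -> pass
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            decision, winner = rule.action, i   # later matches override earlier ones
            if rule.quick:
                break                           # 'quick' short-circuits the walk
    return decision, winner


# Constructed ruleset 1: general to specific, last match wins (the quoted poster's style).
LAST_MATCH_STYLE = [
    Rule("block"),                                              # block all
    Rule("pass", direction="out"),                              # pass out all
    Rule("pass", direction="in", proto="tcp", dport=22),        # pass in proto tcp to port 22
    Rule("block", direction="in", src="10.0.0.5", quick=True),  # block in quick from 10.0.0.5
]

# Constructed ruleset 2: the same policy, every rule 'quick', exceptions first (the reply's style).
QUICK_STYLE = [
    Rule("block", direction="in", src="10.0.0.5", quick=True),
    Rule("pass", direction="in", proto="tcp", dport=22, quick=True),
    Rule("pass", direction="out", quick=True),
    Rule("block", quick=True),
]

# Constructed ruleset 3: the pitfall. The block for 10.0.0.5 has no 'quick' and sits
# before the more specific 'pass', so the later pass overrides it.
MISORDERED = [
    Rule("block"),
    Rule("pass", direction="out"),
    Rule("block", direction="in", src="10.0.0.5"),
    Rule("pass", direction="in", proto="tcp", dport=22),
]

# Constructed sample packets (addresses from documentation/private ranges).
PACKETS = {
    "ssh_in":          {"direction": "in",  "proto": "tcp", "src": "192.0.2.10", "dport": 22},
    "http_in":         {"direction": "in",  "proto": "tcp", "src": "192.0.2.10", "dport": 80},
    "dns_out":         {"direction": "out", "proto": "udp", "src": "192.0.2.1",  "dport": 53},
    "ssh_from_banned": {"direction": "in",  "proto": "tcp", "src": "10.0.0.5",   "dport": 22},
}


def decide_all(rules: List[Rule]) -> Dict[str, str]:
    """Map each sample packet name to the decision the ruleset reaches for it."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("last-match style", LAST_MATCH_STYLE),
                         ("quick style", QUICK_STYLE),
                         ("misordered", MISORDERED)):
        print(f"{label:17s} {decide_all(rules)}")
```

Both well-formed rulesets reach identical decisions; they differ only in how a reader has to reason about them. With the last-match style, deciding `ssh_from_banned` means noticing that rules 0, 2 and 3 all match and that the last of them is both `block` and `quick`; with the all-`quick` style, the first match settles it. The `MISORDERED` set is the reason that care matters: the `block` for `10.0.0.5` does match, but the later, more specific `pass` wins, so a lint step that runs `evaluate` against a handful of representative packets, as `decide_all` does here, is a cheap regression check for any pf-style ruleset change.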