Man for CIDR_TABLE(5) says:

    /etc/postfix/client.cidr:
    # Rule order matters. Put more specific whitelist entries
    # before more general blacklist entries.
    192.168.1.1      OK
    192.168.0.0/16   REJECT

I have been google-ing for information on order in a CIDR table to help me understand exactly what the above says. "Rule order matters." states this is important to understand. The point that whitelist (OK) should occur before blacklist (REJECT) is clear. Is there any more about order that is important to understand?

It seems to me DUNNO is a sort of whitelist action, so is there an order for OK and DUNNO? Is there any order for DISCARD and REJECT? Are there any other "more specific" issues with the actions OK, REJECT, DISCARD, DUNNO, etc.?

I think the order of the entries should be in increasing numeric order. Is that reasonable?

The man page example above could be stating either that an entry in the form of a complete IP (192.168.1.1) is more specific than a CIDR (192.168.0.0/16) address. Is that true?

Am I safe to create a CIDR table wherein it has two parts: first a whitelist part and then a blacklist part, where each of those two parts would first list all the exact IPs and then list all the CIDR patterns? Or is it sufficient to have first the whitelist then the blacklist with no further concern for the order within each part?

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
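Added illustration, not part of the post above: a small Python model of the lookup that cidr_table(5) performs (first matching line in file order wins; there is no longest-prefix matching), run over a constructed client.cidr that extends the man page example with a DUNNO line. It shows the /32 OK entry being shadowed when the /16 REJECT entry is placed first, which is why specific entries must precede the broader ones they overlap.

```python
import ipaddress

# Constructed sample in cidr_table(5) format (not a real site's file).
CLIENT_CIDR = """\
# Rule order matters. Put more specific whitelist entries
# before more general blacklist entries.
192.168.1.1      OK
192.168.0.0/16   REJECT
10.0.0.0/8       DUNNO
"""


def parse_cidr_table(text):
    """Return [(network, action)] in file order.

    A bare address (no /prefix) is treated as a single host, i.e. /32 for IPv4
    and /128 for IPv6, as Postfix does. Comment lines start with '#'.
    Simplification: continuation lines and '!' negation are not handled.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        rules.append((ipaddress.ip_network(pattern, strict=False), action.strip()))
    return rules


def lookup(rules, client_ip):
    """First rule whose network contains client_ip wins; None if nothing matches."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if addr.version == net.version and addr in net:
            return action
    return None


def demonstrate():
    """Compare the man page order with the two overlapping entries swapped."""
    rules = parse_cidr_table(CLIENT_CIDR)
    swapped = [rules[1], rules[0]] + rules[2:]  # /16 REJECT now before /32 OK
    return {
        "specific_first": lookup(rules, "192.168.1.1"),    # OK
        "general_first": lookup(swapped, "192.168.1.1"),   # REJECT: /16 shadows the /32
        "other_host": lookup(rules, "192.168.5.5"),        # REJECT
        "dunno_range": lookup(rules, "10.1.2.3"),          # DUNNO
        "unmatched": lookup(rules, "203.0.113.9"),         # None
    }


if __name__ == "__main__":
    for name, result in demonstrate().items():
        print(f"{name}: {result}")
```

Numeric sorting of the entries is irrelevant to the result; only the relative order of entries whose ranges overlap with different actions matters.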