On 2010-03-03 Robert Lopez wrote:
> Man for CIDR_TABLE(5) says:
>
> "    /etc/postfix/client.cidr:
>         # Rule order matters. Put more specific whitelist entries
>         # before more general blacklist entries.
>         192.168.1.1             OK
>         192.168.0.0/16          REJECT
> "
>
> I have been google-ing for information on order in a CIDR table to
> help me understand exactly just what the above says.
>
> "Rule order matters." states this is important to understand.
>
> The point that whitelist (OK) should occur before blacklist (REJECT)
> is clear.
You're mistaken about this. "Rule order matters" simply means that the
rules are evaluated top-to-bottom and the first match wins. It doesn't
matter if the action is OK, REJECT, DISCARD, or some other terminal
action. Example:

  192.168.1.1      OK
  192.168.0.0/16   REJECT

will allow 192.168.1.1, but reject everything else with an address from
192.168.0.0/16 (whitelist).

  192.168.1.1      REJECT
  192.168.0.0/16   OK

will reject 192.168.1.1, but allow everything else with an address from
192.168.0.0/16 (blacklist).

If you'd put the more general rules first, they'd match first, and your
more specific rules would never be evaluated.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time
learning."
--Joel Spolsky
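The first-match-wins evaluation described in the reply above, as an added example that is not part of the thread and not Postfix's own code. It models only the subset of cidr_table(5) shown on the page (one "pattern result" per line, "#" comment lines, a bare address meaning a single host) and goes one step beyond the text: besides evaluating the three orderings discussed, it flags rules that an earlier, more general rule shadows, which is the mistake the reply warns about. The table contents, the helper names and the test addresses are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed tables. The first two are the orderings from the reply; the
# third puts the general rule first, so its second line can never match.
WHITELIST_ORDER = """
# specific OK before general REJECT
192.168.1.1             OK
192.168.0.0/16          REJECT
"""

BLACKLIST_ORDER = """
192.168.1.1             REJECT
192.168.0.0/16          OK
"""

GENERAL_FIRST = """
192.168.0.0/16          REJECT
192.168.1.1             OK
"""


def parse_cidr_table(text: str) -> List[Tuple[ipaddress.ip_network, str]]:
    """Parse the cidr_table(5) subset used in the thread.

    Blank lines and lines starting with '#' are skipped; every other line is
    'pattern result'.  A bare address becomes a /32 (or /128) network.
    Assumption: host bits set in a pattern are masked off (strict=False)
    rather than rejected; continuation lines are not supported here.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        rules.append((ipaddress.ip_network(pattern, strict=False), action.strip()))
    return rules


def lookup(rules, address: str) -> Optional[str]:
    """Evaluate rules top-to-bottom; the first network containing the
    address decides, and None means no rule matched."""
    ip = ipaddress.ip_address(address)
    for net, action in rules:
        if ip.version == net.version and ip in net:
            return action
    return None


def shadowed_rules(rules) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule's
    network already contains their whole network."""
    shadowed = []
    for i, (net, _) in enumerate(rules):
        for earlier, _ in rules[:i]:
            if net.version == earlier.version and net.subnet_of(earlier):
                shadowed.append(i)
                break
    return shadowed


def evaluate(text: str, address: str) -> Optional[str]:
    """Convenience wrapper: parse a table and look one address up."""
    return lookup(parse_cidr_table(text), address)


if __name__ == "__main__":
    for name, table in (("whitelist", WHITELIST_ORDER),
                        ("blacklist", BLACKLIST_ORDER),
                        ("general-first", GENERAL_FIRST)):
        rules = parse_cidr_table(table)
        for addr in ("192.168.1.1", "192.168.2.7", "10.0.0.1"):
            print(f"{name:13s} {addr:12s} -> {lookup(rules, addr)}")
        for idx in shadowed_rules(rules):
            print(f"{name:13s} rule {idx + 1} ({rules[idx][0]}) is never evaluated")
```

Running the shadowed-rule check over a real client.cidr before reloading Postfix catches exactly the ordering error the reply describes; the action strings are treated as opaque, so the check is the same whether the shadowed rule says OK, REJECT or DISCARD.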