
Re: First Matching Rule vs. Last Matching Rule



Alex X. Liu wrote:
Could anyone explain why OpenBSD Packet Filter choose the last matching
rule for each packet? Is there any benefit over choosing the first
matching rule for each packet?

My understanding is that choosing the last matching rule has only
disadvantages compared to choosing the first rule.

First, in terms of effectiveness, choosing the last matching rule is the
same as choosing the first rule. They are symmetric in resolving conflicts
among rules.

Second, in terms of efficiency, choosing the last matching rule is worse
than choosing the first rule because for each packet, the firewall that
chooses the last matching rule needs to go through all the rules, while
the firewall that chooses the first matching rule only needs to go
through the rules from the first rule to the first matching rule.

Did I miss any advantage of choosing the last matching rule?

One obvious advantage is the ability to close up everything first and then puncture some holes that you need. I.e., you put something like ``block in all'' at the top, and then insert allow rules after that. This is (if you ask me) the way security should be approached: first make sure it is closed, then open the things you really need. I don't know if this is the rationale behind the way it works now, but it is an advantage if you ask me :)

If efficiency is really a problem (which I do not see from your email...
are you really running into it?), you can still use the keyword
``quick'' to make pf skip evaluating the rest of the rules.

I hope this (at least partially) answers your question.

kind regards,

Matthijs Bomhoff
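The semantics discussed in this thread, as an added example that is not part of the original messages and not pf's own code: a small Python evaluator that walks one ordered ruleset three ways (pf-style last match, pf-style last match with a ``quick`` rule, and first match) and reports both the decision and how many rules were examined, which is the efficiency point Alex raises. The ruleset follows the "block in all, then punch holes" layout Matthijs describes; the rules, addresses (documentation ranges) and packets are all constructed for the example. Only direction, protocol, CIDR addresses and destination port are modelled. pf passes a packet that matches no rule at all; the toy uses the same default for the first-match strategy so the two are compared on equal terms.

```python
"""Toy evaluator for pf-style "last matching rule wins" semantics.

Added example, not pf code. Compares, over one ordered ruleset:
  * pf last-match : the last matching rule decides, unless a matching
                    rule carries quick, which ends evaluation at once
  * first-match   : the first matching rule decides (most other firewalls)
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" or "out"
    proto: str                # "tcp", "udp", "icmp"
    src: str                  # source IPv4 address
    dst: str                  # destination IPv4 address
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    direction: Optional[str] = None   # None means "any"
    proto: Optional[str] = None
    src: Optional[str] = None         # CIDR, None means "any"
    dst: Optional[str] = None
    dport: Optional[int] = None
    quick: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules, pkt, last_match=True):
    """Return (decision, rules_examined) for one packet.

    last_match=True  : pf behaviour. Walk the whole list and remember the
                       last match; a matching rule with quick ends the walk.
    last_match=False : first-match behaviour. Stop at the first match.
    A packet matching no rule is passed (pf's default).
    """
    decision = "pass"
    examined = 0
    for rule in rules:
        examined += 1
        if not rule.matches(pkt):
            continue
        decision = rule.action
        if not last_match or rule.quick:
            break
    return decision, examined


# Constructed ruleset in pf.conf order: close everything, then punch holes.
# The quick rule late in the list shows quick overriding "last match wins".
RULES = [
    Rule("block", "in"),                                          # block in all
    Rule("pass", "in", "tcp", dst="192.0.2.10/32", dport=22),     # pass in proto tcp ... port 22
    Rule("pass", "in", "tcp", dst="192.0.2.10/32", dport=80),     # pass in proto tcp ... port 80
    Rule("block", "in", src="198.51.100.0/24", quick=True),       # block in quick from 198.51.100.0/24
    Rule("pass", "in", "tcp", dst="192.0.2.10/32", dport=443),    # pass in proto tcp ... port 443
]

# Constructed sample packets (documentation address ranges, not real traffic).
PACKETS = {
    "ssh from trusted host": Packet("in", "tcp", "203.0.113.7", "192.0.2.10", 22),
    "https from blocked net": Packet("in", "tcp", "198.51.100.5", "192.0.2.10", 443),
    "udp 53 from anywhere": Packet("in", "udp", "203.0.113.7", "192.0.2.10", 53),
    "outbound reply": Packet("out", "tcp", "192.0.2.10", "203.0.113.7", 40000),
}


def compare(rules=RULES, packets=PACKETS):
    """Decision and rules walked under both strategies, keyed by packet name."""
    return {
        name: {
            "pf_last_match": evaluate(rules, pkt, last_match=True),
            "first_match": evaluate(rules, pkt, last_match=False),
        }
        for name, pkt in packets.items()
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:24s} pf: {result['pf_last_match']}  "
              f"first-match: {result['first_match']}")
```

Running it shows the two points made in the thread side by side. The SSH packet is passed by pf (the port-22 hole after ``block in all`` is the last match) but blocked by a first-match firewall reading the same list, so the same rule order does not mean the same policy. The HTTPS packet from 198.51.100.0/24 would have been passed by the later port-443 rule, but the quick block rule ends evaluation at rule 4, which is also where the rule count stops growing; without quick, pf walks all five rules for every inbound packet, which is the cost Alex describes and the cost ``quick`` lets you avoid where it matters.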