Date:      Sun, 26 Jun 2005 06:18:37 +0300
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        Alex Zbyslaw <xfb52@dial.pipex.com>
Cc:        Paul Schmehl <pauls@utdallas.edu>, freebsd-questions@freebsd.org
Subject:   Re: firewall on FreeBSD
Message-ID:  <20050626031837.GB3020@gothmog.gr>
In-Reply-To: <42BDEB5E.5030003@dial.pipex.com>
References:  <MIEPLLIBMLEEABPDBIEGMEIMHHAA.fbsd_user@a1poweruser.com> <200506241731.13651.martin@orbweavers.co.uk> <08A3A012657D73D10A220154@Paul-Schmehls-Computer.local> <20050625064224.GB4460@masterpost> <1585990126FE46C02925C321@Paul-Schmehls-Computer.local> <42BDEB5E.5030003@dial.pipex.com>

On 2005-06-26 00:40, Alex Zbyslaw <xfb52@dial.pipex.com> wrote:
> Paul Schmehl wrote:
> >pf on freebsd does support the "quick" keyword.  The "default"
> >firewall, ipfw, does not.
>
> This makes no sense to me.  The two firewalls work very differently.
>
> In pf, each rule is always processed on every packet and the last rule
> matching determines the action.  "quick" terminates the rule matching
> and forces the "quick" rule to be, in effect, the final rule (assuming
> the packet matched it).
>
> ipfw does not match every rule for every packet, rather it processes
> down the rules until the packet matches one with a terminating action
> such as "accept" or "deny".  No "quick" keyword is needed.

You describe very nicely the way rules are matched by two of the three
different firewalls available on FreeBSD.  The description, being very
correct, *does* make sense.

Why do you say that ``This makes no sense to you''?
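
The two evaluation orders discussed in this thread, as an added example that is not part of the original e-mail and is not pf or ipfw code: a toy Python model showing that the same ordered rule list can give opposite verdicts under last-match (pf) and first-match (ipfw) evaluation. The `Rule` class, the port-only matching and the default verdicts are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    port: Optional[int] = None  # None matches any port (toy matcher)
    quick: bool = False         # only consulted by the pf model

    def matches(self, port: int) -> bool:
        return self.port is None or self.port == port


def pf_eval(rules: List[Rule], port: int, default: str = "pass") -> str:
    """pf model: every rule is tried, the last match wins, and a
    matching rule marked quick ends evaluation immediately."""
    verdict = default  # assumption: nothing matched means pass
    for rule in rules:
        if rule.matches(port):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


def ipfw_eval(rules: List[Rule], port: int, default: str = "block") -> str:
    """ipfw model: the first matching rule with a terminating action
    decides, so later rules are never consulted."""
    for rule in rules:
        if rule.matches(port):
            return rule.action
    return default  # assumption: the final default rule denies


# Constructed rule list: a broad block followed by a narrow allow.
BLOCK_THEN_ALLOW = [Rule("block"), Rule("pass", port=22)]
# The same list with the broad block marked quick (pf model only).
QUICK_BLOCK = [Rule("block", quick=True), Rule("pass", port=22)]
# The reverse order: narrow allow first, broad block last.
ALLOW_THEN_BLOCK = [Rule("pass", port=22), Rule("block")]

if __name__ == "__main__":
    for name, rules in [("block,allow22", BLOCK_THEN_ALLOW),
                        ("quick-block,allow22", QUICK_BLOCK),
                        ("allow22,block", ALLOW_THEN_BLOCK)]:
        print(name, "pf:", pf_eval(rules, 22), "ipfw:", ipfw_eval(rules, 22))
```

A rule list copied between the two firewalls without reordering can therefore silently open or close a port, which is worth checking when migrating a ruleset.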



