From owner-freebsd-questions@FreeBSD.ORG  Sun Jun 26 03:18:44 2005
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6867816A41C
	for <freebsd-questions@freebsd.org>;
	Sun, 26 Jun 2005 03:18:44 +0000 (GMT)
	(envelope-from keramida@ceid.upatras.gr)
Received: from kane.otenet.gr (kane.otenet.gr [195.170.0.95])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C68F343D48
	for <freebsd-questions@freebsd.org>;
	Sun, 26 Jun 2005 03:18:43 +0000 (GMT)
	(envelope-from keramida@ceid.upatras.gr)
Received: from gothmog.gr (patr530-a070.otenet.gr [212.205.215.70])
	by kane.otenet.gr (8.13.4/8.13.4/Debian-1) with ESMTP id j5Q3Ict9009915;
	Sun, 26 Jun 2005 06:18:39 +0300
Received: from gothmog.gr (gothmog [127.0.0.1])
	by gothmog.gr (8.13.4/8.13.4) with ESMTP id j5Q3IbX8003188;
	Sun, 26 Jun 2005 06:18:37 +0300 (EEST)
	(envelope-from keramida@ceid.upatras.gr)
Received: (from giorgos@localhost)
	by gothmog.gr (8.13.4/8.13.4/Submit) id j5Q3IbR4003187;
	Sun, 26 Jun 2005 06:18:37 +0300 (EEST)
	(envelope-from keramida@ceid.upatras.gr)
Date: Sun, 26 Jun 2005 06:18:37 +0300
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Alex Zbyslaw <xfb52@dial.pipex.com>
Message-ID: <20050626031837.GB3020@gothmog.gr>
References: <MIEPLLIBMLEEABPDBIEGMEIMHHAA.fbsd_user@a1poweruser.com>
	<200506241731.13651.martin@orbweavers.co.uk>
	<08A3A012657D73D10A220154@Paul-Schmehls-Computer.local>
	<20050625064224.GB4460@masterpost>
	<1585990126FE46C02925C321@Paul-Schmehls-Computer.local>
	<42BDEB5E.5030003@dial.pipex.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <42BDEB5E.5030003@dial.pipex.com>
Cc: Paul Schmehl <pauls@utdallas.edu>, freebsd-questions@freebsd.org
Subject: Re: firewall on FreeBSD
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Jun 2005 03:18:44 -0000

On 2005-06-26 00:40, Alex Zbyslaw <xfb52@dial.pipex.com> wrote:
> Paul Schmehl wrote:
> >pf on freebsd does support the "quick" keyword.  The "default"
> >firewall, ipfw, does not.
>
> This makes no sense to me.  The two firewalls work very differently.
>
> In pf, each rule is always processed on every packet and the last rule
> matching determines the action.  "quick" terminates the rule matching
> and forces the "quick" rule to be, in effect, the final rule (assuming
> the packet matched it).
>
> ipfw does not match every rule for every packet, rather is processes
> down the rules until the packet matches one with a terminating action
> such as "accept" or "deny".  No "quick" keyword is needed.

You describe very nicely the way rules are matched by two of the three
different firewalls available on FreeBSD.  The description, being very
correct, *does* make sense.

Why do you say that ``This makes no sense to you''?