From: Ollivier Robert
Message-Id: <199602022119.WAA23947@keltia.freenix.fr>
Subject: Re: ip_fw ordering of rules..
To: phk@critter.tfs.com (Poul-Henning Kamp)
Date: Fri, 2 Feb 1996 22:19:53 +0100 (MET)
Cc: nate@sri.MT.net, imb@scgt.oz.au, current@FreeBSD.org
In-Reply-To: <1196.823215159@critter.tfs.com> from "Poul-Henning Kamp" at "Feb 1, 96 11:52:39 pm"
X-Operating-System: FreeBSD 2.2-CURRENT ctm#1586
Sender: owner-current@FreeBSD.org

It seems that Poul-Henning Kamp said:
> It basically sorts so that the rule covering most addresses comes first.
>
> It doesn't look at deny/pass in that context, so if you say:

I'm coming a little bit late on the subject, but I think that we should
remove the sorting altogether. Sorting makes the software do things you
don't expect (as in Poul-Henning's example). In that respect, anyone using
ipfw can't afford the potential risk.

>     deny some specific port
>     allow the rest
>
> It will come out as:
>     allow everything
>     a deny rule never used.

Sorting access lists is *evil*.
--
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.frmug.fr.net
FreeBSD keltia.freenix.fr 2.2-CURRENT #1: Sun Jan 14 20:23:45 MET 1996
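
The reordering discussed in this message, as an added example that is not part of the original post and is not ipfw code: a first-match evaluator run over a rule list in the administrator's order and again after a "widest address range first" sort, plus a check that reports rules that can no longer fire. The `Rule` type, the function names and the sample networks are assumptions made for illustration; the deny rule is scoped to a narrower network so that an address-coverage sort moves it.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

class Rule(NamedTuple):          # hypothetical model, not ipfw's structures
    action: str                  # "deny" or "allow"
    net: str                     # source network, CIDR notation
    port: Optional[int]          # None matches any port

def covers(rule, src, port):
    """True if the rule matches a packet from src to the given port."""
    return ip_address(src) in ip_network(rule.net) and rule.port in (None, port)

def first_match(rules, src, port, default="deny"):
    """Return (action, index) of the first rule that matches the packet."""
    for i, rule in enumerate(rules):
        if covers(rule, src, port):
            return rule.action, i
    return default, None

def sort_widest_first(rules):
    """Reorder so the rule covering the most addresses comes first,
    ignoring the action, as the quoted description says."""
    return sorted(rules, key=lambda r: ip_network(r.net).num_addresses,
                  reverse=True)

def shadowed(rules):
    """Indexes of rules that never fire: an earlier rule already matches
    every packet they would match."""
    dead = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (ip_network(rule.net).subnet_of(ip_network(earlier.net))
                    and earlier.port in (None, rule.port)):
                dead.append(i)
                break
    return dead

# Constructed sample: "deny some specific port, allow the rest".
USER_ORDER = [Rule("deny", "192.0.2.0/24", 23),
              Rule("allow", "0.0.0.0/0", None)]
SORTED = sort_widest_first(USER_ORDER)

if __name__ == "__main__":
    for name, rules in (("as written", USER_ORDER), ("after sort", SORTED)):
        print(name, first_match(rules, "192.0.2.7", 23),
              "shadowed:", shadowed(rules))
```

Running the `shadowed` check over the list as the evaluator actually sees it, rather than as it was typed, is what exposes the dead deny rule.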