I've seen some mention that one should avoid using "quick" in complex rulesets, but I'm not sure why. I suspect there is some rule of thumb that I'm missing?
As it happens, almost all of my rules in complex setups are "quick", because first-match rules seem so much more intuitive to me. The main exception is for tagging type rules such as for NAT, shaping, etc., and the initial "block all", but pretty much every other ACL type rule is "quick". On the other hand, why is pf last-match by default? Perhaps my own intuition is contrary to pf design? Would love to hear thoughts from someone with lots of experience designing complex rulesets. For example, five or more interfaces with multiple DMZs, internal networks, Inet, transparent proxy, shaping, etc. When would you avoid using "quick" and why?

-- Michael Glasgow <[email protected]>

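To make the semantics the question turns on concrete, here is an added toy model of pf rule evaluation (illustration only, not pf source and not from the poster): last matching rule wins, unless a matching rule carries `quick`, which ends evaluation at once. The rule syntax is a simplified subset (exact host match, no CIDR, no state), and the interface names, addresses (from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges) and rule labels are constructed for the example. It shows the pitfall the poster is asking about: a `quick` pass placed before a more specific block shadows it, whereas in last-match style the later, more specific rule wins regardless of order.

```python
"""Toy model of pf's rule-matching semantics.

Added example, not pf code. Models two facts about pf:
  * without "quick", the LAST matching rule decides the packet;
  * a matching "quick" rule decides immediately; later rules are not consulted;
  * if no rule matches, pf passes the packet.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    quick: bool = False
    iface: Optional[str] = None  # None or "any" matches anything
    proto: Optional[str] = None
    src: Optional[str] = None    # exact host only (CIDR omitted in this toy)
    dst: Optional[str] = None
    dport: Optional[int] = None
    label: str = ""

    def matches(self, p: Packet) -> bool:
        for want, have in ((self.iface, p.iface), (self.proto, p.proto),
                           (self.src, p.src), (self.dst, p.dst),
                           (self.dport, p.dport)):
            if want is not None and want != "any" and want != have:
                return False
        return True


def evaluate(ruleset: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, label) of the rule that decides pkt under pf semantics."""
    decided: Optional[Rule] = None
    for rule in ruleset:
        if not rule.matches(pkt):
            continue
        decided = rule          # last match so far
        if rule.quick:
            break               # quick: stop here, later rules are ignored
    if decided is None:
        return ("pass", "default")   # pf passes when nothing matches
    return (decided.action, decided.label)


# Constructed rulesets. "em0" is the external interface, 10.0.1.5 a DMZ web
# server, 192.0.2.7 a host we want blocked from everything.
LAST_MATCH = [
    Rule("block", label="block all"),
    Rule("pass", iface="em0", proto="tcp", dst="10.0.1.5", dport=443,
         label="allow https to dmz web"),
    Rule("block", iface="em0", src="192.0.2.7", label="blacklist host"),
]

# Same intent written with "quick", in the order one might write it first.
# The quick pass fires before the blacklist rule is ever consulted.
QUICK_MISORDERED = [
    Rule("block", label="block all"),
    Rule("pass", quick=True, iface="em0", proto="tcp", dst="10.0.1.5",
         dport=443, label="allow https to dmz web"),
    Rule("block", quick=True, iface="em0", src="192.0.2.7",
         label="blacklist host"),
]

# With "quick", the more specific block must come first to take effect.
QUICK_ORDERED = [
    Rule("block", label="block all"),
    Rule("block", quick=True, iface="em0", src="192.0.2.7",
         label="blacklist host"),
    Rule("pass", quick=True, iface="em0", proto="tcp", dst="10.0.1.5",
         dport=443, label="allow https to dmz web"),
]

BAD_HOST = Packet("em0", "tcp", "192.0.2.7", "10.0.1.5", 443)
GOOD_HOST = Packet("em0", "tcp", "198.51.100.4", "10.0.1.5", 443)


if __name__ == "__main__":
    for name, rs in (("last-match", LAST_MATCH),
                     ("quick (misordered)", QUICK_MISORDERED),
                     ("quick (ordered)", QUICK_ORDERED)):
        print(f"{name:20} bad host -> {evaluate(rs, BAD_HOST)}")
        print(f"{name:20} good host -> {evaluate(rs, GOOD_HOST)}")
```

The point the model makes: in last-match style the blacklist rule wins because it is listed later, no matter where the pass sits; once every rule is `quick`, the ruleset becomes order-sensitive and an early broad pass silently disables a later narrow block. That is the kind of surprise people have in mind when they warn against `quick` in large rulesets, and it is why a common compromise is to keep `quick` for early, explicit blocks and let the remaining rules resolve by last match.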