AlphaObeisance
Active Member
I guess I don't understand why you need the drops for the specific IP addresses when you follow it immediately with a drop for all traffic. Aren't these rules processed sequentially?
TIA
You're not wrong. But I like to maintain explicit control over things. Listing specific IP addresses before the general rule makes it clear that traffic from those IP addresses is being explicitly denied. Improves readability of the ruleset and makes it easier to manage.
Performance considerations. Packet filtering frameworks are generally pretty good, but specifying rules for specific IP addresses before the gen rule may improve performance slightly, if any.
Future proofing, because if you plan to add more rules or change the behaviors in the future, having specific drops listed separately allows for more granular adjustments without needing to rewrite or rearrange the rules.
Then again, I might just be an OCD nutjob lol