first match vs last match ruleset design (pf vs iptables)
I'm just starting my research into pf, but I have quite a bit of experience with Linux iptables. With iptables the ruleset is a first-match design: upon finding a packet that matches a rule, the list is exited and the packet is acted upon. From my reading, with pf it appears to be the opposite.
I'm wondering if anyone can explain the idea behind this; it seems backwards to me. Or has anyone else gone through the transition between one design and the other and got any advice on how to change my way of thinking?
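To make the two evaluation models concrete, here is a small added simulation (not from the poster or from either project) that runs the same toy ruleset under first-match semantics (iptables) and last-match semantics (pf, including pf's `quick` keyword, which stops evaluation at a matching rule). The rule syntax, the packets and the default policies are constructed for the example; the pass/block outcomes are what the two models produce for the classic "block everything, then allow SSH" ordering.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Packet = Dict[str, object]  # constructed packets: {"proto": ..., "dport": ...}


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    match: Callable[[Packet], bool]  # predicate over the packet
    quick: bool = False              # pf 'quick': stop evaluating at this rule if it matches


def first_match(rules: List[Rule], pkt: Packet, policy: str = "block") -> str:
    """iptables-style: the first matching rule decides; the chain policy applies otherwise."""
    for r in rules:
        if r.match(pkt):
            return r.action
    return policy


def last_match(rules: List[Rule], pkt: Packet, default: str = "pass") -> str:
    """pf-style: every rule is evaluated and the last match wins, unless a matching rule is 'quick'."""
    decision = default
    for r in rules:
        if r.match(pkt):
            decision = r.action
            if r.quick:
                break
    return decision


# The same ruleset written in the pf idiom: a blanket block first, then the exception.
RULES = [
    Rule("block", lambda p: True),
    Rule("pass", lambda p: p["proto"] == "tcp" and p["dport"] == 22),
]

# With 'quick' on the blanket block, pf behaves like iptables and the exception never applies.
RULES_QUICK = [
    Rule("block", lambda p: True, quick=True),
    Rule("pass", lambda p: p["proto"] == "tcp" and p["dport"] == 22),
]

SSH: Packet = {"proto": "tcp", "dport": 22}     # constructed sample packet
HTTP: Packet = {"proto": "tcp", "dport": 80}    # constructed sample packet


def compare(rules: List[Rule], pkt: Packet) -> Dict[str, str]:
    """Return what each model decides for one packet, to show where the orderings diverge."""
    return {"first_match": first_match(rules, pkt), "last_match": last_match(rules, pkt)}
```

Under last-match the blanket block followed by the SSH exception passes SSH and blocks HTTP, which is the intended policy; under first-match the same ordering blocks both, so the exception would have to be listed before the blanket rule.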