A firewall on the Internet typically consists of hundreds or thousands of rules. For simplicity, the firewall example in Figure 2.1 has only four rules. Although this firewall is small, it exhibits all three of the following problems. (1) Consistency Problem: It is difficult to order the rules in a firewall correctly. This difficulty comes mainly from conflicts among rules: two rules conflict when some packet matches both of them and their decisions differ. Because rules often conflict, the order of the rules in a firewall is critical, since the decision for every packet is the decision of the first rule that the packet matches. In the firewall example in Figure 2.1, rules r1 and r2 conflict, because SMTP packets from previously known malicious hosts to the mail server match both rules while the decisions of r1 and r2 differ. Because r1 is listed before r2 and the decision of r1 is "accept", SMTP packets from previously known malicious hosts are allowed to proceed to the mail server. Such packets probably should be prohibited from reaching the mail server, however, because they originate from malicious hosts. Therefore, rules r1 and r2 probably should be swapped.
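The following added example (not code from the original text or from Figure 2.1) makes the first-match semantics and the r1/r2 conflict concrete. It evaluates a packet against an ordered rule list, and it detects conflicting pairs: an earlier rule that overlaps a later rule but carries a different decision, so that the earlier rule shadows the later one for the shared packets. The mail-server address, the malicious address range, the catch-all rule r3 and the packet are assumptions constructed for the illustration; only the relationship between r1 (accept SMTP to the mail server) and r2 (discard traffic from malicious hosts) is taken from the text.

```python
# Added example: first-match evaluation and conflict detection for a small firewall.
# The addresses, the rule r3 and the packet below are constructed for illustration;
# only the r1/r2 relationship mirrors the text.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network   # source address range
    dst: IPv4Network   # destination address range
    dport: range       # destination port interval, half-open
    decision: str      # "accept" or "discard"

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        """True if the packet (src_ip, dst_ip, dport) falls in this rule's predicate."""
        return (ip_address(src_ip) in self.src
                and ip_address(dst_ip) in self.dst
                and dport in self.dport)

    def overlaps(self, other: "Rule") -> bool:
        """True if at least one packet matches both rules (intervals intersect in every field)."""
        ports_intersect = (max(self.dport.start, other.dport.start)
                           < min(self.dport.stop, other.dport.stop))
        return (self.src.overlaps(other.src)
                and self.dst.overlaps(other.dst)
                and ports_intersect)


ANY = IPv4Network("0.0.0.0/0")
MAIL_SERVER = IPv4Network("192.0.2.25/32")        # assumed address of the mail server
MALICIOUS = IPv4Network("198.51.100.0/24")        # assumed range of known malicious hosts

R1 = Rule("r1", ANY, MAIL_SERVER, range(25, 26), "accept")       # SMTP to the mail server
R2 = Rule("r2", MALICIOUS, ANY, range(0, 65536), "discard")      # anything from malicious hosts
R3 = Rule("r3", ANY, ANY, range(0, 65536), "discard")            # assumed catch-all default

AS_LISTED = [R1, R2, R3]   # order as in the text: r1 shadows r2
SWAPPED = [R2, R1, R3]     # the order the text recommends


def decide(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> Optional[str]:
    """First-match semantics: the decision is that of the first rule the packet matches."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.decision
    return None   # no rule matched; a real firewall ends with a default rule so this never happens


def conflicts(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Pairs (earlier, later) whose predicates overlap but whose decisions differ.

    For the packets in the overlap, the earlier rule wins, so the later rule's
    decision never applies to them. Whether that is intended needs a human judgement.
    """
    found = []
    for i, earlier in enumerate(rules):
        for later in rules[i + 1:]:
            if earlier.decision != later.decision and earlier.overlaps(later):
                found.append((earlier.name, later.name))
    return found


# Constructed SMTP packet from a malicious host to the mail server.
MALICIOUS_SMTP = ("198.51.100.7", "192.0.2.25", 25)
# Constructed SMTP packet from an ordinary host to the mail server.
BENIGN_SMTP = ("203.0.113.5", "192.0.2.25", 25)

if __name__ == "__main__":
    print("as listed:", decide(AS_LISTED, *MALICIOUS_SMTP))   # accept (the problem in the text)
    print("swapped:  ", decide(SWAPPED, *MALICIOUS_SMTP))     # discard
    print("benign:   ", decide(SWAPPED, *BENIGN_SMTP))        # accept, still reaches the mail server
    print("conflicts:", conflicts(AS_LISTED))
```

Running `conflicts` over the listed order reports both (r1, r2) and (r1, r3); the second pair is the benign, expected case of a specific accept rule preceding a catch-all discard, which is why conflict detection flags candidates for review rather than errors.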