The consistency problem and the completeness problem cause firewall errors. An error in a firewall means that the firewall either accepts some malicious packets, which consequently creates security holes on the firewall, or discards some legitimate packets, which consequently disrupts normal businesses. Given the importance of firewalls, such errors are not acceptable. Unfortunately, it has been observed that most firewalls on the Internet are poorly designed and have many errors in their rules [Wool (2004)]. The compactness problem causes low firewall performance. In general, the smaller the number of rules that a firewall has, the faster the firewall can map a packet to the decision of the first rule the packet matches. Reducing the number of rules is especially useful for the firewalls that use TCAM (Ternary Content Addressable Memory). Such firewalls use O(n) space (where n is the number of rules) and constant time in mapping a packet to a decision. Despite the high performance of such TCAM-based firewalls, TCAM has very limited size and consumes much more power as the number of rules increases. Size limitation and power consumption are the two major issues for TCAM-based firewalls.