I understand that rules are executed from top to bottom.
That is why "block" rules come after "allow" rules.
One thing is hard to grasp for me and I can't find the answer on the internet or on this forum (or maybe the answer is there, but I don't see it):
When I add a rule to the firewall for something to pass, let's say this simple rule:
- LAN segment pass all DNS (53).
And AFTER that:
- Specific host (but IN the LAN segment above) block DNS (53)
Will the second rule be effective? In my tests it is effective, so there's my answer. But shouldn't the rule execution STOP after the first rule (because it matched)... Am I missing something?
edit: typo
...screenshot of rule set...
... how did you check which rule worked?
Quote from: chemlud on January 21, 2019, 10:56:41 AM
...screenshot of rule set...
... how did you check which rule worked?
Okay. Yesterday I thought I had tested this thoroughly.
Did it again, to make screenshots.
Turns out I was wrong. The rule execution stops after the first 'hit'.
I don't know what happened yesterday...
Also found this (https://www.netgate.com/docs/pfsense/firewall/firewall-rule-processing-order.html) which explains it very well and applies to this.
Quote: Longer Version
More accurately, the following order (still simplified) is found in the ruleset (Check /tmp/rules.debug):
Outbound NAT rules
Inbound NAT rules such as Port Forwards (including rdr pass and UPnP)
NAT rules for the Load Balancing daemon (relayd)
Rules dynamically received from RADIUS for IPsec and OpenVPN clients
Internal automatic rules (pass and block for various items like lockout, snort, DHCP, etc.)
User-defined rules:
Rules defined on the floating tab
Rules defined on interface group tabs (Including IPsec and OpenVPN)
Rules defined on interface tabs (WAN, LAN, OPTx, etc)
Automatic VPN rules
My confusion was from the fact that a NAT rule is processed before a User Defined Rule.
Makes sense now.
Thanks for replying.
This can be closed.
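The behaviour the thread settles on (evaluation stops at the first matching rule, so a specific block placed after a broader pass never fires) can be reproduced with a small first-match evaluator. This is an added illustration, not firewall code or anything from the forum posts; the LAN segment, host address and default-deny are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of first-match ("quick") rule evaluation, as interface
# rules in pfSense/OPNsense behave. Not the firewall's own code.


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    src: str      # source network in CIDR notation
    dport: int    # destination port, 53 for DNS
    label: str = ""


def matches(rule: Rule, src_ip: str, dport: int) -> bool:
    return ip_address(src_ip) in ip_network(rule.src) and rule.dport == dport


def evaluate(rules, src_ip: str, dport: int, default: str = "block"):
    """Return (action, rule) for the FIRST matching rule.

    Processing stops at the first hit, so rules further down never see
    the packet. With no match, the assumed default-deny applies.
    """
    for rule in rules:
        if matches(rule, src_ip, dport):
            return rule.action, rule
    return default, None


LAN = "192.168.1.0/24"     # constructed sample LAN segment
HOST = "192.168.1.50/32"   # constructed sample host inside that LAN

# Ordering from the original question: broad pass first, then the block.
as_posted = [
    Rule("pass", LAN, 53, "LAN pass all DNS"),
    Rule("block", HOST, 53, "host block DNS"),
]

# Working ordering: the more specific block has to come before the pass.
corrected = [
    Rule("block", HOST, 53, "host block DNS"),
    Rule("pass", LAN, 53, "LAN pass all DNS"),
]

if __name__ == "__main__":
    for name, rules in (("as posted", as_posted), ("corrected", corrected)):
        for ip in ("192.168.1.50", "192.168.1.20"):
            action, rule = evaluate(rules, ip, 53)
            hit = rule.label if rule else "default deny"
            print(f"{name}: {ip}:53 -> {action} ({hit})")
```

Running it shows the blocked host still getting "pass" in the as-posted order and "block" only once the block rule is moved above the pass.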
Marked as solved, thanks for the feedback. :)