1
General Discussion / Firewall rules' exact processing orders
« on: September 06, 2022, 12:52:13 am »
Hi everyone, I want to make sure I have the correct understanding of the ordering of the firewall rules.
Suppose I initiate a connection from an IP in LAN to an IP in VLAN1, are the rules checked in this order:
1. Floating rules that have direction "in" (If it has a "Quick + Pass" rule, jump to 4. If it has a "Quick + Block/Reject", block connection.)
2. LAN's interface groups' rules that have direction "in" (if it has a "Quick + Pass" rule, jump to 4. If it has a "Quick + Block/Reject", block connection.)
3. LAN rules that have direction "in" (if it has a "Quick + Pass" rule, jump to 4. If it has a "Quick + Block/Reject", block connection. Otherwise use the last relevant rule from 1+2+3. If no relevant rule from 1+2+3, block connection.)
4. Floating rules that have direction "out" (if it has a "Quick + Pass" rule, allow connection. If it has a "Quick + Block/Reject", block connection.)
5. VLAN1's interface groups' rules that have direction "out" (if it has a "Quick + Pass" rule, allow connection. If it has a "Quick + Block/Reject", block connection.)
6. VLAN1 rules that have direction "out" (if it has a "Quick + Pass" rule, allow connection. If it has a "Quick + Block/Reject", block connection. Otherwise use the last relevant rule from 4+5+6. If no relevant rule from 4+5+6, block connection.)
Is this correct? Thanks!
Suppose I initiate a connection from an IP in LAN to an IP in VLAN1, are the rules checked in this order:
1. Floating rules that have direction "in" (If it has a "Quick + Pass" rule, jump to 4. If it has a "Quick + Block/Reject", block connection.)
2. LAN's interface groups' rules that have direction "in" (if it has a "Quick + Pass" rule, jump to 4. If it has a "Quick + Block/Reject", block connection.)
3. LAN rules that have direction "in" (if it has a "Quick + Pass" rule, jump to 4. If it has a "Quick + Block/Reject", block connection. Otherwise use the last relevant rule from 1+2+3. If no relevant rule from 1+2+3, block connection.)
4. Floating rules that have direction "out" (if it has a "Quick + Pass" rule, allow connection. If it has a "Quick + Block/Reject", block connection.)
5. VLAN1's interface groups' rules that have direction "out" (if it has a "Quick + Pass" rule, allow connection. If it has a "Quick + Block/Reject", block connection.)
6. VLAN1 rules that have direction "out" (if it has a "Quick + Pass" rule, allow connection. If it has a "Quick + Block/Reject", block connection. Otherwise use the last relevant rule from 4+5+6. If no relevant rule from 4+5+6, block connection.)
Is this correct? Thanks!