Author Topic: Firewall rules' exact processing orders (Read 684 times)

efly · « **on:** September 06, 2022, 12:52:13 am »

Hi everyone, I want to make sure I have the correct understanding of the ordering of the firewall rules.

Suppose I initiate a connection from an IP in LAN to an IP in VLAN1, are the rules checked in this order:
1. Floating rules that have direction "in" (If it has a "Quick + Pass" rule, jump to 4. If it has a "Quick + Block/Reject", block connection.)
2. LAN's interface groups' rules that have direction "in" (if it has a "Quick + Pass" rule, jump to 4. If it has a "Quick + Block/Reject", block connection.)
3. LAN rules that have direction "in" (if it has a "Quick + Pass" rule, jump to 4. If it has a "Quick + Block/Reject", block connection. Otherwise use the last relevant rule from 1+2+3. If no relevant rule from 1+2+3, block connection.)
4. Floating rules that have direction "out" (if it has a "Quick + Pass" rule, allow connection. If it has a "Quick + Block/Reject", block connection.)
5. VLAN1's interface groups' rules that have direction "out" (if it has a "Quick + Pass" rule, allow connection. If it has a "Quick + Block/Reject", block connection.)
6. VLAN1 rules that have direction "out" (if it has a "Quick + Pass" rule, allow connection. If it has a "Quick + Block/Reject", block connection. Otherwise use the last relevant rule from 4+5+6. If no relevant rule from 4+5+6, block connection.)

Is this correct? Thanks!

franco · « **Reply #1 on:** September 06, 2022, 01:38:29 pm »

Documentation entry is here: https://docs.opnsense.org/manual/firewall.html?highlight=order#processing-order

Cheers,
Franco

Author Topic: Firewall rules' exact processing orders (Read 684 times)

efly

Firewall rules' exact processing orders

franco

Re: Firewall rules' exact processing orders