[SOLVED] Rules priorities

Started by remd, August 21, 2017, 11:04:09 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
August 21, 2017, 11:04:09 AM Last Edit: August 21, 2017, 06:00:48 PM by franco
Regarding Firewall rules Priorities, floating rules seem to be prioritised over Interface rules.

How about group interface rules, are those checked before or after the interface rule ?

Thx!

August 21, 2017, 11:13:23 AM #1
Before.

Floating -> Group -> Interface
August 21, 2017, 04:26:00 PM #2
ok, Thanks!
August 23, 2017, 03:30:02 PM #3
Does the "quick" floating rule have any effect on this rule prioritisation ?
August 23, 2017, 05:24:22 PM #4
Yes, non-quick floating rule will evaluate last or yield to another quick rule. All interface rules are quick by default.
August 23, 2017, 10:15:42 PM #5
is the "quick" vs "non-quick" rule only evaluated within floating rules, or does this also mean that non-quick floating rules are evaluated after interface(quick) rules, even-though floating rules are usually evaluated before interface rules ?

Also since "quick" floating rules are not taken in consideration in the last version, I guess floating rules are evaluated in order (if patched or "quick" is disabled because of the issue) ?

lastly is the "quick" float rule supposed to come back in the next update ?

Thanks for the clarification, its very helpful as I'm currently setting up all rules..



August 24, 2017, 08:15:11 AM #6
The general rule from pf(4) via the manual page[1]:

"For each packet processed by the packet filter, the filter rules are evaluated in sequential order, from first to last. The last matching rule decides what action is taken. If no rule matches the packet, the default action is to pass the packet."

... and ...

"If a   packet matches a rule which has   the quick option set, this rule is considered the last matching rule, and evaluation of subsequent rules is skipped."

Imposed on top is our floating - group - interface ordering. The underlying logic of pf(4) applies as if floating - group - interface ordering does not exist. To pf(4) it is a single set of rules of a particular ordering it needs to adhere to, but will act according to quick / non-quick.

Quotelastly is the "quick" float rule supposed to come back in the next update ?

From the patch notes of 17.7[2]:

Quoteo A regression in floating rules in 17.7 does not honour the non-quick setting[5]. Run "opnsense-patch f25d8b" from the command line to correct this problem.

The behaviour will be restored in 17.7.1


Cheers,
Franco

[1] https://www.freebsd.org/cgi/man.cgi?query=pf.conf&sektion=5
[2] https://forum.opnsense.org/index.php?topic=5604.0
August 25, 2017, 03:27:01 PM #7
"Imposed on top is our floating - group - interface ordering. The underlying logic of pf(4) applies as if floating - group - interface ordering does not exist. To pf(4) it is a single set of rules of a particular ordering it needs to adhere to, but will act according to quick / non-quick."
So if I understand this correctly, the interface rules will be taken in consideration first, since they are "quick" by default, unless the floating rule is set as "quick", which doesnt work at the moment .. ?
August 25, 2017, 03:30:18 PM #8
Yes, quick will match before non-quick. Floating rules non-quick doesn't work on 17.7 because it writes as quick, unless you patch it.

If you have a floating quick rule it will hit before the interface rule.


Cheers,
Franco
Print
Go Up Pages1
User actions