[SOLVED] Rules priorities

[remd]

Regarding Firewall rules Priorities, floating rules seem to be prioritised over Interface rules.

How about group interface rules, are those checked before or after the interface rule ?

Thx!

[vince]

Before.

Floating -> Group -> Interface

[remd]

ok, Thanks!

[remd]

Does the "quick" floating rule have any effect on this rule prioritisation ?

[franco]

Yes, non-quick floating rule will evaluate last or yield to another quick rule. All interface rules are quick by default.

[remd]

is the "quick" vs "non-quick" rule only evaluated within floating rules, or does this also mean that non-quick floating rules are evaluated after interface(quick) rules, even-though floating rules are usually evaluated before interface rules ?

Also since "quick" floating rules are not taken in consideration in the last version, I guess floating rules are evaluated in order (if patched or "quick" is disabled because of the issue) ?

lastly is the "quick" float rule supposed to come back in the next update ?

Thanks for the clarification, its very helpful as I'm currently setting up all rules..

[franco]

The general rule from pf(4) via the manual page[1]:

"For each packet processed by the packet filter, the filter rules are evaluated in sequential order, from first to last. The last matching rule decides what action is taken. If no rule matches the packet, the default action is to pass the packet."

... and ...

"If a   packet matches a rule which has   the quick option set, this rule is considered the last matching rule, and evaluation of subsequent rules is skipped."

Imposed on top is our floating - group - interface ordering. The underlying logic of pf(4) applies as if floating - group - interface ordering does not exist. To pf(4) it is a single set of rules of a particular ordering it needs to adhere to, but will act according to quick / non-quick.

lastly is the "quick" float rule supposed to come back in the next update ?

From the patch notes of 17.7[2]:

o A regression in floating rules in 17.7 does not honour the non-quick setting[5]. Run "opnsense-patch f25d8b" from the command line to correct this problem.

The behaviour will be restored in 17.7.1


Cheers,
Franco

[1] https://www.freebsd.org/cgi/man.cgi?query=pf.conf&sektion=5
[2] https://forum.opnsense.org/index.php?topic=5604.0

[remd]

"Imposed on top is our floating - group - interface ordering. The underlying logic of pf(4) applies as if floating - group - interface ordering does not exist. To pf(4) it is a single set of rules of a particular ordering it needs to adhere to, but will act according to quick / non-quick."
So if I understand this correctly, the interface rules will be taken in consideration first, since they are "quick" by default, unless the floating rule is set as "quick", which doesnt work at the moment .. ?

[franco]

Yes, quick will match before non-quick. Floating rules non-quick doesn't work on 17.7 because it writes as quick, unless you patch it.

If you have a floating quick rule it will hit before the interface rule.


Cheers,
Franco