Bug #784

Documentation: Firewall: Rules: Floating rules, Interface Groups, Interfaces: in which order are these groups processed?

Added by Max Mustermann almost 10 years ago. Updated almost 5 years ago.

Web Interface
Target version:
Start date:
Due date:
% Done:


Estimated time:
Affected Version:
Affected Architecture:


Reading "The Definitive Guide ...", online documentation and this bug tracker, none of them give me a clue,
in which order are firewall rules applied in 2.0?

First "WAN groupings", then the "WAN interface itself"?
or the other way around:
First the "WAN interface itself" and then the "WAN groupings rule"?

This is important for choosing where to implement the firewall rules: at Grouping or at Interface level.

Example with 2 rules:
Grouping: allow all for IP=
WAN: deny protocol=TCP/UDP dest.port=5900

In case Grouping is processed first, then traffic from IP could reach port 5900.
In case WAN is processed first, then traffic from IP could NOT reach port 5900. (as that would be the first match).

My first guess is that rules are processed from left to right in the user interface, resulting in:
First: Floating Rules
Second: Interface Groupings
Third: Interfaces

Is this correct?

Adding a third hint to the bottom of the page <firewall_rules.php>, could assist users.


#1 Updated by Chris Buechler almost 10 years ago

  • Status changed from New to Rejected

lack of documentation is not a bug. It does need to be created, but it's too complex to note in the web interface, and we're not tracking individual needs for documentation. Post your questions to the 2.0 board on the forum.

#2 Updated by David Szpunar almost 10 years ago

Check,27197.msg142135.html#msg142135 for some details on this question which I also had. It appears Interfaces is "before" Interface Groups per that. Beyond that I don't know. Just a link here for reference by future searchers.

#3 Updated by Chris Buechler almost 5 years ago

  • Target version deleted (2.0)

Also available in: Atom PDF