Documentation: Firewall: Rules: Floating rules, Interface Groups, Interfaces: in which order are these groups processed?
Reading "The Definitive Guide ...", the online documentation and this bug tracker, none of them gives me a clue
as to the order in which firewall rules are applied in 2.0.
First "WAN groupings", then the "WAN interface itself"?
Or the other way around:
first the "WAN interface itself" and then the "WAN groupings rule"?
This is important for choosing where to implement the firewall rules: at the Grouping or at the Interface level.
Example with 2 rules:
Grouping: allow all for IP=18.104.22.168
WAN: deny protocol=TCP/UDP dest.port=5900
If Grouping is processed first, then traffic from IP 22.214.171.124 could reach port 5900.
If WAN is processed first, then traffic from IP 126.96.36.199 could NOT reach port 5900 (as that would be the first match).
My first guess is that rules are processed from left to right in the user interface, resulting in:
First: Floating Rules
Second: Interface Groupings
Is this correct?
Adding a third hint to the bottom of the page <firewall_rules.php> could assist users.
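To make the two orderings in the question concrete, here is an added toy evaluator (my own illustration, not pfSense code or anything from this tracker) that runs the report's two rules under both tier orders; the tier names, the strict first-match semantics and the placeholder source address are assumptions:

```python
"""Toy first-match evaluator for the two tier orderings asked about above.
Constructed for illustration, not pfSense code; it makes no claim about the
order pfSense actually uses. Each tier (floating, group, interface) is an
ordered rule list and evaluation stops at the first match.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    proto: str   # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                                   # "pass" or "block"
    src: Optional[str] = None                     # None = any source
    protos: FrozenSet[str] = frozenset()          # empty = any protocol
    dport: Optional[int] = None                   # None = any port

    def matches(self, pkt: Packet) -> bool:
        return ((self.src is None or self.src == pkt.src)
                and (not self.protos or pkt.proto in self.protos)
                and (self.dport is None or self.dport == pkt.dport))

def evaluate(pkt, tiers, order, default="block"):
    """Walk the tiers in `order`; return (action, tier) of the first match."""
    for name in order:
        for rule in tiers.get(name, []):
            if rule.matches(pkt):
                return rule.action, name
    return default, "default"   # no rule matched: implicit default action

# The reporter's two rules. TRUSTED is a placeholder (TEST-NET-1 address),
# not the address from the report.
TRUSTED = "192.0.2.10"
TIERS = {
    "floating": [],
    "group": [Rule("pass", src=TRUSTED)],
    "interface": [Rule("block", protos=frozenset({"tcp", "udp"}), dport=5900)],
}

def outcome(order):
    """Result for the trusted host hitting TCP/5900 under a given tier order."""
    return evaluate(Packet(TRUSTED, "tcp", 5900), TIERS, order)

if __name__ == "__main__":
    print(outcome(("floating", "group", "interface")))   # ('pass', 'group')
    print(outcome(("floating", "interface", "group")))   # ('block', 'interface')
```

The same packet passes or is blocked depending only on which tier is consulted first, which is exactly why the order matters for where a rule should live.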
#1 Updated by Chris Buechler almost 10 years ago
- Status changed from New to Rejected
Lack of documentation is not a bug. It does need to be created, but it's too complex to note in the web interface, and we're not tracking individual needs for documentation. Post your questions to the 2.0 board on the forum.
#2 Updated by David Szpunar almost 10 years ago
Check http://forum.pfsense.org/index.php/topic,27197.msg142135.html#msg142135 for some details on this question which I also had. It appears Interfaces is "before" Interface Groups per that. Beyond that I don't know. Just a link here for reference by future searchers.