Bug #784
Status: Closed
Documentation: Firewall: Rules: Floating rules, Interface Groups, Interfaces: in which order are these groups processed?
Description
Reading "The Definitive Guide ...", the online documentation and this bug tracker, none of them give me a clue in which order firewall rules are applied in 2.0.
First "WAN groupings", then the "WAN interface itself"?
Or the other way around:
First the "WAN interface itself" and then the "WAN groupings rule"?
This is important for choosing where to implement the firewall rules: at Grouping or at Interface level.
Example with 2 rules:
Grouping: allow all for IP=1.2.3.4
WAN: deny protocol=TCP/UDP dest.port=5900
If Grouping is processed first, traffic from IP 1.2.3.4 could reach port 5900.
If WAN is processed first, traffic from IP 1.2.3.4 could NOT reach port 5900 (as that would be the first match).
My first guess is that rules are processed from left to right in the user interface, resulting in:
First: Floating Rules
Second: Interface Groupings
Third: Interfaces
Is this correct?
Adding a third hint to the bottom of the page <firewall_rules.php> could assist users.
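As an added example (not part of the original report), here is a small Python model of first-match rule evaluation using the two rules from the report; the `Rule` and `Packet` classes and the rule names are constructed for illustration, and the model simply takes the ruleset order as a parameter since the page does not settle which order pfSense uses.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    """Constructed model of a firewall rule; a None field means 'any'."""
    name: str
    action: str                           # "pass" or "block"
    src: Optional[str] = None
    proto: Optional[Tuple[str, ...]] = None
    dport: Optional[int] = None

    def matches(self, src: str, proto: str, dport: int) -> bool:
        return ((self.src is None or self.src == src)
                and (self.proto is None or proto in self.proto)
                and (self.dport is None or self.dport == dport))

@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dport: int

def first_match(rules, pkt: Packet, default: str = "block"):
    """First-match semantics: the first matching rule decides the verdict."""
    for r in rules:
        if r.matches(pkt.src, pkt.proto, pkt.dport):
            return r.action, r.name
    return default, "default"

# The two rules from the report (names are constructed).
GROUP_RULES = [Rule("group-allow-1.2.3.4", "pass", src="1.2.3.4")]
WAN_RULES = [Rule("wan-deny-5900", "block", proto=("tcp", "udp"), dport=5900)]

def evaluate(order, pkt: Packet):
    """order: the rulesets in the sequence the firewall consults them."""
    combined = [r for ruleset in order for r in ruleset]
    return first_match(combined, pkt)

def order_sensitive(pkt: Packet) -> bool:
    """True when swapping Group/WAN order changes the verdict for pkt."""
    group_first = evaluate([GROUP_RULES, WAN_RULES], pkt)[0]
    wan_first = evaluate([WAN_RULES, GROUP_RULES], pkt)[0]
    return group_first != wan_first

# Constructed sample: VNC (port 5900) from the allowed host.
VNC_FROM_HOST = Packet("1.2.3.4", "tcp", 5900)

if __name__ == "__main__":
    print(evaluate([GROUP_RULES, WAN_RULES], VNC_FROM_HOST))
    print(evaluate([WAN_RULES, GROUP_RULES], VNC_FROM_HOST))
    print(order_sensitive(VNC_FROM_HOST))
```

`order_sensitive` is the check to run over the traffic you care about before deciding whether a rule belongs at Group or Interface level.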
Updated by Chris Buechler over 14 years ago
- Status changed from New to Rejected
Lack of documentation is not a bug. It does need to be created, but it's too complex to note in the web interface, and we're not tracking individual needs for documentation. Post your questions to the 2.0 board on the forum.
Updated by David Szpunar over 14 years ago
Check http://forum.pfsense.org/index.php/topic,27197.msg142135.html#msg142135 for some details on this question which I also had. It appears Interfaces is "before" Interface Groups per that. Beyond that I don't know. Just a link here for reference by future searchers.