Bug #784

closed

Documentation: Firewall: Rules: Floating rules, Interface Groups, Interfaces: in which order are these groups processed?

Added by Max Mustermann over 14 years ago. Updated over 9 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: Web Interface
Target version: -
Start date: 08/01/2010
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.0
Affected Architecture:

Description

Reading "The Definitive Guide ...", the online documentation and this bug tracker, none of them gives me a clue:
in which order are firewall rules applied in 2.0?

First "WAN groupings", then the "WAN interface itself"?
Or the other way around:
First the "WAN interface itself" and then the "WAN groupings rule"?

This is important for choosing where to implement the firewall rules: at Grouping or at Interface level.

Example with 2 rules:
Grouping: allow all for IP=1.2.3.4
WAN: deny protocol=TCP/UDP dest.port=5900

In case Grouping is processed first, then traffic from IP 1.2.3.4 could reach port 5900.
In case WAN is processed first, then traffic from IP 1.2.3.4 could NOT reach port 5900 (as that would be the first match).

My first guess is that rules are processed from left to right in the user interface, resulting in:
First: Floating Rules
Second: Interface Groupings
Third: Interfaces

Is this correct?

Adding a third hint to the bottom of the page <firewall_rules.php> could assist users.
