Bug #784
closed
Documentation: Firewall: Rules: Floating rules, Interface Groups, Interfaces: in which order are these groups processed?
Description
Reading "The Definitive Guide ...", the online documentation and this bug tracker, none of them gives me a clue:
in which order are firewall rules applied in 2.0?
First "WAN groupings", then the "WAN interface itself"?
Or the other way around:
First the "WAN interface itself" and then the "WAN groupings rule"?
This is important for choosing where to implement the firewall rules: at Grouping or at Interface level.
Example with 2 rules:
Grouping: allow all for IP=1.2.3.4
WAN: deny protocol=TCP/UDP dest.port=5900
In case Grouping is processed first, then traffic from IP 1.2.3.4 could reach port 5900.
In case WAN is processed first, then traffic from IP 1.2.3.4 could NOT reach port 5900 (as that would be the first match).
My first guess is that rules are processed from left to right in the user interface, resulting in:
First: Floating Rules
Second: Interface Groupings
Third: Interfaces
Is this correct?
Adding a third hint to the bottom of the page <firewall_rules.php> could assist users.