Floating rules, quick option and traffic shaping
-
Hi all,
I need some confirmation on the effect of the "quick" option in floating rules.
1. If ALL the rules in the floating tab have the quick option UNCHECKED, the "LAST match wins" behaviour applies. Correct?
2. If ALL the rules in the floating tab have the quick option CHECKED, the "FIRST match wins" behaviour applies. Correct?
3. What if only a few rules have the quick option checked and the rest have it unchecked? Does pfSense process the rules in the floating tab in the order it appears and when it reaches a rule with the quick option selected and the traffic matches the rule, does pfSense stop processing any further?Now, regarding the MATCH action, the current version of the pfSense book mentions that "Match rules do not work with quick selected".
What exactly does this mean? Will the quick option be ignored on a rule having the match action, or does this mean that the rule will not be acted upon in case of a match?
Can someone please clarify this?Finally, in section 12.6.5 of the current pfSense book, it is mentioned that "it is advised that you always leave quick selected" and in the same paragraph, "the only rules they would have without quick selected are traffic shaper rules".
Does this mean that I should in general ALWAYS select the QUICK option and for traffic shaping rules (i.e. where the MATCH action is selected and we specify queues), I should NOT select the QUICK option?Please clarify.
Thank you for any help.
-
Hi all,
I need some confirmation on the effect of the "quick" option in floating rules.
1. If ALL the rules in the floating tab have the quick option UNCHECKED, the "LAST match wins" behaviour applies. Correct?
2. If ALL the rules in the floating tab have the quick option CHECKED, the "FIRST match wins" behaviour applies. Correct?
3. What if only a few rules have the quick option checked and the rest have it unchecked? Does pfSense process the rules in the floating tab in the order it appears and when it reaches a rule with the quick option selected and the traffic matches the rule, does pfSense stop processing any further?All rules on interface tabs have the quick option enabled. Rule processing stops when a match is found.
Pass/Reject/Block Rules on the floating tab have quick disabled by default. Rules without quick enabled can be thought of as default behavior that can be OVERRIDDEN by later rules, but if no other rule matches the traffic, the rule without quick selected will be enforced. Note that the rules overriding this behavior might be later in the rule processing flow, like on interface tabs.
An example of this are the default deny any any rules that are applied to all interfaces. One might think that these rules are placed at the bottom of the rule set. They are, in fact, placed at the top without quick enabled. They are enforced if no subsequent rules match the traffic.
https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order
Now, regarding the MATCH action, the current version of the pfSense book mentions that "Match rules do not work with quick selected".
What exactly does this mean? Will the quick option be ignored on a rule having the match action, or does this mean that the rule will not be acted upon in case of a match?
Can someone please clarify this?As far as I can tell, the quick flag has no effect on Match rules. Put your least-specific Match rules at the top and your most-specific rules at the bottom.
Finally, in section 12.6.5 of the current pfSense book, it is mentioned that "it is advised that you always leave quick selected" and in the same paragraph, "the only rules they would have without quick selected are traffic shaper rules".
Does this mean that I should in general ALWAYS select the QUICK option and for traffic shaping rules (i.e. where the MATCH action is selected and we specify queues), I should NOT select the QUICK option?That could probably use a touch-up.
In most cases, Pass/Reject/Block rules make more sense with quick selected so the behavior matches the interface tabs.
"traffic shaping" rules generally means "Match" rules, so last-match wins since quick on those rules is ignored.
-
Thanks for the clarification Derelict.