Rule evaluation order

  • One source of PF documentation states that rules are evaluated top to bottom but the rule that is applied is the last rule that matches.

    This seems counter-intuitive to the way we create rules - the last rule is a block any from any and that would be the last matching rule and nothing would get through!

    What is the truth/reality about how rules are evaluated/enforced?



  • @peterdh44:

    One source of PF documentation states that rules are evaluated top to bottom but the rule that is applied is the last rule that matches.

    What source?
    It works on a first match basis.

  • I thought it was in first rule match, but in the book - "The Book of PF: A No-Nonsense Guide to the OpenBSD Firewall by Peter Hansteen" on page 11 he states that it is the last rule matched that is used.

    I just wanted some verification that the book was correct or incorrect.

    Is this a function of pfsense using the "quick" option when creating rules?



  • pfSense uses FreeBSD and not OpenBSD.

    What option do you mean with "quick option"?

  • Here's a sample of the pf tutorial at

    "pass quick inet proto { tcp, udp } to any port $udp_services keep state"

    Note the quick keyword in this rule. We have started writing rule sets which consist of several rules, and it is time to take a look at the relationships between the rules in a rule set. The rules are evaluated from top to bottom, in the sequence they are written in the configuration file. For each packet or connection evaluated by PF, the last matching rule in the rule set is the one which is applied. The quick keyword offers an escape from the ordinary sequence. When a packet matches a quick rule, the packet is treated according to the present rule. The rule processing stops without considering any further rules which might have matched the packet. Quite handy when you need a few isolated exceptions to your general rules.

    Since pfsense is based on pf, does it make a difference if it runs on FreeBSD or OpenBSD?

  • I have discovered what happens - pfsense applies the quick option to all the rules so the first that matches is applied.

    The is no option to turn this on or off that I can find.

  • Why would you need that?
    Do you plan to write your rules by hand?
    The gui is there for a reason.

    Also manually fiddling around with the config (not through the gui) is not supported and you are on your own.

  • peterdh44,
    We run multiple PF boxes at work (A Data Center) and about a dozen pair of PFSense boxes.  On similar hardware a PFSense box has similar throughput. But it has a VERY nice GUI. PF is designed to be more efficient with a Last Rule Matching ruleset.  but that is generally not an easy rule set for people to think their way through. The rule sets in the GUI for PFSense are first rule matching, But either there is little performance advantage, or the PFSense kernel mods are such that the performance is made up.
    From testing I can tell you with certainty that there is VERY little difference in performance, And the difference I do see is small enough to be non noticeable in a real world situation.

    Basically, First rule matching is a better fit in this case. So the Quick option gets used.

Log in to reply