Netgate Discussion Forum

    Firewall rule processing order with multiple interface groups

    el_baby:

      Hi,

      I have several LANs and DMZs in my network for different purposes (using VLANs to separate them).

      So I created a bunch of interface groups that sometimes overlap (that is, the same interface can be in more than one interface group).

      According to the documentation, interface group rules are processed before interface rules. My question is, how can I control (or at least know) in which order interface group rules are processed?

      For instance, if interface LAN3 belongs to interface groups LANs_ALL and INTERNAL_ALL, how do I know whether rules in INTERNAL_ALL are applied before or after LANs_ALL, or, better yet, can I control this order?

      Any help is appreciated.

    viragomann @el_baby:

        @el_baby
        Run

        cat /tmp/rules.debug
        

        For overlapping conditions, the first one wins.

    el_baby @viragomann:

          Hi, @viragomann, thanks for your suggestion.

          I didn't answer earlier because just today I had access again to the firewall.
          I did a few tests with some rules in every interface group and I could verify that interface groups are sorted alphabetically by name and rules are applied in that order.

          This may have a subtle (and possibly dangerous) side effect if you rename an interface group after rules in that and other groups exist:

          Suppose you have group name GROUP1 with RULE1 in it, and group name GROUP2 with RULE2 in it.

          Once you apply the rules, RULE1 applies before RULE2.

          If, later on, you rename GROUP2 to GROUP0 without further changes, the rules stay as they are.

          BUT if you later create, modify or delete a rule (maybe one unrelated to either group), once the rules are reapplied, RULE2 will be applied before RULE1 (which might have security or functional consequences).

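Added example (not code from the thread or from pfSense): a small POSIX shell/awk helper that reads the generated ruleset viragomann points at (/tmp/rules.debug) and prints each pass/block/match rule with the interface or interface group it is bound to, in the order pf will evaluate them. Because pfSense user rules are "quick" rules, the first match wins, so this listing is the effective precedence of the group sections, and running it before and after a group rename or rule change is a direct check for the reordering el_baby describes. It assumes user rules appear as lines of the form `pass in quick on $NAME ... label "USER_RULE: ..."` (the `$` prefix and the label are optional; adjust the matching if your version renders them differently). The sample rules.debug excerpt it writes is constructed for the demonstration and is not a real firewall's ruleset.

```shell
#!/bin/sh
# Added example, not part of the original thread or of pfSense.
# ASSUMPTION: user rules in rules.debug are single pass/block/match lines that
# carry "on $NAME" (or "on NAME") and, usually, a label "USER_RULE: ...".

# Print "N iface label" for every pass/block/match rule, in file order.
# pf evaluates user rules top to bottom and they are "quick", so this is the
# order in which the rules actually win.
rule_listing() {
    awk '
        /^[ \t]*(pass|block|match)[ \t]/ {
            iface = "?"
            for (i = 1; i <= NF; i++)
                if ($i == "on" && i < NF) { iface = $(i + 1); sub(/^\$/, "", iface); break }
            label = "(no label)"
            if (match($0, /label "[^"]*"/)) label = substr($0, RSTART + 7, RLENGTH - 8)
            printf "%d %s %s\n", ++n, iface, label
        }
    ' "$1"
}

# Print each interface/group name the first time it appears, with its rule
# count: a compact view of which group section is evaluated first.
rule_order() {
    awk '
        /^[ \t]*(pass|block|match)[ \t]/ {
            for (i = 1; i <= NF; i++)
                if ($i == "on" && i < NF) {
                    name = $(i + 1); sub(/^\$/, "", name)
                    if (!(name in seen)) { seen[name] = 1; order[++n] = name }
                    count[name]++
                    break
                }
        }
        END { for (i = 1; i <= n; i++) printf "%d %s (%d rules)\n", i, order[i], count[order[i]] }
    ' "$1"
}

# Constructed sample: two groups (INTERNAL_ALL sorts before LANs_ALL, as the
# thread observed) followed by an interface rule. Not a real rules.debug.
write_sample() {
    cat > "$1" <<'EOF'
# User-defined rules follow
pass  in  quick  on  $INTERNAL_ALL inet from any to 10.0.0.0/8 ridentifier 1700000001 keep state label "USER_RULE: internal to internal"
pass  in  quick  on  $INTERNAL_ALL inet proto udp from any to 10.0.0.53 port 53 ridentifier 1700000002 keep state label "USER_RULE: internal DNS"
block  in  quick  on  $LANs_ALL inet from any to 10.0.50.0/24 ridentifier 1700000003 label "USER_RULE: no LAN to mgmt"
pass  in  quick  on  $LAN3 inet from 10.0.3.0/24 to any ridentifier 1700000004 keep state label "USER_RULE: LAN3 out"
EOF
}

# Usage: ./rule_order.sh [/tmp/rules.debug]; with no argument, run on the sample.
if [ -n "${1:-}" ]; then
    rule_listing "$1"; echo; rule_order "$1"
else
    tmp=$(mktemp)
    write_sample "$tmp"
    rule_listing "$tmp"; echo; rule_order "$tmp"
    rm -f "$tmp"
fi
```

Run it once, rename a group (or add an unrelated rule so the ruleset is regenerated) and run it again; if the group sections swap places in the listing, a rule that was previously shadowed by an earlier group's rule may now be the one that wins.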
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.