Netgate Discussion Forum
    Rules priority and processing basics

      makesense

      With regard to blocking a protocol, such as ICMP: I read in the forum where it was advised to put the "block all" rule first (above, or at the top). Then I read in the documentation Firewall Rules Basics: "Firewall rules are processed from the top down, and the first match wins." So if I put in a rule to block all ICMP but still want to allow a few users to use ICMP, what is the order I should put the "allow ICMP for 'range or single host'" and "block all ICMP" rules in? Which goes above which? To satisfy the documentation, it "makes sense" for me to put the allow above the block all, which goes against what I'm reading in the forum.

      BTW what is the difference between block and reject?
      tnx

        marcelloc

        Create rules to allow access to your services, what is not listed in rules will be blocked.

        Deny just drops the packet; reject drops it and returns an error response to the client.

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

          makesense

          But as an Internet Provider to other users, I have to start with an allow rule. Which, BTW, is at the bottom of my rule set. But I have no problem implementing a block all ICMP rule for most users to prevent DoS attacks. So right now I have an allow all rule as the last entry, and then a block all ICMP for most users above the allow all, and the allow some ICMP above the block all ICMP. Is that the order these need to be in?

            marcelloc

            @makesense:

            Is that the order these need to be in?

            yes. :)

            Remember to reset the state table (shortcut on the dashboard) while testing rule combinations.

            Elite Training: http://sys-squad.com

            Help a community developer! ;D

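The ordering question in this thread comes down to one property: the rule list is walked top down and the first matching rule decides. The following is an added Python model of that evaluation, written for this page and not taken from pfSense or pf itself. It encodes the rule set makesense describes (allow ICMP from a chosen host, then block all ICMP, then allow all) next to the reversed order, and includes a small shadowing check that reports any rule that can never fire because an earlier rule already matches everything it would. The addresses are constructed RFC 5737 documentation addresses, and the responses returned for "reject" follow pf's behaviour as the author of this example understands it (TCP RST for TCP, ICMP port unreachable for UDP, silent drop for everything else); they are an assumption of the model, not something the thread states.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str   # "pass", "block" or "reject"
    proto: str    # "icmp", "tcp", "udp" or "any"
    src: str      # source address/network in CIDR notation, or "any"
    note: str     # label reported in verdicts and in the shadowing check


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str      # single source address


@dataclass(frozen=True)
class Verdict:
    action: str              # what the firewall did with the packet
    matched: Optional[str]   # note of the rule that fired; None for the implicit default
    response: Optional[str]  # what the sender gets back; None for a silent drop


def _covers(rule: Rule, proto: str, src: str) -> bool:
    """True if the rule's protocol and source match this protocol and source address."""
    if rule.proto != "any" and rule.proto != proto:
        return False
    return rule.src == "any" or ip_address(src) in ip_network(rule.src)


def reject_response(proto: str) -> Optional[str]:
    # Assumption of this model: reject answers TCP with a RST and UDP with an
    # ICMP port-unreachable; anything else is dropped silently, just like block.
    if proto == "tcp":
        return "TCP RST"
    if proto == "udp":
        return "ICMP port unreachable"
    return None


def evaluate(rules: List[Rule], pkt: Packet) -> Verdict:
    """First match wins: walk the list top down and stop at the first rule that matches."""
    for rule in rules:
        if _covers(rule, pkt.proto, pkt.src):
            resp = reject_response(pkt.proto) if rule.action == "reject" else None
            return Verdict(rule.action, rule.note, resp)
    # Nothing matched: the packet is dropped (default deny).
    return Verdict("block", None, None)


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Notes of rules that can never fire because an earlier rule already covers every packet they match."""
    hidden = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            proto_ok = earlier.proto == "any" or earlier.proto == later.proto
            if earlier.src == "any":
                src_ok = True
            elif later.src == "any":
                src_ok = False
            else:
                src_ok = ip_network(later.src).subnet_of(ip_network(earlier.src))
            if proto_ok and src_ok:
                hidden.append(later.note)
                break
    return hidden


# Constructed sample rule sets (documentation addresses, RFC 5737).
MONITOR_HOST = "192.0.2.10/32"

# The order makesense describes: specific allow, then block all ICMP, then allow all.
ALLOW_ABOVE_BLOCK = [
    Rule("pass", "icmp", MONITOR_HOST, "allow icmp from monitoring host"),
    Rule("block", "icmp", "any", "block all icmp"),
    Rule("pass", "any", "any", "allow all"),
]

# The reversed order: the block swallows ICMP from the monitoring host too.
BLOCK_ABOVE_ALLOW = [
    Rule("block", "icmp", "any", "block all icmp"),
    Rule("pass", "icmp", MONITOR_HOST, "allow icmp from monitoring host"),
    Rule("pass", "any", "any", "allow all"),
]

if __name__ == "__main__":
    probes = [Packet("icmp", "192.0.2.10"), Packet("icmp", "192.0.2.77"), Packet("tcp", "192.0.2.77")]
    for name, rules in (("allow above block", ALLOW_ABOVE_BLOCK), ("block above allow", BLOCK_ABOVE_ALLOW)):
        print(name)
        for pkt in probes:
            v = evaluate(rules, pkt)
            print(f"  {pkt.proto} from {pkt.src}: {v.action} (rule: {v.matched})")
        print("  shadowed rules:", shadowed_rules(rules))
```

Running it shows ICMP from 192.0.2.10 passing only in the first ordering; in the second, the shadowing check names the allow rule as unreachable, which is the symptom to look for when a rule "does nothing". The model does not track the state table, so marcelloc's reminder still applies on a real box: states created under an old rule keep flowing until they are reset.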
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.