wiki.ipfire.org

The community-maintained documentation platform of IPFire


Rule Processing

The three types of rules

On the firewall rules page, the firewall rules are grouped into three sections. The grouping mirrors how iptables processes packets internally: each section is a separate chain, and which chain a packet is evaluated in depends on whether it is being forwarded through the firewall, is addressed to the firewall itself, or was generated by the firewall.

Forwarding rules

Rules in the forwarding section process packets that transit the firewall. That means IPFire receives them on one network and sends them out on another network, if the ruleset permits that.

                      |---------------|
|---------------|     |               |     |----------------|
| GREEN network |---->|    IPFire     |---->| ORANGE network |
|---------------|     |               |     |----------------|
                      |---------------|

Incoming connections

Another group of rules processes packets that are addressed to the firewall itself. Usually these are destined for a service running on the firewall, such as the DNS proxy or the DHCP server.

                      |---------------|
|---------------|     |               |
| GREEN network |---->|    IPFire     |
|---------------|     |               |
                      |---------------|

Outgoing connections

Just like the incoming connections, there is a group of rules for outgoing connections. All connections that IPFire itself establishes fall into this group, for example downloading packages, everything the proxy fetches on behalf of clients, and so on.

                      |---------------|
                      |               |     |----------|
                      |    IPFire     |---->| Internet |
                      |               |     |----------|
                      |---------------|

Order of the rules

The rules in each group (iptables-internally: in the chains) are processed from top to bottom. The first rule whose criteria (source, destination and all other settings) match the packet currently being processed is applied, and none of the rules after it are evaluated.

Because the first match wins, rule order matters: a broad rule placed above a narrower one makes the narrower rule unreachable, even if the narrower rule would have accepted or dropped that packet differently. Check the position of a new rule relative to any broader rules above it.

You can use the arrows to reorder the rules, or define a position when you create new rules.
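The following Python model is an added illustration of the two points above, chain selection and top-to-bottom first-match evaluation; it is not IPFire code and does not touch iptables. The firewall addresses, the GREEN/ORANGE networks and the ruleset are constructed for the example. It also includes a small shadowing check that the page does not describe: it reports rules that can never fire because an earlier, broader rule in the same chain already matches every packet they would match.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses of the firewall's own interfaces (assumption: one
# GREEN and one ORANGE address; real values depend on the installation).
FIREWALL_ADDRS = {ip_address("192.168.1.1"), ip_address("10.0.0.1")}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    from_firewall: bool = False   # generated locally by IPFire itself


@dataclass
class Rule:
    action: str                   # ACCEPT, DROP or REJECT
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        """Every criterion must agree with the packet for the rule to fire."""
        return (ip_address(pkt.src) in ip_network(self.src, strict=False)
                and ip_address(pkt.dst) in ip_network(self.dst, strict=False)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        return (ip_network(other.src, strict=False).subnet_of(ip_network(self.src, strict=False))
                and ip_network(other.dst, strict=False).subnet_of(ip_network(self.dst, strict=False))
                and (self.proto is None or self.proto == other.proto)
                and (self.dport is None or self.dport == other.dport))


def select_chain(pkt: Packet) -> str:
    """OUTPUT for IPFire's own connections, INPUT for packets addressed to the
    firewall, FORWARD for everything that transits it."""
    if pkt.from_firewall:
        return "OUTPUT"
    if ip_address(pkt.dst) in FIREWALL_ADDRS:
        return "INPUT"
    return "FORWARD"


def evaluate(rules, pkt, policy="DROP"):
    """Walk the chain top to bottom; the first matching rule decides and the
    remaining rules are never looked at.  `policy` applies if nothing matches."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return policy, None


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier, broader rule
    already catches every packet they would match."""
    return [i for i, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:i])]


# Constructed ruleset: GREEN is 192.168.1.0/24, ORANGE is 10.0.0.0/24.
CHAINS = {
    "FORWARD": [
        Rule("ACCEPT", "192.168.1.0/24", "10.0.0.0/24", "tcp", 443),
        Rule("DROP",   "192.168.1.0/24", "10.0.0.0/24"),              # broad rule
        Rule("ACCEPT", "192.168.1.0/24", "10.0.0.0/24", "tcp", 80),   # shadowed by the DROP above
    ],
    "INPUT": [
        Rule("ACCEPT", "192.168.1.0/24", "192.168.1.1/32", "udp", 53),  # DNS proxy on GREEN
    ],
    "OUTPUT": [
        Rule("ACCEPT"),
    ],
}


def process(pkt: Packet):
    """Dispatch a packet to its chain; returns (chain, verdict, index of the rule that fired)."""
    chain = select_chain(pkt)
    verdict, index = evaluate(CHAINS[chain], pkt)
    return chain, verdict, index


if __name__ == "__main__":
    print(process(Packet("192.168.1.50", "10.0.0.10", "tcp", 443)))
    print(process(Packet("192.168.1.50", "10.0.0.10", "tcp", 80)))    # dropped by the broad rule
    print(process(Packet("192.168.1.50", "192.168.1.1", "udp", 53)))
    print("unreachable FORWARD rules:", shadowed_rules(CHAINS["FORWARD"]))
```

Running the script shows the HTTP rule at the bottom of the constructed FORWARD chain never fires: the broad DROP above it matches first. Moving that rule above the DROP (with the arrows on the rules page) is what makes it effective.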

configuration/firewall/rules/processing.txt · Last modified: 2014/01/26 20:57 by MichaelTremer