The three types of rules

On the firewall rules page, the firewall rules are grouped into three sections.
This grouping reflects how iptables processes packets internally.

Incoming connections

One group of rules processes packets that are directed to the firewall itself. Usually these go to a service running on the firewall, such as the DNS proxy or DHCP server.

                      +---------------+
+---------------+     |               |
| GREEN network |---->|    IPFire     |
+---------------+     |               |
                      +---------------+

Forwarding rules

Rules in the forwarding section process packets that transit the firewall. That means IPFire receives them from one network and sends them out on another network, if the ruleset permits it.

                      +---------------+
+---------------+     |               |     +----------------+
| GREEN network |---->|    IPFire     |---->| ORANGE network |
+---------------+     |               |     +----------------+
                      +---------------+

Outgoing connections

Just like incoming connections, outgoing connections have their own group of rules. All connections that are established by IPFire itself are put into this group, for example downloading packages, everything the proxy accesses and so on.

                      +---------------+
                      |               |     +----------+
                      |    IPFire     |---->| Internet |
                      |               |     +----------+
                      +---------------+

Order of the rules

The rules of each type are processed from top to bottom (internally in the iptables chains). The first rule that matches (where source, destination and all other settings equal those of the packet currently being processed) is executed, and all rules after it are not evaluated any more.

You can use the arrows to re-order rules of the same type or define a position when you create new rules.
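
The first-match behaviour described above, as an added example that is not IPFire's own code: a small Python model that evaluates an ordered rule list top to bottom and reports rules that can never fire because an earlier, broader rule already matches everything they would. The networks, rule names and the `default` action are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    src: str               # source network (CIDR)
    dst: str               # destination network (CIDR)
    dport: Optional[int]   # destination port, None matches any port
    action: str            # "ACCEPT" or "DROP"

    def matches(self, src_ip, dst_ip, dport):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.dport in (None, dport))

    def covers(self, other):
        """True if every packet matched by `other` is also matched by this rule."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.dport in (None, other.dport))

def evaluate(rules, src_ip, dst_ip, dport, default="DROP"):
    """Return (rule name, action) of the first matching rule; `default` is assumed."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.name, rule.action   # later rules are never looked at
    return None, default

def shadowed(rules):
    """Return (rule, earlier rule) name pairs for rules that can never fire."""
    pairs = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(rule):
                pairs.append((rule.name, earlier.name))
                break
    return pairs

# Constructed sample: forwarding rules from GREEN (192.168.1.0/24) to ORANGE (10.0.0.0/24)
SAMPLE_RULES = [
    Rule("block-green-to-orange", "192.168.1.0/24", "10.0.0.0/24", None, "DROP"),
    Rule("allow-web", "192.168.1.0/24", "10.0.0.10/32", 443, "ACCEPT"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_RULES, "192.168.1.5", "10.0.0.10", 443))
    print(shadowed(SAMPLE_RULES))
```

Moving `allow-web` above the block rule makes it the first match for that traffic and leaves no shadowed rule.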