Rules error?

Is this by design?

I have 2 simple rules
LAN > ANY > ANY > ALLOW
LAN > HTTP > ANY > DENY

Simple rules. I want to allow everything out NAT, and force users to use PROXY ... so I block Port 80. Now when I put the LAN > ANY > ANY rule above the DENY one it doesn't work. But with the DENY rule above it it does work?

Usering version 3.04
Just wondering if this is by design?
Thanks
Resistance

Parents

0 Polluxxx over 23 years ago

Hi Resistance,

yes this it the way it works, the rules are inspected from top to bottom.
The first one that matches takes its action.
In your Example, LAN Any Any Accept Allows all.

kind regards
Polluxxx
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Resistance over 23 years ago in reply to Polluxxx

Just a dumb question but I know there is a any any deny rule by default... so why would you purposely deny a rule?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Resistance over 23 years ago in reply to Polluxxx

Just a dumb question but I know there is a any any deny rule by default... so why would you purposely deny a rule?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 MagicMike over 23 years ago in reply to Resistance

The idea of packet filters goes like this:

for all packets do the following

check rule number 1,
if it does match, do what it says
and forget other rules -
if it doesn't, check rule 2
and so on

(and there is additional deny all rule)

so, if you have rules

LAN > ANY > ANY > ALLOW
LAN > HTTP > ANY > DENY

and try to go from lan to http it goes thru
because it stops checking rules after 1st rule.

otherwise it first checks that it is forbidden,
and leaves it like that.

the rule deny all is 'inspected last'

- M
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel