
How The Firewall Works and Rule Ordering

The Memset firewall works through a series of rules. Each rule examines incoming packets according to one or more of their characteristics (for example the source IP address or the destination port) and specifies an action to perform on a packet that matches.

Each rule has a number, and that number is its place in the order of rules. The key to understanding and using the Memset firewall is that the rules are applied to each packet in that order: when a packet matches a rule, that rule's action is applied and all subsequent rules are ignored. In other words, the first match wins.

Accordingly, when a packet arrives at the firewall it is compared to rule 1. If it matches rule 1, the action specified in that rule is applied to the packet, which will be either to allow it to pass on to the server or to block it, and the packet is not compared against any further rules. If it does not match rule 1 it proceeds to rule 2, and so on until it matches a rule.

Any packet that matches no rule at all is blocked by default, so every service you intend to expose needs an allow rule of its own.

The order of the rules is therefore extremely important if the firewall is to do what you want it to do. Consider the following example: you have configured the firewall to allow access from every IP address on the internet to port 80 so that people can view your website. However, one IP address is hotlinking images from your site without permission, and you want to block that address and only that address.

The two rules needed to achieve this are as follows:

  • Allow access from all IP addresses on port 80
  • Block access from that one IP address

Remembering that once a packet matches a rule all other rules are ignored, the following order will not work:

  1. Allow access from all IP addresses on port 80
  2. Block access from that one IP address

This order does not work because the first rule matches every incoming packet bound for port 80 and allows it. Packets from the bad IP address are never filtered: they match the first, allow, rule and are passed on to the server, and the second, block, rule is never reached.

However, this order will work:

  1. Block access from that one IP address
  2. Allow access from all IP addresses on port 80

This works because the first rule matches only the packets from the bad IP address, so those and only those are blocked. All other packets do not match rule 1 and proceed to rule 2, which they match and are allowed through to the server.

Rules with the same order number

It is possible to give more than one firewall rule the same order number. Rules that share an order number are treated as a group that occupies that one position in the rule set. However, the order in which the rules within that group are applied is random, and changes each time the firewall is reloaded. If a packet can match more than one rule in the group and those rules have different actions, the verdict for that packet is therefore unpredictable.

For this reason only rules whose relative order does not matter should be given the same order number: rules in a group should either all have the same action or never match the same packet. A typical case is a series of identical block rules for various IP addresses. This lets the rules be enabled and disabled individually while they all appear in the same place within the overall firewall rule set.
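The following Python simulation is an added example and not Memset's own code; it models the behaviour described on this page (first match wins, default block, same-numbered rules shuffled on reload) so that the ordering example above and the same-number caveat can be checked on sample packets. The matching fields (source IP or CIDR, destination port), the sample addresses 203.0.113.7 and 198.51.100.20, and all function names are assumptions made for the example.

```python
"""Simulate first-match firewall evaluation with numbered rules (added example)."""
import ipaddress
import itertools
import random
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str    # source IP address
    dport: int  # destination port


@dataclass(frozen=True)
class Rule:
    number: int                  # order number; equal numbers form a group
    action: str                  # "allow" or "block"
    src: Optional[str] = None    # IP or CIDR to match; None matches any source
    dport: Optional[int] = None  # destination port to match; None matches any

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None:
            net = ipaddress.ip_network(self.src, strict=False)
            if ipaddress.ip_address(pkt.src) not in net:
                return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def group_by_number(rules):
    """Rules bucketed by order number, buckets in ascending number order."""
    groups = {}
    for r in rules:
        groups.setdefault(r.number, []).append(r)
    return [groups[n] for n in sorted(groups)]


def load_rules(rules, rng=None):
    """Order rules as the firewall does on reload: ascending by number,
    with rules that share a number shuffled randomly inside their group."""
    rng = rng or random.Random()
    ordered = []
    for grp in group_by_number(rules):
        grp = list(grp)
        rng.shuffle(grp)
        ordered.extend(grp)
    return ordered


def evaluate(ordered, pkt):
    """First match wins; a packet that matches no rule is blocked by default."""
    for r in ordered:
        if r.matches(pkt):
            return r.action
    return "block"


def verdicts(rules, pkt):
    """Every verdict the packet could receive across all orderings a reload
    could produce. A single-element set means the outcome is stable."""
    perms = [itertools.permutations(grp) for grp in group_by_number(rules)]
    return {evaluate([r for grp in combo for r in grp], pkt)
            for combo in itertools.product(*perms)}


if __name__ == "__main__":
    bad, good = "203.0.113.7", "198.51.100.20"   # constructed sample addresses
    packets = [Packet(bad, 80), Packet(good, 80), Packet(good, 22)]

    wrong = [Rule(1, "allow", dport=80), Rule(2, "block", src=bad)]
    right = [Rule(1, "block", src=bad), Rule(2, "allow", dport=80)]
    for name, rules in (("allow then block", wrong), ("block then allow", right)):
        order = load_rules(rules)
        print(name + ":", [(p.src, p.dport, evaluate(order, p)) for p in packets])

    # Same order number: safe for identical block rules, unsafe for allow + block.
    blocklist = [Rule(1, "block", src=ip) for ip in (bad, "203.0.113.9")]
    blocklist.append(Rule(2, "allow", dport=80))
    clash = [Rule(1, "allow", dport=80), Rule(1, "block", src=bad)]
    print("blocklist group:", verdicts(blocklist, Packet(bad, 80)))
    print("allow + block group:", verdicts(clash, Packet(bad, 80)))
```

Running the script shows the allow-then-block order letting 203.0.113.7 through on port 80 and the block-then-allow order stopping it, with port 22 blocked in both cases by the default rule. The `verdicts` check enumerates every order a reload could pick for each same-numbered group: the group of identical block rules always yields `{'block'}` for the bad address, whereas putting the allow-all rule and the single block rule at the same number yields `{'allow', 'block'}`, which is exactly the unpredictable outcome the section above warns about.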

Last updated 11 June 2015, 10:09 GMT