Date:      Thu, 27 Jul 2017 12:23:33 -0400
From:      Makketron <makketronics@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Question regarding IPFW manual page description
Message-ID:  <CACAG1goAnTVn4_5u3=Ni6AuNqDjY8SfM4s8oCY5srO3-%2BLjHYQ@mail.gmail.com>

Hello,
According to https://www.freebsd.org/cgi/man.cgi?ipfw(8) , we have:

"Also note that each packet is always checked against the complete rule-
     set, irrespective of the place where the check occurs, or the source of
     the packet."


According to https://www.freebsd.org/doc/handbook/firewalls-ipfw.html , we
have:

When a packet enters the IPFW firewall, it is compared against the first
rule in the ruleset and progresses one rule at a time, moving from top to
bottom in sequence. When the packet matches the selection parameters of a
rule, the rule's action is executed and the search of the ruleset
terminates for that packet. ...


So in the manual pages, when it is said that a packet is ALWAYS checked
against the COMPLETE ruleset, I understand that if a packet matches rule A,
it will still be compared against the remaining rules, which raises the
question, if two rules match, which one wins.

Which is the more accurate behavior, the man page or the handbook?

Thank you
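Added illustration, not part of the post and not ipfw's own code: a small Python model of the first-match evaluation the Handbook passage describes. The ruleset is constructed so that an inbound SSH packet matches both rule 100 and rule 200, and the rule and packet fields are simplified assumptions.

```python
# Toy model of the evaluation order the Handbook describes: the same ruleset
# is consulted for every check point, rules are walked in ascending number,
# and the search stops at the first rule whose selectors match.
# Constructed example; rule and packet fields are deliberately minimal.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    number: int
    action: str                      # "allow" or "deny"
    proto: str = "ip"                # "ip" matches any protocol
    direction: Optional[str] = None  # "in", "out", or None for both
    dst_port: Optional[int] = None   # None matches any destination port


@dataclass
class Packet:
    proto: str
    direction: str
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every selector set on the rule agrees with the packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(ruleset, pkt: Packet):
    """Walk rules by number; the first match decides and the walk ends."""
    for rule in sorted(ruleset, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.number, rule.action
    # ipfw's default rule is number 65535; whether it accepts or denies is
    # a kernel build option, modelled here as deny.
    return 65535, "deny"


# Constructed ruleset: an inbound tcp/22 packet matches both 100 and 200,
# so ordering, not "every matching rule", determines the outcome.
RULESET = [
    Rule(100, "allow", "tcp", "in", 22),
    Rule(200, "deny", "tcp", "in"),
    Rule(300, "allow", "ip", "out"),
]


def demo():
    pkts = [Packet("tcp", "in", 22), Packet("tcp", "in", 80),
            Packet("udp", "out", 53), Packet("udp", "in", 53)]
    return [evaluate(RULESET, p) for p in pkts]
```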


