How Firewall Filters Are Evaluated

When a firewall filter consists of a single term, the filter is evaluated as follows:

• If the packet matches all the conditions, the action in the then statement is taken.
• If the packet matches all the conditions, and if there is no action specified in the then statement, the default action accept is used.
• If the packet does not match all the conditions, it is discarded.

When a firewall filter consists of more than one term, the filter is evaluated sequentially:

• The packet is evaluated against the conditions in the from statement in the first term.
• If the packet matches, the action in the then statement is taken and, if the next term action is not used, the evaluation ends. Subsequent terms in the filter are not evaluated.
• If the packet matches, the action in the then statement is taken; if the next term action is present, the evaluation continues to the next term.
• If the packet does not match, it is evaluated against the conditions in the from statement in the second term.

This process continues until either the packet matches the from conditions in one of the subsequent terms or there are no more terms.

• If a packet passes through all the terms in the filter without matching any of them, it is discarded.

If a term does not contain a from statement, the packet is considered to match and the action in the term's then statement is taken.

If a term does not contain a then statement or if you do not configure an action in the then statement, and if the packet matches the conditions in the term's from statement, the packet is accepted.

Each firewall filter has an implicit discard action at the end of the filter, which is equivalent to the following explicit filter term:

term implicit-rule {

    then discard;

}

Therefore, if a packet matches none of the terms in the filter, it is discarded.