How Firewall Filters Are Evaluated
When a firewall filter consists of a single term, the filter is evaluated as follows:
- If the packet matches all the conditions, the action in the then statement is taken.
- If the packet matches all the conditions and if there is no action specified in the then statement, the default action accept is used.
- If the packet does not match all the conditions, it is discarded.
When a firewall filter consists of more than one term, the terms in the filter are evaluated sequentially:
- The packet is evaluated against the conditions in the from statement in the first term.
- If the packet matches the from statement, the action in the then statement is performed. Then:
  - If the next term action is not specified, the evaluation ends. Subsequent terms in the filter are not evaluated.
  - If the next term action is present, the evaluation continues to the next term.
- If the packet does not match the from statement in the first term, it is evaluated against the conditions in the from statement in the second term.
This process continues until either the packet matches the from conditions in one of the subsequent terms or there are no more terms.
Both for filters with a single term and for filters with multiple terms, if a term does not contain a from statement, the action in the term’s then statement is performed on all packets.
If a term does not contain a then statement or if you do not specify an action in the then statement, and if the packet matches the conditions in the term’s from statement, the packet is accepted.
Each firewall filter has an implicit discard action at the end of the filter, equivalent to a final explicit term that has no from statement and whose then statement specifies discard.
Therefore, if a packet matches none of the terms in the filter, it is discarded.
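To make the evaluation order concrete, the following is an added Python simulator of the rules above (example code, not Junos software or part of the original page): a term without a from statement matches every packet, a then statement with no action accepts, next term continues evaluation, and the implicit discard catches anything that matches no term. The Term structure, the packet dictionaries and the sample filter are constructed for illustration; only terminating actions are modelled, so a non-terminating action such as count combined with next term is not represented.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Term:
    name: str
    match: dict = field(default_factory=dict)  # 'from' conditions; empty = no from statement
    action: Optional[str] = None               # terminating action in 'then'; None = not specified
    next_term: bool = False                    # True when 'then' contains 'next term'


def term_matches(term: Term, packet: dict) -> bool:
    # A term with no 'from' statement matches every packet; otherwise every
    # condition in 'from' must hold (all conditions are ANDed).
    return all(packet.get(key) == value for key, value in term.match.items())


def evaluate(terms: list, packet: dict):
    """Return (final action, names of the terms consulted) for one packet."""
    consulted = []
    for term in terms:
        consulted.append(term.name)
        if not term_matches(term, packet):
            continue                            # no match: try the next term's 'from'
        if term.next_term:
            continue                            # 'next term': keep evaluating
        # Matched and no 'next term': evaluation ends here. A 'then' with no
        # action defaults to accept.
        return term.action or "accept", consulted
    consulted.append("implicit-discard")        # fell off the end: implicit discard
    return "discard", consulted


# Constructed sample filter (hypothetical term names and conditions).
SAMPLE_FILTER = [
    Term("allow-ssh", {"protocol": "tcp", "dport": 22}, "accept"),
    Term("mark-dns", {"protocol": "udp", "dport": 53}, next_term=True),
    Term("udp-ok", {"protocol": "udp"}),                        # 'then' with no action: accept
    Term("block-telnet", {"protocol": "tcp", "dport": 23}, "discard"),
]

if __name__ == "__main__":
    for pkt in ({"protocol": "tcp", "dport": 22}, {"protocol": "udp", "dport": 53},
                {"protocol": "tcp", "dport": 23}, {"protocol": "tcp", "dport": 80}):
        print(pkt, "->", evaluate(SAMPLE_FILTER, pkt))
```

The returned list of consulted terms shows where evaluation stopped, which is the quickest way to see why a packet that should have been accepted instead hit the implicit discard.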
