Understanding How Firewall Filters Are Evaluated

A firewall filter consists of one or more terms, and the order of the terms within a filter is important. Before you configure firewall filters, you should understand how switches evaluate the terms within a filter and how packets are evaluated against the terms.

When a firewall filter consists of a single term, the filter is evaluated as follows:

  • If the packet matches all the conditions, the action in the then statement is taken.

  • If the packet matches all the conditions, and no action is specified in the then statement, the default action accept is taken.

  • If the packet does not match all the conditions, the switch discards it.

When a firewall filter consists of more than one term, the filter is evaluated sequentially:

  1. The packet is evaluated against the conditions in the from statement in the first term.

  2. If the packet matches all the conditions in the term, the action in the then statement is taken and the evaluation ends. Subsequent terms in the filter are not evaluated.

  3. If the packet does not match all the conditions in the term, the packet is evaluated against the conditions in the from statement in the second term.

    This process continues until the packet matches all the conditions in the from statement in one of the subsequent terms or there are no more terms in the filter.

  4. If a packet passes through all the terms in the filter without a match, the switch discards it.

Note:

The order of conditions in a from statement is not important because a packet must match all the conditions to be considered a match.

Figure 1 shows how switches evaluate the terms within a firewall filter.

Figure 1: Evaluation of Terms Within a Firewall Filter

If you do not include a from statement in a term, all packets will match the term and be processed by the then statement. If a term does not contain a then statement or if an action has not been configured in the then statement, the term accepts any matching packets.

Every firewall filter contains an implicit deny statement at the end of the filter, which is equivalent to the following explicit filter term:

Consequently, a packet that does not match any of the terms in a firewall filter is discarded. If you configure a filter that has no terms, all packets that pass through the filter are discarded.
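The first-match evaluation described above, modelled as an added example in Python (this is not Junos code or code from the original page). It assumes a simplified packet and term representation where each from condition is an exact key/value match, and it also shows the ordering pitfall the text warns about: a term with no from statement placed first shadows every term after it, including the implicit discard.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical, simplified model of a Junos firewall filter term.
@dataclass
class Term:
    name: str
    match: Dict[str, object] = field(default_factory=dict)  # 'from' conditions; empty = match all packets
    action: Optional[str] = None                             # 'then' action; None = default accept

def evaluate(terms: List[Term], packet: Dict[str, object]) -> Tuple[str, str]:
    """Return (action, term_name) for a packet using first-match semantics.

    Terms are tried in order; the first term whose 'from' conditions all hold
    decides the outcome and evaluation stops. A filter with no terms, or a
    packet matching no term, falls through to the implicit discard.
    """
    for term in terms:
        # Condition order does not matter: every condition must hold.
        if all(packet.get(key) == value for key, value in term.match.items()):
            return (term.action or "accept", term.name)
    return ("discard", "implicit-rule")  # the implicit deny at the end of every filter

# Constructed sample filter: SSH allowed (no 'then', so default accept), Telnet discarded.
FILTER = [
    Term("allow-ssh", {"protocol": "tcp", "destination-port": 22}),
    Term("deny-telnet", {"protocol": "tcp", "destination-port": 23}, "discard"),
]

# A term with no 'from' statement matches every packet.
CATCH_ALL = Term("accept-everything", {}, "accept")

# Constructed sample packets.
SSH = {"protocol": "tcp", "destination-port": 22}
TELNET = {"protocol": "tcp", "destination-port": 23}
DNS = {"protocol": "udp", "destination-port": 53}

def demo() -> Dict[str, Tuple[str, str]]:
    return {
        "ssh": evaluate(FILTER, SSH),                          # ('accept', 'allow-ssh')
        "telnet": evaluate(FILTER, TELNET),                    # ('discard', 'deny-telnet')
        "dns": evaluate(FILTER, DNS),                          # no match -> implicit discard
        "dns_catch_all_last": evaluate(FILTER + [CATCH_ALL], DNS),
        "empty_filter": evaluate([], SSH),                     # no terms -> everything discarded
        # Catch-all placed first: deny-telnet is never evaluated, Telnet is accepted.
        "telnet_shadowed": evaluate([CATCH_ALL] + FILTER, TELNET),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>20}: {result}")
```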

Note:

Firewall filtering is supported on packets that are at least 64 bytes long.