6.5.1.1. Evaluating firewall rules

When Application-level Gateway receives a connection request from a client, it tries to select a rule matching the parameters of the connection. The following parameters are considered.

Name in MC                    Name in policy.py
VPN                           reqid
Source Interface              src_iface
Source Interface Group        src_ifgroup
Protocol                      proto
ICMP type                     icmp_type
ICMP code                     icmp_code
Source Port                   src_port
Destination Port              dst_port
Source Subnet                 src_subnet
Source Zone                   src_zone
Destination Subnet            dst_subnet
Destination Interface         dst_iface
Destination Interface Group   dst_ifgroup
Destination Zone              dst_zone

Table 6.2. Evaluated Rule parameters

If a connection matches multiple rules, the rule with the most-specific match is selected. The most specific rule is determined as follows.

  • The order of the rules is not important.

  • The parameters of the connection act as filters: if you do not set any parameters, the rule will match any connection.

  • If multiple rules would match a connection, the rule with the most-specific match is selected.

    For example, you have configured two rules: the first has the Source Zone parameter set as the office (which is a zone covering all of your client IP addresses), the second has the Source Subnet parameter set as 192.168.15.15/32. The other parameters of the rules are the same. If a connection request arrives from the 192.168.15.15/32 address, Application-level Gateway will select the second rule. The first rule will match every other client request.

  • Application-level Gateway considers the parameters of a connection in groups. The first group is the least-specific, the last one is the most-specific. The parameter groups are listed below.

  • The parameter groups are linked with a logical AND operator: if parameters of multiple groups are set in a rule, the connection request must match a parameter of every group. For example, if both the Source Interface and Destination Port are set, the connection must match both parameters.

  • Parameters within the same group are linked with a logical OR operator: if multiple parameters of a group are set for a rule, the connection must match any one of the parameters. If there are multiple similar rules, the rule with the most specific parameter match for the connection will be selected.

    Note

    In general, avoid using multiple parameters of the same group in one rule, as it may lead to undesired side-effects. Use only the most specific parameter matching your requirements.

    For example, suppose that you have a rule with the Destination Zone parameter set, and you want to create a similar rule for a specific subnet of this zone. In this case, create a new rule with only the Destination Subnet parameter set; do not set the Destination Zone parameter in the new rule as well. Setting the Destination Zone parameter in both rules and the Destination Subnet parameter in the second rule would work for connections targeting the specified subnet, but it would cause Application-level Gateway to reject the connections that target other subnets of the specified destination zone: both rules would match such a connection with the same specificity (only the Destination Zone parameter of each rule matches), so neither can be selected.

  • The parameter groups are the following from the least specific to the most specific ones. Parameters within each group are listed from left to right from the least specific to the most specific ones.

    1. Destination Zone > Destination Interface Group > Destination Interface > Destination Subnet

    2. Source Zone > Source Subnet

    3. Destination Port (Note that port is more specific than port range.)

    4. Source Port (Note that port is more specific than port range.)

    5. Protocol

    6. Source Interface Group > Source Interface > VPN

  • If no matching rule is found, Application-level Gateway rejects the connection.

    Note

    It is possible to create rules that are very similar, making debugging difficult.
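The selection method above, worked through in code. This is an added model written for this page, not Zorp's own rule evaluator or its policy.py Rule API: it implements the documented group ordering (groups ANDed, parameters inside a group ORed, a port more specific than a port range, the later group and the later parameter within a group being the more specific ones) and treats a connection matched by no rule, or by two rules with equal specificity as in the Destination Zone note, as rejected. The zone definitions, rule names and connections are constructed for the example; ICMP type and code are not modelled.

```python
"""Added model of Application-level Gateway rule selection (not Zorp's own code)."""
import ipaddress

# Parameter groups, least specific first; within a group the later parameter is
# the more specific one (mirrors the numbered list in the section).
GROUPS = [
    ("dst_zone", "dst_ifgroup", "dst_iface", "dst_subnet"),
    ("src_zone", "src_subnet"),
    ("dst_port",),
    ("src_port",),
    ("proto",),
    ("src_ifgroup", "src_iface", "reqid"),
]

# Constructed zone definitions: a zone is a named set of networks (assumption).
ZONES = {
    "office": [ipaddress.ip_network("192.168.0.0/16")],
    "dmz": [ipaddress.ip_network("10.0.0.0/24")],
}


def _param_match(name, want, conn):
    """Return True if parameter `name` of a rule matches the connection.
    Port values are an int (single port) or a (low, high) tuple (range)."""
    if name in ("dst_zone", "src_zone"):
        addr = ipaddress.ip_address(conn["dst" if name.startswith("dst") else "src"])
        return any(addr in net for net in ZONES[want])
    if name in ("dst_subnet", "src_subnet"):
        addr = ipaddress.ip_address(conn["dst" if name.startswith("dst") else "src"])
        return addr in ipaddress.ip_network(want)
    if name in ("dst_port", "src_port"):
        port = conn.get(name)
        if port is None:
            return False
        return want[0] <= port <= want[1] if isinstance(want, tuple) else port == want
    return conn.get(name) == want  # interface, interface group, proto, reqid (VPN)


def rule_specificity(rule, conn):
    """Per-group specificity tuple (most specific group first), or None if the
    connection does not match.  Unset parameters are wildcards (score 0)."""
    scores = []
    for group in GROUPS:
        set_params = [(i, p) for i, p in enumerate(group, start=1) if p in rule]
        if not set_params:
            scores.append(0)
            continue
        # OR inside the group: keep the most specific parameter that matches.
        best = max((i for i, p in set_params if _param_match(p, rule[p], conn)), default=0)
        if best == 0:
            return None  # AND across groups: every set group must match
        if p_is_port := group[0] in ("dst_port", "src_port"):
            best = 1 if isinstance(rule[group[0]], tuple) else 2  # port beats port range
        scores.append(best)
    return tuple(reversed(scores))


def select_rule(rules, conn):
    """Name of the most specific matching rule; None if nothing matches or if
    the two best candidates tie (modelled on the Destination Zone note)."""
    ranked = sorted(((s, r["name"]) for r in rules if (s := rule_specificity(r, conn))), reverse=True)
    if not ranked or (len(ranked) > 1 and ranked[0][0] == ranked[1][0]):
        return None
    return ranked[0][1]


# Constructed rules reproducing the Source Zone / Source Subnet example.
RULES = [
    {"name": "office_any", "src_zone": "office", "dst_port": 80},
    {"name": "one_host", "src_subnet": "192.168.15.15/32", "dst_port": 80},
]
# Constructed rules reproducing the Destination Zone note: the second pair is
# the recommended form, with Destination Zone set in only one rule.
OVERLAPPING = [
    {"name": "zone_rule", "dst_zone": "dmz"},
    {"name": "zone_and_subnet", "dst_zone": "dmz", "dst_subnet": "10.0.0.0/28"},
]
FIXED = [
    {"name": "zone_rule", "dst_zone": "dmz"},
    {"name": "subnet_rule", "dst_subnet": "10.0.0.0/28"},
]


def zone_example():
    host = {"src": "192.168.15.15", "dst": "10.0.0.5", "dst_port": 80}
    other = {"src": "192.168.20.7", "dst": "10.0.0.5", "dst_port": 80}
    outside = {"src": "172.16.1.1", "dst": "10.0.0.5", "dst_port": 80}
    return select_rule(RULES, host), select_rule(RULES, other), select_rule(RULES, outside)


def note_example():
    in_subnet = {"src": "192.168.1.1", "dst": "10.0.0.5"}
    other_subnet = {"src": "192.168.1.1", "dst": "10.0.0.200"}
    return (select_rule(OVERLAPPING, in_subnet), select_rule(OVERLAPPING, other_subnet),
            select_rule(FIXED, other_subnet))


if __name__ == "__main__":
    print(zone_example())  # host picks one_host, other picks office_any, outside is rejected
    print(note_example())  # overlapping rules reject the other subnet; the fixed pair does not
```

In the overlapping pair, a connection to 10.0.0.200 matches both rules only on Destination Zone, so their specificity tuples are equal and the model rejects it, which is the side-effect the note warns about; dropping Destination Zone from the subnet rule makes that rule simply not match, and the zone rule is selected.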