Order of Policies

pfahsel
2009-02-09
2013-03-05
  • pfahsel
    2009-02-09

    I am currently using fwbuilder 3.0.3 to build a firewall with a complex ruleset. I would like to use the possibility of creating multiple policies to group related rules. But I cannot find any information on how to set the order of the rulesets and how the order of rules is affected by the "Top Ruleset" switch. Can someone explain this please?

    • Vadim Kurland
      2009-02-09

      I assume you use iptables.

      Different policy objects translate into different user-defined chains for iptables. The name of each chain matches the name of the corresponding Policy object. Since different chains are never merged into one, the order in which they are added to the generated script does not matter.

      The "Top ruleset" option, when checked, makes the compiler put rules into the built-in iptables chains INPUT/OUTPUT/FORWARD instead of into a user-defined chain. It is recommended that you have only one "top" ruleset for the filter table and possibly one more for the mangle table. If you mark two rule sets as "top", the compiler will put rules from both into the built-in chains, which merges the two rulesets together. The order in this case is the same as the order in which they were created, which may not be obvious and not what you expect. This is not recommended.

      This is illustrated in the following slideshows:

      http://www.fwbuilder.org/slideshows/tutorial_3/slide_1.html
      http://www.fwbuilder.org/slideshows/fwb3_block_ssh_scans_1/slide_1.html
      http://www.fwbuilder.org/slideshows/fwb3_branch_rules/slide_1.html
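
The mapping Vadim describes, modelled as an added example that is not fwbuilder's own code: each non-top Policy object becomes a user-defined chain with the policy's name, a top Policy feeds the built-in chains directly, a rule whose target is another policy's name becomes a branch (`-j <chain>`), and two top policies are simply appended one after the other in creation order. The `Rule`, `Policy`, `compile_filter`, `chain_rules` and `top_rulesets` names, the `direction` field (real fwbuilder derives the built-in chain from addresses and interface), and the `ssh_scan`/`Policy_2` policies are assumptions for illustration only. The output is iptables-restore text, so nothing here needs root or a live iptables.

```python
"""Toy model of how fwbuilder maps Policy objects onto iptables chains.

Added illustration, not fwbuilder's compiler. Simplifications: a rule in a
"top" ruleset picks its built-in chain from a direction label; a rule in a
non-top ruleset always lands in that ruleset's own chain.
"""
from dataclasses import dataclass
from typing import List

# direction label -> built-in filter chain (assumed simplification)
DIRECTION_TO_CHAIN = {"inbound": "INPUT", "outbound": "OUTPUT", "forward": "FORWARD"}


@dataclass
class Rule:
    match: str                  # iptables match arguments, "" means "any"
    target: str                 # ACCEPT / DROP / RETURN, or another Policy's name (branch)
    direction: str = "inbound"  # inbound | outbound | forward, used only in a top ruleset


@dataclass
class Policy:
    name: str                   # becomes the user-defined chain name when not top
    rules: List[Rule]
    top: bool = False           # the "Top ruleset" checkbox


def compile_filter(policies: List[Policy]) -> str:
    """Emit the *filter table in iptables-restore format, policies in creation order."""
    lines = ["*filter"]
    for p in policies:                      # one user-defined chain per non-top policy
        if not p.top:
            lines.append(f":{p.name} - [0:0]")
    for p in policies:                      # top policies append straight into built-ins
        for r in p.rules:
            chain = DIRECTION_TO_CHAIN[r.direction] if p.top else p.name
            lines.append(" ".join(x for x in ("-A", chain, r.match, "-j", r.target) if x))
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def chain_rules(script: str, chain: str) -> List[str]:
    """Rules appended to one chain, in order, read back from iptables-restore text."""
    prefix = f"-A {chain} "
    return [ln[len(prefix):] for ln in script.splitlines() if ln.startswith(prefix)]


def top_rulesets(policies: List[Policy]) -> List[str]:
    """Names of policies marked top; more than one means their rules get merged."""
    return [p.name for p in policies if p.top]


def recommended_policies(swap: bool = False) -> List[Policy]:
    """One top ruleset plus a separate Policy reached only through a branch rule.

    swap=True lists the two policies in the other order: because the non-top
    policy is its own chain, the generated chains come out identical.
    """
    ssh_scan = Policy("ssh_scan", [
        Rule("-p tcp --dport 22 -m recent --name sshscan --update --seconds 60 --hitcount 4", "DROP"),
        Rule("-p tcp --dport 22 -m recent --name sshscan --set", "RETURN"),
    ])
    main = Policy("Policy", [
        Rule("-p tcp --dport 22 --syn", "ssh_scan"),   # branch into the ssh_scan chain
        Rule("-p tcp --dport 22", "ACCEPT"),
        Rule("", "DROP"),
    ], top=True)
    return [ssh_scan, main] if swap else [main, ssh_scan]


def two_top_policies() -> List[Policy]:
    """Two rulesets both marked top: merged in creation order, the older one first."""
    older = Policy("Policy", [Rule("", "DROP")], top=True)                          # created first
    newer = Policy("Policy_2", [Rule("-p tcp --dport 22", "ACCEPT")], top=True)    # created second
    return [older, newer]


if __name__ == "__main__":
    print(compile_filter(recommended_policies()))
    bad = two_top_policies()
    if len(top_rulesets(bad)) > 1:
        print(f"# warning: {len(top_rulesets(bad))} top rulesets will be merged: {top_rulesets(bad)}")
    print(compile_filter(bad))
```

In the second script the catch-all DROP of the first-created policy precedes the ACCEPT of the second, so the ACCEPT can never match: that is the ordering surprise the answer warns about, and `top_rulesets` is the check to run before trusting a compiled script with more than one entry.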