From: Makketron
Date: Thu, 27 Jul 2017 12:23:33 -0400
Subject: Question regarding IPFW manual page description
To: freebsd-questions@freebsd.org

Hello,

According to https://www.freebsd.org/cgi/man.cgi?ipfw(8) , we have:

"Also note that each packet is always checked against the complete ruleset, irrespective of the place where the check occurs, or the source of the packet."

According to https://www.freebsd.org/doc/handbook/firewalls-ipfw.html , we have:

When a packet enters the IPFW firewall, it is compared against the first rule in the ruleset and progresses one rule at a time, moving from top to bottom in sequence. When the packet matches the selection parameters of a rule, the rule's action is executed and the search of the ruleset terminates for that packet. ...

So in the manual pages, when it is said that a packet is ALWAYS checked against the COMPLETE ruleset, I understand that if a packet matches rule A, it will still be compared against the remaining rule sets, which raises the question: if two rules match, which one wins?

Which is the more accurate behavior, the man page or the handbook?

Thank you
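The handbook passage quoted in the message above, as a small Python model added here (not part of the original post and not ipfw code): rules are tried in ascending rule-number order, the search stops at the first match, and per-rule counters show which of two overlapping rules saw the packet. The `Rule` class, `evaluate()`, and the sample rules and packets are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    number: int               # position in the ruleset (lower is tried first)
    action: str               # "allow" or "deny"
    proto: str                # "tcp", "udp", "icmp" or "any"
    dst_port: Optional[int]   # None matches any destination port
    hits: int = 0             # packets that matched this rule

    def matches(self, pkt: dict) -> bool:
        return (self.proto in ("any", pkt["proto"])
                and self.dst_port in (None, pkt.get("dst_port")))


def evaluate(ruleset, pkt):
    """Return (rule number, action) of the first matching rule, or None."""
    for rule in sorted(ruleset, key=lambda r: r.number):
        if rule.matches(pkt):
            rule.hits += 1
            return rule.number, rule.action   # search ends here
    return None


def build_ruleset():
    # Constructed sample: rules 100 and 200 both match TCP port 22.
    # They are listed out of order on purpose; the rule number decides.
    return [
        Rule(200, "deny", "tcp", 22),
        Rule(100, "allow", "tcp", 22),
        Rule(300, "allow", "udp", 53),
        Rule(65535, "deny", "any", None),     # catch-all last rule
    ]


if __name__ == "__main__":
    rules = build_ruleset()
    for pkt in ({"proto": "tcp", "dst_port": 22},
                {"proto": "udp", "dst_port": 53},
                {"proto": "icmp"}):
        print(pkt, "->", evaluate(rules, pkt))
    for r in sorted(rules, key=lambda r: r.number):
        print(r.number, r.action, "hits:", r.hits)
```

In this model the later overlapping rule (200) keeps a zero counter, which is the same signal the per-rule counters in `ipfw show` give on a live ruleset.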