Order of filter/firewall rules

Hello everybody,

I tried to set up my first RouterOS board (an RB493AH). I was wondering in what order router rules or bridge filter rules are applied.

For example the following set of rules for the same ‘chain’:
rule 1) deny all IP traffic
rule 2) allow traffic from/to IP address x.x.x.x
rule 3) allow traffic from/to UDP port xxx

Which of the following statements applies:

  • Are they applied in order and since rule 1 matches all traffic rule 2 and 3 are ignored and thus everything (IP) is denied
  • Are they applied in order and since rule 2 is applied later traffic from ip x.x.x.x is allowed
  • Are they applied as in ‘deny over allow’ or ‘allow over deny’

Another question:
When a rule contains several properties, are those properties AND-ed or OR-ed to be matched?

Thanks in advance

Best regards,

Xander

The rules are applied from top to bottom (If looking in Webfig / Winbox) or from lowest to highest sequence number if in the CLI. Unlike some platforms (e.g. Cisco ACLs) there is no implicit deny so if you need one (e.g. configuring a firewall) you need to add one manually.

Conditions in a rule are combined with a logical AND.

I have to add that once a rule is applied, the remaining rules are not checked for the same packet.
So the first hit will be applied.
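To make the two answers above concrete, here is a small first-match evaluator that I have added to this thread; it is not RouterOS code and not from anyone in the thread, just a model of the behaviour described: rules checked top to bottom, first hit wins, all matchers on one rule AND-ed, and a packet that matches nothing falling through (no implicit deny). The addresses 203.0.113.5 / 198.51.100.7 and port 5060 are constructed stand-ins for the x.x.x.x and xxx in the question. Note that "from/to x.x.x.x" has to be two rules, because src-address and dst-address on a single rule would be AND-ed, not OR-ed.

```python
"""Illustrative first-match filter evaluator (added example, not RouterOS code).

Models the three rules from the question as a chain would process them:
  * rules are evaluated top to bottom, first match wins, later rules are skipped;
  * every matcher set on one rule must match (logical AND);
  * there is no implicit deny: a packet matching no rule falls through and is accepted.
Addresses and ports below are constructed placeholders for x.x.x.x / xxx in the post.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                     # "accept" or "drop"
    src: Optional[str] = None       # like src-address=
    dst: Optional[str] = None       # like dst-address=
    proto: Optional[str] = None     # like protocol=
    dport: Optional[int] = None     # like dst-port=
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        # An unset matcher is a wildcard; every matcher that IS set must hold (AND).
        return (
            (self.src is None or p.src == self.src)
            and (self.dst is None or p.dst == self.dst)
            and (self.proto is None or p.proto == self.proto)
            and (self.dport is None or p.dport == self.dport)
        )


def evaluate(chain: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the rule that decided) for packet p."""
    for i, rule in enumerate(chain):
        if rule.matches(p):
            return rule.action, i   # first hit wins; remaining rules are not consulted
    return "accept", None           # fell off the end: no implicit deny


def decide(chain: List[Rule], p: Packet) -> str:
    return evaluate(chain, p)[0]


HOST = "203.0.113.5"   # stands in for x.x.x.x (constructed, RFC 5737 range)
PORT = 5060            # stands in for UDP port xxx (constructed)

# "from/to x.x.x.x" needs two rules: src and dst on one rule would be AND-ed,
# so a single rule would only match packets both from AND to that host.
ALLOW_RULES = [
    Rule("accept", src=HOST, comment="rule 2a: from x.x.x.x"),
    Rule("accept", dst=HOST, comment="rule 2b: to x.x.x.x"),
    Rule("accept", proto="udp", dport=PORT, comment="rule 3: UDP port xxx"),
]
DENY_ALL = Rule("drop", comment="rule 1: deny all IP")

ORDER_AS_POSTED = [DENY_ALL] + ALLOW_RULES   # deny first: shadows every rule below it
ORDER_CORRECTED = ALLOW_RULES + [DENY_ALL]   # allows first, explicit deny last
ORDER_NO_DENY = ALLOW_RULES                  # manual deny forgotten: unmatched traffic passes

if __name__ == "__main__":
    samples = [
        Packet(HOST, "10.0.0.1", "tcp", 80),            # from x.x.x.x
        Packet("198.51.100.7", "10.0.0.1", "udp", PORT), # UDP port xxx
        Packet("198.51.100.7", "10.0.0.1", "udp", 53),   # udp but wrong port (AND fails)
        Packet("198.51.100.7", "10.0.0.1", "tcp", 22),   # matches no allow rule
    ]
    for name, chain in [("as posted", ORDER_AS_POSTED),
                        ("corrected", ORDER_CORRECTED),
                        ("no deny", ORDER_NO_DENY)]:
        for p in samples:
            action, idx = evaluate(chain, p)
            hit = chain[idx].comment if idx is not None else "no rule (fell through)"
            print(f"{name:10} {p.src:>14} {p.proto}/{p.dport}: {action} by {hit}")
```

Run it and the "as posted" chain drops everything at rule 1, the "corrected" chain behaves as the question intended, and the "no deny" chain lets the SSH packet through, which is exactly why the manual deny at the end matters.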

Thank you very much, that was really helpful. Would it be helpful to add that to the wiki pages?

It could, but it is also more of a generic way of firewall rule processing.
Thinking quickly about different brands, they all run first match, top to bottom.