Hi, thank you for the reply.
I had already read the wiki but I still don't understand, so I wrote...
So...
1)
The drop rule at the end must be one and only one, right?
So, if I add some new rules in the future, I must insert them before the "drop all" rule that was at the end, right?
I must then move the drop-all rule to the end again, right?
In some example groups of rules I sometimes found "drop input" (with no other specifications, so... drop all!) not at the end!
In this case, will all the following rules never be read?
2)
Then, you and wiki wrote:
If a packet matches the criteria of the rule, then the specified action is performed on it, and no more rules are processed in that chain (the exception is the passthrough action)
So, assuming I don't receive attacks every second, and assuming that the router works more for my rules than for the attacks received, and as the firewall works from top to bottom, in order to make the CPU work less, is it better to put my network rules first? (And then the rules for attack protection...)
So the router doesn't read all those rules that maybe aren't needed every time... right?
Thank you.
3)
If I disable a service and don't NAT or open the port of that service, can I disable the related rules?
Example: disable the FTP service, so I don't need to open port 21 and add firewall rules... right?
4)
Inside the same rule, for example an accept rule, is everything I add interpreted with OR or AND by the firewall?
Example, accept rule: connection matches an address-list, in-interface, out-interface, connection-nat-state=dstnat
Are all these options read with OR or AND logic?
Thank you.
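The ordering and matcher questions above, illustrated with a minimal RouterOS filter ruleset as an added example (not part of the original post or thread); the interface names, the address-list name and the service ports are assumed:

```routeros
# Added example (assumed names): /ip firewall filter rules are evaluated
# top to bottom inside each chain and the first matching rule ends
# processing for that packet (passthrough excepted).
/ip firewall filter

# 1. High-volume traffic first: packets of already-established flows are
#    accepted here and never reach the rules below, which saves CPU.
add chain=input action=accept connection-state=established,related \
    comment="accept established/related (keep first)"

# 2. Every matcher within one rule is ANDed: this rule accepts a packet
#    only if it comes from an address in the list AND arrives on the
#    LAN interface AND is TCP AND is aimed at the management port.
add chain=input action=accept src-address-list=mgmt_hosts \
    in-interface=ether2 protocol=tcp dst-port=8291 \
    comment="management access: all four conditions must hold"

# 3. Same AND logic for forwarded traffic: only packets that were
#    port-forwarded by a dstnat rule AND came in on the WAN interface.
add chain=forward action=accept connection-nat-state=dstnat \
    in-interface=ether1 comment="port-forwarded traffic only"

# 4. A rule whose only matcher is the chain matches every packet, so
#    nothing added after it in that chain is ever evaluated. New rules
#    must go above it, e.g. with place-before=<rule number> on "add".
add chain=input action=drop comment="drop everything else (keep last)"
add chain=forward action=drop comment="drop everything else (keep last)"
```

Listing the rules with `/ip firewall filter print stats` shows per-rule packet counters; a rule sitting below the final drop keeps a counter of zero, which is the quickest way to spot an unreachable rule.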