User Guide
Service precedence
“IP” refers to exactly one host IP address; “List” refers to multiple host IP addresses, a
network address, or an alias; and “Any” refers to the special “Any” target (not “Any”
services).
When two icons represent the same service (for example, two Telnet icons or
two Any icons), they are sorted using the above tables. The most specific one is
always checked first for a match. If no match is made, the next most specific service
is checked, and so on, until either a match is made or there are no services left to
check. In the latter case, the packet is denied. For example, if there are two Telnet
icons, telnet_1 allowing from A to B and telnet_2 allowing from C to D, a Telnet
attempt from C to E first checks telnet_1 and then telnet_2. Because no match is
found, the rest of the rules are considered. If an Outgoing service allows traffic
from C to E, the packet is allowed.
When only one icon represents a service in a precedence category, only that
service is checked for a match. If the packet matches the service and both targets, the
service rule applies. If the packet matches the service but fails to match either target,
the packet is denied. For example, if there is one Telnet icon allowing from A to B, a
Telnet attempt from A to C is blocked without considering any services further
down the precedence chain, including Outgoing services.
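The two matching behaviours described above, as an added Python model (not code from the guide or from WatchGuard). Hosts are the single-letter labels used in the guide's examples; treating Outgoing as an icon that matches every service, and passing the icons in already-sorted precedence order, are assumptions of this sketch.

```python
from typing import NamedTuple, Optional

ANY = "Any"  # the special "Any" target

class Icon(NamedTuple):
    name: str
    service: Optional[str]  # None matches every service (assumed model of Outgoing)
    src: str                # host label such as "A", or ANY
    dst: str

def target_matches(target: str, host: str) -> bool:
    return target == ANY or target == host

def evaluate(chain, service, src, dst):
    """Return (verdict, rule) for a packet. `chain` is a list of precedence
    categories, most specific first; each category is a list of icons."""
    for category in chain:
        icons = [i for i in category if i.service in (None, service)]
        for icon in icons:
            if target_matches(icon.src, src) and target_matches(icon.dst, dst):
                return ("allow", icon.name)
        if len(icons) == 1:
            # Lone icon for this service: the service matched but a target
            # did not, so the packet is denied and nothing below is consulted.
            return ("deny", icons[0].name)
        # Several icons and none matched: carry on down the chain.
    return ("deny", None)  # no services left to check

# Constructed rule sets mirroring the guide's two Telnet examples.
OUTGOING = Icon("outgoing", None, ANY, ANY)
TWO_ICONS = [[Icon("telnet_1", "telnet", "A", "B"),
              Icon("telnet_2", "telnet", "C", "D")], [OUTGOING]]
ONE_ICON = [[Icon("telnet_1", "telnet", "A", "B")], [OUTGOING]]

if __name__ == "__main__":
    print(evaluate(TWO_ICONS, "telnet", "C", "E"))  # falls through to Outgoing
    print(evaluate(ONE_ICON, "telnet", "A", "C"))   # denied by the lone telnet_1
```

When reviewing a policy, the second case is the one to look for: a single narrow icon for a service overrides a broader rule lower in the chain for every packet of that service it does not match.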
From    To      Rank
Any     IP      4
IP      Any     5
Any     List    6
List    Any     7
Any     Any     8
WatchGuard Firebox System User Guide, Firebox System 4.6