
Allow further firewall rule processing after a match

Submitted by -
Status: Won't Implement

Right now the first firewall rule wins and no further rules are being processed. In a lot of firewalls it is common to have further rules down the chain override an earlier rule, e.g. in DrayTek firewalls you can say 'Block unless a further rule passes' or 'Pass unless a further rule blocks'.

In PF you would have a 'quick' keyword to end processing right there when the rule matches, like the USG does right now, but otherwise it would continue processing rules until a definitive match is made.

This would make rules like 'block everyone, but allow a specific host' much easier.

Comments
by Ubiquiti Employee
on 05-07-2018 10:42 PM
Status changed to: Won't Implement

Firewall rules as they are already confuse people. Adding the option for choosing first match or last match would just exacerbate that. Most similar products are first match wins. Rule ordering accommodates every use case that changing match order would, without adding complexity.
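The two evaluation models discussed above (USG-style first match wins, PF-style last match wins with a `quick` keyword to stop early) are easy to confuse, and the reply's point that ordering alone covers the same use cases is worth checking rather than taking on faith. The following Python simulation is an added example for this page, not code from the poster, from PF or from Ubiquiti: it evaluates the same constructed 'block everyone, but allow a specific host' ruleset under both models, shows what `quick` changes, and converts a PF-style ruleset into an ordering a first-match engine can use. The rule format, the `Rule` class and the RFC 5737 sample addresses are assumptions made for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One firewall rule: apply `action` to packets whose source is in `src`.

    `quick` is the PF keyword from the post: stop evaluating once this rule
    matches. first_match() ignores it, because there every match already stops.
    (Hypothetical rule format for this example; real rules carry far more fields.)
    """
    action: str            # "pass" or "block"
    src: str               # CIDR such as "192.0.2.0/24", or "any"
    quick: bool = False


def matches(rule: Rule, src_ip: str) -> bool:
    return rule.src == "any" or ip_address(src_ip) in ip_network(rule.src)


def first_match(rules, src_ip, default="block"):
    """USG/EdgeOS-style evaluation: the first matching rule wins."""
    for rule in rules:
        if matches(rule, src_ip):
            return rule.action
    return default


def last_match(rules, src_ip, default="block"):
    """PF-style evaluation: the last matching rule wins, unless a matching rule
    is marked quick, which ends processing right there."""
    verdict = default
    for rule in rules:
        if matches(rule, src_ip):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


def to_first_match(rules):
    """Re-order a PF-style ruleset so a first-match engine gives the same verdicts.

    Without `quick`, "last matching rule wins" is exactly "first matching rule
    of the reversed list wins". Rules marked quick break that symmetry and must
    be placed by hand, so refuse them instead of silently mis-converting.
    """
    if any(rule.quick for rule in rules):
        raise ValueError("quick rules cannot be converted by simple reversal")
    return list(reversed(rules))


# Constructed sample: "block everyone, but allow a specific host", written the
# way the post describes it for PF (broad block first, specific pass later).
PF_STYLE = [Rule("block", "any"), Rule("pass", "192.0.2.10/32")]

# The same intent written for a first-match engine such as the USG.
USG_STYLE = [Rule("pass", "192.0.2.10/32"), Rule("block", "any")]

# quick on a broad block means the later, narrower pass never gets a say.
QUICK_BLOCK = [Rule("block", "192.0.2.0/24", quick=True), Rule("pass", "192.0.2.10/32")]

SAMPLE_SOURCES = ["192.0.2.10", "192.0.2.77", "198.51.100.7"]  # RFC 5737 documentation addresses


def compare(rules):
    """Verdict per sample source under both engines, so the difference is visible."""
    return {ip: (first_match(rules, ip), last_match(rules, ip)) for ip in SAMPLE_SOURCES}


if __name__ == "__main__":
    for name, rules in [("PF_STYLE", PF_STYLE), ("USG_STYLE", USG_STYLE), ("QUICK_BLOCK", QUICK_BLOCK)]:
        print(name)
        for ip, (fm, lm) in compare(rules).items():
            print(f"  {ip:<14} first-match={fm:<6} last-match={lm}")
    converted = to_first_match(PF_STYLE)
    print("PF_STYLE reversed for a first-match engine:", [(r.action, r.src) for r in converted])
```

Running it shows the trap the post is about: the PF-style ordering blocks the allowed host on a first-match engine, while the reversed ordering (pass the host, then block everyone) gives identical verdicts on both. The conversion only holds when no rule uses `quick`; a `quick` rule is already first-match behaviour, so a mixed PF ruleset has to be re-ordered by hand rather than reversed.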