WatchGuard Technologies FireboxTM System 4.6 User Manual

Page 67


User Guide

57

Service precedence

Precedence table (continued from the previous page; lower rank is more specific and is checked first)

From    To      Rank
Any     IP      4
IP      Any     5
Any     List    6
List    Any     7
Any     Any     8

“IP” refers to exactly one host IP address; “List” refers to multiple host IP addresses, a
network address, or an alias; and “Any” refers to the special “Any” target (not “Any”
services).

When two icons represent the same service (for example, two Telnet icons or two Any
icons) they are sorted using the above tables. The most specific one is always checked
first for a match. If no match is made, the next most specific one is checked, and so
on, until either a match is made or there are no services left to check. In the latter
case, the packet is denied. For example, if there are two Telnet icons, telnet_1
allowing from A to B and telnet_2 allowing from C to D, a Telnet attempt from C to E
first checks telnet_1, then telnet_2. Because no match is found, the rest of the rules
are considered. If an Outgoing service allows from C to E, the attempt is allowed.

When only one icon represents a service in a precedence category, only that service is
checked for a match. If the packet matches the service and both targets, the service
rule applies. If the packet matches the service but fails to match either target, the
packet is denied. For example, if there is one Telnet icon allowing from A to B, a
Telnet attempt from A to C is blocked without considering any services further down
the precedence chain, including Outgoing services.
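The two evaluation cases above (several icons for one service falling through to the remaining rules, versus a single icon whose target mismatch denies outright) are easy to get wrong when reviewing a Firebox policy. The following simulation, an added example and not WatchGuard code, models both cases with the ranks from the table on this page. Its assumptions: the rank rows not shown here (IP/List-only combinations) sort ahead of rank 4 and get a placeholder rank 0; "the rest of the rules" is modelled as the Outgoing icons only; all icons are allow rules; and the host addresses A to E are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Precedence ranks from the table on this page (lower rank = more specific,
# checked first). The rows for ranks 1-3 are on the manual's previous page;
# this example ASSUMES they cover the IP/List-only combinations and gives
# them placeholder rank 0 so they sort ahead of the rows shown here.
RANK = {
    ("Any", "IP"): 4, ("IP", "Any"): 5, ("Any", "List"): 6,
    ("List", "Any"): 7, ("Any", "Any"): 8,
}
ASSUMED_MORE_SPECIFIC_RANK = 0


@dataclass(frozen=True)
class Target:
    """One service target: "Any", a single host ("10.0.0.1"), or a List
    (a network such as "10.0.0.0/24", or a tuple of hosts and networks)."""
    spec: object

    def kind(self) -> str:
        if self.spec == "Any":
            return "Any"
        if isinstance(self.spec, str) and "/" not in self.spec:
            return "IP"
        return "List"

    def contains(self, addr: str) -> bool:
        if self.spec == "Any":
            return True
        specs = self.spec if isinstance(self.spec, tuple) else (self.spec,)
        return any(ip_address(addr) in ip_network(s, strict=False) for s in specs)


@dataclass(frozen=True)
class Icon:
    name: str
    service: str  # e.g. "telnet"; "outgoing" models the catch-all Outgoing service
    src: Target
    dst: Target

    def rank(self) -> int:
        return RANK.get((self.src.kind(), self.dst.kind()), ASSUMED_MORE_SPECIFIC_RANK)

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return self.src.contains(src_ip) and self.dst.contains(dst_ip)


def by_precedence(icons):
    """Most specific icon first, per the rank table."""
    return sorted(icons, key=lambda i: i.rank())


def evaluate(icons, service, src_ip, dst_ip):
    """Decide one packet the way the page describes; returns (decision, icon name)."""
    same = by_precedence(i for i in icons if i.service == service)
    if len(same) == 1:
        # A single icon for the service: a target mismatch denies outright,
        # without considering Outgoing or anything further down the chain.
        icon = same[0]
        return ("allow", icon.name) if icon.matches(src_ip, dst_ip) else ("deny", icon.name)
    for icon in same:  # two or more icons: checked most specific first
        if icon.matches(src_ip, dst_ip):
            return ("allow", icon.name)
    # Nothing for this service matched, so the rest of the rules are considered.
    # Assumption: the rest of the rules are modelled as the Outgoing icons only.
    for icon in by_precedence(i for i in icons if i.service == "outgoing"):
        if icon.matches(src_ip, dst_ip):
            return ("allow", icon.name)
    return ("deny", None)


# Constructed hosts standing in for the page's A, B, C, D and E.
A, B, C, D, E = "10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "192.0.2.5"
OUTGOING = Icon("outgoing", "outgoing", Target("10.0.0.0/24"), Target("Any"))

TWO_TELNET = [Icon("telnet_1", "telnet", Target(A), Target(B)),
              Icon("telnet_2", "telnet", Target(C), Target(D)), OUTGOING]
ONE_TELNET = [Icon("telnet_1", "telnet", Target(A), Target(B)), OUTGOING]
ORDERING = [Icon("telnet_c_any", "telnet", Target(C), Target("Any")),   # IP -> Any, rank 5
            Icon("telnet_any_b", "telnet", Target("Any"), Target(B))]  # Any -> IP, rank 4

if __name__ == "__main__":
    print("two icons, C->E:", evaluate(TWO_TELNET, "telnet", C, E))   # allowed by outgoing
    print("one icon,  A->C:", evaluate(ONE_TELNET, "telnet", A, C))   # denied, no fall-through
    print("order:", [i.name for i in by_precedence(ORDERING)])
```

The contrast to look for when auditing a policy is the one the page makes: with telnet_1 and telnet_2 both present, C to E falls through to Outgoing and is allowed, but with telnet_1 alone, A to C is denied even though the same Outgoing icon would have permitted it.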
