HP-UX IPFilter Version A.03.05.14 Administrator's Guide
Rules and Keywords
Basic Rules Processing
Rules are processed in order from top to bottom of the rules file. If the
contents of your rules file are as follows, IPFilter processes the rules in
the order they appear from top to bottom:
block in all
pass in all
IPFilter does not stop processing rules after a match is made. Instead, it
acts on the last rule that matches a packet being checked. In the
previous ruleset, all incoming packets match both rules, but all packets
are passed according to the last rule matched, pass in all.
Unlike other packet filters, IPFilter keeps a flag on whether it passes a
packet. Unless the flow is interrupted, IPFilter goes through the entire
ruleset and passes or drops each packet based on the last matching rule.
Given the following ruleset:
block in all
block in all
block in all
block in all
pass in all
All packets pass through. There is no cumulative effect during
processing. The last matching rule always takes precedence.
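The following simulator is an added illustration written for this page, not HP-UX IPFilter code. It walks a ruleset the way the text describes: every rule is examined, each matching rule overwrites a single pass/block flag, and the verdict is whatever the last matching rule set. It understands only the keywords the page uses (block, pass, in, all) plus the out direction, and it assumes, for the simulator's default only, that a packet matching no rule is passed; real ipf rules carry many more clauses.

```python
# Added example: simplified model of IPFilter's "last matching rule wins"
# evaluation. Not IPFilter code; it parses only "<block|pass> <in|out> all".

# Rulesets taken from the guide text (constructed here as strings).
RULESET_A = """\
block in all
pass in all
"""

RULESET_B = """\
block in all
block in all
block in all
block in all
pass in all
"""

# Constructed ruleset: the last rule does not match incoming packets,
# so it must not affect the verdict for them.
RULESET_C = """\
block in all
pass out all
"""


def parse_rules(text):
    """Parse '<action> <direction> all' lines into (action, direction) tuples."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if (len(parts) != 3 or parts[0] not in ("block", "pass")
                or parts[1] not in ("in", "out") or parts[2] != "all"):
            raise ValueError(f"line {lineno}: unsupported rule {line!r}")
        rules.append((parts[0], parts[1]))
    return rules


def evaluate(rules, direction):
    """Return (verdict, trace) for a packet travelling in `direction`.

    The whole ruleset is walked; there is no early exit. Each matching rule
    overwrites the verdict flag, so the last match decides. The trace lists
    (rule_number, action) for every rule that matched, in order.
    Assumption for this simulator: no matching rule at all means "pass".
    """
    verdict = "pass"
    trace = []
    for idx, (action, rule_dir) in enumerate(rules, 1):
        if rule_dir == direction:      # "all" matches every packet of that direction
            verdict = action
            trace.append((idx, action))
    return verdict, trace


if __name__ == "__main__":
    for name, text in (("A", RULESET_A), ("B", RULESET_B), ("C", RULESET_C)):
        verdict, trace = evaluate(parse_rules(text), "in")
        print(f"ruleset {name}: incoming packet -> {verdict}; matches {trace}")
```

Ruleset C is the instructive one: the last rule in the file is "pass out all", but an incoming packet never matches it, so the verdict stays "block" from rule 1. The precedence belongs to the last rule that matches, not to the last rule in the file.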