The Memset Firewalls work by having a series of rules which are used to examine incoming packets according to one or more of their characteristics and contain an action to perform on any matched packet.

Each rule is ordered in the Firewall Editor, and that position is its place in the order of evaluation. It is important to note that the firewall rules are applied, in the order they are listed, to each packet received. When a packet matches a rule, that rule's action is applied and all subsequent rules are ignored.

For example, when a packet arrives at the firewall it is compared to rule 1. If it matches rule 1 then the action specified in that rule is applied to the packet. This will be to either allow the packet to pass on to the server or block it. It will not be matched against any further rules. However, if it does not match rule 1 then it proceeds to rule 2 and so on until it matches a rule. All packets that do not match any rules are blocked by default.

The order of the rules is therefore extremely important to ensure that the firewall does what you want it to do.

Consider the following example: you have configured the firewall to allow access from all IPs on the Internet to port 443 so that anyone can view your website. However, there is one IP that is linking to images on your site without permission, and you want to block that IP and only that IP.

The two rules needed to achieve this are as follows:

  • Allow access from all IPs on port 443
  • Block access from only IP 1.2.3.4

Remembering that once a packet matches a rule all other rules are ignored, the following order will not work:

  • Allow access from all IPs on port 443
  • Block access from only IP 1.2.3.4

This order will not work because the first rule matches every incoming packet bound for port 443 and allows it through. The packets from the bad IP 1.2.3.4 are never filtered, because they match the first (allow) rule and are passed on to the server; the second (block) rule is never reached.

However, this order will work:

  • Block access from only IP 1.2.3.4
  • Allow access from all IPs on port 443

This works because the first rule matches only the packets from the bad IP, so those and only those are blocked. All other packets do not match rule 1 and proceed to rule 2, which they match and are allowed through to the server.
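The first-match behaviour described above, as an added example in Python that is not Memset's code. It models a rule as an optional source IP/CIDR plus an optional destination port, walks the rule list in order, stops at the first match, and falls back to block when nothing matches. The two rule orderings from the text are built and evaluated against a few constructed packets (1.2.3.4 from the text, 203.0.113.7 as a made-up "good" client). The Rule and evaluate names are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One firewall rule: an action plus optional match criteria (hypothetical model)."""
    action: str                     # "allow" or "block"
    src: Optional[str] = None       # source IP or CIDR; None matches any source
    dst_port: Optional[int] = None  # destination port; None matches any port

    def matches(self, src_ip: str, dst_port: int) -> bool:
        # A criterion left as None is a wildcard; every set criterion must match.
        if self.src is not None and ip_address(src_ip) not in ip_network(self.src, strict=False):
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return True


def evaluate(rules, src_ip: str, dst_port: int):
    """First-match evaluation.

    Returns (action, 1-based index of the matching rule). Later rules are never
    consulted once a rule matches. Packets matching no rule are blocked
    (index None), mirroring the default-deny behaviour described above.
    """
    for position, rule in enumerate(rules, start=1):
        if rule.matches(src_ip, dst_port):
            return rule.action, position
    return "block", None


# The two rules from the text.
BAD_IP = "1.2.3.4"
ALLOW_443 = Rule("allow", dst_port=443)   # allow access from all IPs on port 443
BLOCK_BAD = Rule("block", src=BAD_IP)     # block access from only IP 1.2.3.4

WRONG_ORDER = [ALLOW_443, BLOCK_BAD]      # allow first: the block is never reached
RIGHT_ORDER = [BLOCK_BAD, ALLOW_443]      # block first: only 1.2.3.4 is dropped

# Constructed sample packets as (source IP, destination port).
SAMPLE_PACKETS = [
    ("1.2.3.4", 443),       # the bad IP hitting the website
    ("203.0.113.7", 443),   # an ordinary visitor (documentation address)
    ("203.0.113.7", 22),    # traffic to a port no rule allows -> default block
]


def decisions(rules):
    """Evaluate every sample packet against a rule list; useful for eyeballing an ordering."""
    return {packet: evaluate(rules, *packet) for packet in SAMPLE_PACKETS}


if __name__ == "__main__":
    for name, rules in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        print(name)
        for packet, (action, position) in decisions(rules).items():
            where = f"rule {position}" if position else "no rule (default)"
            print(f"  {packet[0]}:{packet[1]} -> {action} by {where}")
```

Running the block shows the outcome the text describes: with the allow rule first, 1.2.3.4 on port 443 is allowed by rule 1 and the block rule is never consulted; with the block rule first, 1.2.3.4 is dropped by rule 1 while other visitors are allowed by rule 2. The `decisions` helper is a cheap way to sanity-check a proposed rule order against representative traffic before applying it.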