14-6 User’s Reference Guide
packet
first filter
match?
yes
pass or discard?
pass
to network
no
send to next filter
discard (delete)
If the package does not match the first inspector’s criteria, it goes to the second inspector, and so on. You can see that the order of the inspectors in the line is very important.
For example, let’s say the first inspector’s orders are to send along all packages that come from Rome, and the second inspector’s orders are to reject all packages that come from France. If a package arrives from Rome, the first inspector sends it along without allowing the second inspector to see it. A package from Paris is ignored by the first inspector, rejected by the second inspector, and never seen by the others. A package from London is ignored by the first two inspectors, and so it’s seen by the third inspector.
In the same way, filter sets apply their filters in a particular order. The first filter applied can pass or discard a packet before that packet ever reaches any of the other filters. If the first filter can neither pass nor discard the packet (because it cannot match any criteria), the second filter has a chance to pass or reject it, and so on.
Because of this hierarchical structure, each filter is said to have a priority. The first filter has the highest priority, and the last filter has the lowest priority.
