
Service precedence

| From | To   | Rank |
|------|------|------|
| Any  | IP   | 4    |
| IP   | Any  | 5    |
| Any  | List | 6    |
| List | Any  | 7    |
| Any  | Any  | 8    |
“IP” refers to exactly one host IP address; “List” refers to multiple host IP addresses, a network address, or an alias; and “Any” refers to the special “Any” target (not “Any” services).
When two icons represent the same service (for example, two Telnet icons or two Any icons), they are sorted using the above tables. The most specific one is always checked first for a match. If no match is made, the next most specific service is checked, and so on, until either a match is made or there are no services left to check. In the latter case, the packet is denied. For example, if there are two Telnet icons, telnet_1 allowing from A to B and telnet_2 allowing from C to D, a Telnet attempt from C to E first checks telnet_1 and then telnet_2. Because no match is found, the rest of the rules are considered. If an Outgoing service allows from C to E, it will do so.
When only one icon represents a service in a precedence category, only that service is checked for a match. If the packet matches the service and both targets, the service rule applies. If the packet matches the service but fails to match either target, the packet is denied. For example, if there is one Telnet icon allowing from A to B, a Telnet attempt from A to C is blocked without considering any services further down the precedence chain, including Outgoing services.
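The precedence behaviour described in the two paragraphs above, modelled as a small Python evaluator. This is an added illustration for the reader, not the firewall vendor's code. It uses only the ranks shown in the table on this page; the from/to pairs that have no "Any" side are given an assumed placeholder rank (more specific than every row shown here), and hosts A through E are constructed sample addresses.

```python
"""Toy model of the guide's service-precedence evaluation.

Added illustration, not the firewall vendor's code. The rank-0 placeholder
for from/to pairs not shown on this page, and the host addresses A-E used
in the demo, are assumptions.
"""
import ipaddress
from dataclasses import dataclass

ANY = "Any"

# Ranks quoted from the "Service precedence" table (lower rank = checked first).
PAGE_RANKS = {
    ("Any", "IP"): 4,
    ("IP", "Any"): 5,
    ("Any", "List"): 6,
    ("List", "Any"): 7,
    ("Any", "Any"): 8,
}
# Assumption: pairs with no "Any" side are more specific than every row shown
# on this page; their real ranks are not on this page.
ASSUMED_RANK_NO_ANY = 0


@dataclass(frozen=True)
class Rule:
    name: str
    service: str   # e.g. "Telnet"; "Outgoing" is the catch-all further down the chain
    src: object    # "Any", one host IP, a CIDR network, or a list of either (alias)
    dst: object
    allow: bool


def target_kind(target):
    """Classify a target the way the page does: "Any", "IP" (one host) or "List"."""
    if target == ANY:
        return "Any"
    if isinstance(target, (list, tuple, set)):
        return "List"                                       # alias / several hosts
    net = ipaddress.ip_network(target, strict=False)
    return "IP" if net.num_addresses == 1 else "List"       # network address


def rank(rule):
    """Specificity rank of a rule; lower ranks are checked first."""
    return PAGE_RANKS.get((target_kind(rule.src), target_kind(rule.dst)),
                          ASSUMED_RANK_NO_ANY)


def target_matches(target, addr):
    if target == ANY:
        return True
    if isinstance(target, (list, tuple, set)):
        return any(target_matches(t, addr) for t in target)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(target, strict=False)


def rule_matches(rule, src, dst):
    return target_matches(rule.src, src) and target_matches(rule.dst, dst)


def evaluate(rules, service, src, dst):
    """Return (allowed, rule name or reason) for one packet."""
    # Icons for the same service are checked most-specific first.
    same_service = sorted((r for r in rules if r.service == service), key=rank)
    for r in same_service:
        if rule_matches(r, src, dst):
            return r.allow, r.name
    # A lone icon that matches the service but not the targets denies outright,
    # without consulting anything further down the chain (Outgoing included).
    if len(same_service) == 1:
        return False, "denied: single %s icon, targets did not match" % service
    # Otherwise the rest of the chain is consulted; here that is the Outgoing icons.
    if service != "Outgoing":
        for r in sorted((r for r in rules if r.service == "Outgoing"), key=rank):
            if rule_matches(r, src, dst):
                return r.allow, r.name
    return False, "denied: no rule matched"


if __name__ == "__main__":
    # Constructed sample hosts standing in for the guide's A..E.
    A, B, C, D, E = "10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5"
    outgoing = Rule("outgoing", "Outgoing", ANY, ANY, True)
    two_icons = [Rule("telnet_1", "Telnet", A, B, True),
                 Rule("telnet_2", "Telnet", C, D, True), outgoing]
    print("two Telnet icons, C->E:", evaluate(two_icons, "Telnet", C, E))
    one_icon = [Rule("telnet_1", "Telnet", A, B, True), outgoing]
    print("one Telnet icon, A->C: ", evaluate(one_icon, "Telnet", A, C))
```

The two examples in the guide fall out of `evaluate` directly: with two Telnet icons and no match, the Outgoing icon is consulted; with a single Telnet icon that fails its targets, the packet is denied before Outgoing is ever looked at. The `rank` function also shows why an Any-to-IP icon (rank 4) is consulted before an Any-to-Any icon (rank 8) for the same service.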
User Guide | 57 |