PacketFlow Firewall Generator
Rule OrderingThe most important thing to understand about PacketFlow is the order in which it produces rules. This becomes especially important when using wildcard interfaces. Rules are generated from most specific to least specific, specifically:
SyntaxThe syntax for PacketFlow is fairly simple, and can largely be learned by looking at the samples. However, some things require explanation.
Interface SectionInterfaces have several properties. First of all, an "interface" is abstracted away from just being a device. An interface specifies which device it actually specifies. This makes restructuring of networks easier.
The second property of an interface is the security level. This has no meaning except in relation to the other security levels. This is used to generate the default policy mentioned above. If the incoming interface has a higher security level than the outgoing interface, packets are allowed to flow. If the incoming interface has a lower or equal security level, packets are not allowed to flow.
Access List SectionAccess lists can have both an incoming and an outgoing interface specified. If both are supplied, the rules in that access list apply only to packets moving from the incoming to the outgoing. If one of the interfaces is a wildcard (indicated by a *), it is matched by all interfaces. If only an incoming interface is specified, it indicates an input rule. If only an outgoing interface is specified, it indicates an output rule.
You can specify either "permit" or "deny" for the action. Deny indicates that the packet is to be dropped completely, with no response of any kind. This will result in a host not responding to anything, including ping.
SamplesUntil documentation is complete, the best way to learn how to use PacketFlow is to read the samples. Start with the basic dialup and cable samples, and work your way up to the DMZ and multi-DMZ examples. These examples illustrate most of the available features.