PacketFlow Firewall Generator

Rule Ordering

The most important thing to understand about PacketFlow is the order in which it generates rules. This matters most when wildcard interfaces are used, because an earlier rule always wins over a later one. Rules are generated from most specific to least specific:
  • Forward Rules
    • Drop unclean packets
      These are packets that have invalid checksums, incorrect combinations of flags, or incorrect fragmentation.

    • Allow established connections
      These are connections that are already open and known by the firewall.

    • Drop packets that won't initiate a new connection
      These are TCP packets that are not known connections and also do not have the SYN flag set. After this rule, the following rules deal solely with new connections.

    • User defined rules from one specific interface to another
      These are rules that specify both an incoming and outgoing interface.

    • User defined rules from one specific interface to all interfaces
      These are rules that specify either an incoming or an outgoing interface, and have a wildcard interface (*) for the other.

    • Default policy based on security level
      Allow packets to flow from a high security interface to a lower security interface, but not vice-versa.

    • Drop everything else
      Any packets that reach this phase are dropped.

  • Input and Output Rules

    • Drop unclean packets

    • Allow established connections

    • Drop packets that won't initiate a new connection

    • User defined rules to a particular interface

    • User defined rules out a particular interface

    • Drop everything else


The syntax for PacketFlow is fairly simple, and can largely be learned by looking at the samples. However, some things require explanation.

Interface Section

Interfaces have several properties. First of all, an "interface" is an abstraction rather than just a device: each interface names the device it actually maps to, so rules refer to the interface and only the mapping changes when the network is restructured.

The second property of an interface is the security level. This has no meaning except in relation to the other security levels; it is used to generate the default policy mentioned above. If the incoming interface has a higher security level than the outgoing interface, packets are allowed to flow. If the incoming interface has a lower or equal security level, packets are not allowed to flow unless a user defined rule (which is generated earlier) permits them.

Access List Section

Access lists can have both an incoming and an outgoing interface specified. If both are supplied, the rules in that access list apply only to packets moving from the incoming to the outgoing interface. If one of the interfaces is a wildcard (indicated by a *), it matches all interfaces, and the access list is still a forward rule. If only an incoming interface is specified, it indicates an input rule. If only an outgoing interface is specified, it indicates an output rule.

You can specify either "permit" or "deny" for the action. Deny indicates that the packet is to be dropped completely, with no response of any kind (no ICMP error and no TCP reset). A host that denies all traffic will therefore not respond to anything, including ping.
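To make the rule ordering, the security level default policy, and the permit/deny semantics above concrete, here is a small generator that emits iptables rules in the order described. This is an added example written for this page; it is not PacketFlow's own generator and it does not parse PacketFlow's configuration syntax. The interface and access list definitions are constructed Python dicts, iptables is assumed as the output target, and the particular matches chosen for "unclean" packets are an assumption (the page does not say which matches PacketFlow uses).

```python
# Added example for this page: emits iptables rules in the PacketFlow ordering.
# Not PacketFlow's own code; the input format below is constructed for the
# example and the "unclean" matches are my assumption.
from typing import Any, Dict, List

Interfaces = Dict[str, Dict[str, Any]]
Acl = Dict[str, Any]

# Constructed sample topology: logical name -> underlying device and relative
# security level.  As the page says, only the ordering of the levels matters.
INTERFACES: Interfaces = {
    "outside": {"device": "eth0", "level": 0},
    "dmz":     {"device": "eth1", "level": 50},
    "inside":  {"device": "eth2", "level": 100},
}

# Constructed sample access lists.  "in"/"out" hold an interface name, "*" for a
# wildcard (matches every interface), or None when that side is not given, which
# makes the entry an INPUT or OUTPUT rule instead of a FORWARD rule.
ACCESS_LISTS: List[Acl] = [
    # specific -> specific: outside may open HTTP to the DMZ
    {"in": "outside", "out": "dmz", "action": "permit", "proto": "tcp", "dport": 80},
    # wildcard -> specific: nothing may open SMTP toward the outside
    {"in": "*", "out": "outside", "action": "deny", "proto": "tcp", "dport": 25},
    # input rule: only the inside may SSH to the firewall itself
    {"in": "inside", "out": None, "action": "permit", "proto": "tcp", "dport": 22},
    # output rule: the firewall itself may send DNS out of the outside interface
    {"in": None, "out": "outside", "action": "permit", "proto": "udp", "dport": 53},
]


def preamble(chain: str) -> List[str]:
    """Rules every chain starts with, in the page's order: drop unclean packets,
    accept established connections, then drop TCP packets that cannot start a
    new connection (no SYN).  Which matches implement "unclean" is my choice."""
    return [
        f"-A {chain} -m conntrack --ctstate INVALID -j DROP",
        f"-A {chain} -p tcp --tcp-flags ALL NONE -j DROP",
        f"-A {chain} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP",
        f"-A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"-A {chain} -p tcp ! --syn -j DROP",
    ]


def device(interfaces: Interfaces, name: str) -> str:
    """Resolve a logical interface name to its device; unknown names raise KeyError."""
    return str(interfaces[name]["device"])


def user_rule(chain: str, acl: Acl, interfaces: Interfaces) -> str:
    """Render one access-list entry.  A wildcard side emits no -i/-o match at
    all, which is how "matches all interfaces" is expressed in iptables.
    deny becomes DROP (silent), permit becomes ACCEPT."""
    if acl["action"] not in ("permit", "deny"):
        raise ValueError(f"unknown action {acl['action']!r}")
    target = "ACCEPT" if acl["action"] == "permit" else "DROP"
    rule = f"-A {chain}"
    if acl["in"] not in (None, "*"):
        rule += f" -i {device(interfaces, acl['in'])}"
    if acl["out"] not in (None, "*"):
        rule += f" -o {device(interfaces, acl['out'])}"
    return rule + f" -p {acl['proto']} --dport {acl['dport']} -j {target}"


def generate(interfaces: Interfaces, acls: List[Acl]) -> Dict[str, List[str]]:
    """Emit FORWARD, INPUT and OUTPUT rules in the documented order."""
    forward = [a for a in acls if a["in"] is not None and a["out"] is not None]
    specific = [a for a in forward if a["in"] != "*" and a["out"] != "*"]
    wildcard = [a for a in forward if a["in"] == "*" or a["out"] == "*"]
    inputs = [a for a in acls if a["in"] is not None and a["out"] is None]
    outputs = [a for a in acls if a["in"] is None and a["out"] is not None]

    fwd = preamble("FORWARD")
    fwd += [user_rule("FORWARD", a, interfaces) for a in specific]  # most specific first
    fwd += [user_rule("FORWARD", a, interfaces) for a in wildcard]
    # Default policy: a higher security level may initiate toward a lower one.
    # Lower-to-higher and equal-to-equal get no rule here and fall to the DROP.
    for src, s in interfaces.items():
        for dst, d in interfaces.items():
            if src != dst and s["level"] > d["level"]:
                fwd.append(f"-A FORWARD -i {s['device']} -o {d['device']} -j ACCEPT")
    fwd.append("-A FORWARD -j DROP")

    inp = preamble("INPUT") + [user_rule("INPUT", a, interfaces) for a in inputs]
    inp.append("-A INPUT -j DROP")
    out = preamble("OUTPUT") + [user_rule("OUTPUT", a, interfaces) for a in outputs]
    out.append("-A OUTPUT -j DROP")
    return {"FORWARD": fwd, "INPUT": inp, "OUTPUT": out}


if __name__ == "__main__":
    for chain_rules in generate(INTERFACES, ACCESS_LISTS).values():
        print("\n".join(chain_rules))
```

Two things worth checking in the generated output rather than in the source order: because specific rules are emitted before wildcard rules, a specific permit written after a wildcard deny still wins for the traffic it covers; and two interfaces with equal security levels get no default-policy rule at all, so they cannot exchange traffic unless an access list permits it. The emitted lines are in iptables-restore syntax and need the usual `*filter` / `COMMIT` framing before loading.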


Until the documentation is complete, the best way to learn how to use PacketFlow is to read the samples. Start with the basic dialup and cable samples, and work your way up to the DMZ and multi-DMZ examples. These examples illustrate most of the available features.