"Yellow Arrow" question?

Hi Frederic,
Sorry for starting an similar topic, but I have been confused about the 'yellow arrow' for a long time and wonder if you can give some advices.

I understand that:
Normally, this yellow arrow is set in 99.99% cases. In this case, when a packet matches all criteria of a rule, lns applies the rule to this packet immediately, whatever the following rules.

The question confusing me is that:
If I change the 'yellow arrow' to a 'dot', theoretically, lns should continue to match the following rules, even if it has found a matched rule in the ruleset.

A very simple example:

Rule 1: block 139 (turn off 'yellow arrow')
Rule 2: allow 139 (turn on 'yellow arrow')

In this case, if a inbounding packet with the destination port 139 is received, Rule 1 matches, LnS should block this packet.

But, since 'yellow arrow' is NOT checked, LnS will continue to match the following rules with this packet. LnS then matches Rule 2. This packet matches Rule 2 exactly again. But, rule 2 is an allowing rule.
So, Should LnS allow this packet?
Logically, It should (because the 'yellow arrow' of rule 1 is cleared)

I hope I have expressed my question clearly.
Any help would be greatly appreciated.
thanks in advance.

 

Hi nuser,

Yes, the last rule matching the packet is the one that is applied.

So for this example:
Rule 1: block 139 (turn off 'yellow arrow')
Rule 2: allow 139 (turn on 'yellow arrow')

A packet on port 139 will be allowed.

Usually, turning off the "yellow arrow" is only used to add a logging rule at the top of the ruleset, and the block/allow attribute is not relevant.
This kind of rule acts like a sniffer, and doesn't interfer with the rest of the ruleset. This is the only purpose of the "yellow arrow".

Regards,

Frederic

 

thanks, Frederic and Climenole,
I understand now.

The last question:
What will happen if I turn off 'yellow arrow' of the last rule (block All other packets) of ruleset? since there are NO following rules.
Actually, nobody will do that.

 

Hi nuser

Here's, in the series of Climenole's paradoxes ©, the first one:

" In all well built rules set, the last locking rule is mandatory and never used
since, in a such rules set, all packets are processed by one of the previous rules,
therefore the last rule is simultaneously mandatory and unused."

 

Hi, Frederic,
I just tested more and found that the block/allow attribute does affect the filtering result!
Just create an empty rule (click Add, OK), clear the yellow arrow, and set 'logging'
If I set 'allow', all the traffic are logged.
If I set "block', Web browser gets nothing. (blocked really).

 

Yes, you are right the Blocking attribute is anyway handled for rules without the "Yellow Arrow".
But there is no real usage for that. You should not create a blocking rule when you remove the "Yellow Arrow".

Frederic

 

Hi, Frederic,
Seems this statement is wrong

 

Yes, it was. Sorry for that.

Frederic