The Principle of First-Match
Firewalls evaluate Access Control Lists (ACLs) sequentially from top to bottom. The first rule whose match criteria (source, destination, protocol, port) fit the packet's header fields determines the action (Pass or Block), and evaluation stops there; rules further down are never consulted for that packet. A packet that matches no rule falls through to the list's default action, which on many firewalls is an implicit Block at the end of the list.
What is Rule Shadowing?
Rule shadowing occurs when a rule higher in the ACL matches every packet that a lower rule would match but takes a different action. Because of first-match, the lower rule is never evaluated, so the effect its author intended never takes place.
Example of Shadowing:
- **Rule 1 (Top):** Pass Protocol `TCP` Source `Any` Destination `Any` Port `80`
- **Rule 2 (Bottom):** Block Protocol `TCP` Source `192.168.1.50` Destination `Any` Port `80`
Here, **Rule 2** is shadowed by **Rule 1**: every TCP packet to port 80 from `192.168.1.50` is passed by Rule 1 and never reaches Rule 2, so the intended block on that host never takes effect. The ACL reads as if the host is blocked while the firewall actually lets it through, which is why shadowing is a security defect rather than a cosmetic one. The fix is to place the narrower Block above the broader Pass; more generally, specific exceptions belong before the general rules they carve out of.
Redundancy vs. Shadowing
- **Shadowing:** A broader rule with a different action sits above a narrower rule, so the narrower rule can never fire and the effective policy differs from the written one.
- **Redundancy:** A rule is identical to or narrower than a rule above it that has the same action. It does not alter the security policy, but it adds parsing overhead and clutter that makes the ACL harder to audit. The action is the deciding factor: the same narrower-below-broader layout is shadowing when the actions differ.
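The two definitions above can be turned into a check. The following is an added example, not code from the original page: a small first-match evaluator over IPv4 rules plus a pairwise audit that flags each rule fully covered by a single earlier rule, reporting it as shadowed when the actions differ and redundant when they match. The `Rule` layout, the packet dictionary shape and the sample ACL (the page's two rules plus a constructed third, redundant rule) are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp", or "any"
    src: str               # IPv4 address/CIDR, or "any"
    dst: str               # IPv4 address/CIDR, or "any"
    port: tuple            # (low, high) destination port range; (0, 65535) for any


def _net(cidr):
    """Normalise 'any' or a bare address/CIDR to an IPv4 network (IPv4 only, by assumption)."""
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def matches(rule, pkt):
    """Does this rule's criteria fit the packet's header fields?"""
    proto_ok = rule.proto == "any" or rule.proto == pkt["proto"]
    src_ok = ipaddress.ip_address(pkt["src"]) in _net(rule.src)
    dst_ok = ipaddress.ip_address(pkt["dst"]) in _net(rule.dst)
    port_ok = rule.port[0] <= pkt["dport"] <= rule.port[1]
    return proto_ok and src_ok and dst_ok and port_ok


def evaluate(acl, pkt, default="block"):
    """First-match: walk top to bottom, stop at the first hit. Returns (action, rule index).
    A packet matching nothing gets the default action and index None (the implicit final rule)."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i
    return default, None


def covers(upper, lower):
    """True if every packet matched by `lower` is also matched by `upper`."""
    proto_ok = upper.proto == "any" or upper.proto == lower.proto
    src_ok = _net(lower.src).subnet_of(_net(upper.src))
    dst_ok = _net(lower.dst).subnet_of(_net(upper.dst))
    port_ok = upper.port[0] <= lower.port[0] and lower.port[1] <= upper.port[1]
    return proto_ok and src_ok and dst_ok and port_ok


def audit(acl):
    """Pairwise audit: for each rule, find the first earlier rule that fully covers it.
    Returns (lower index, upper index, 'shadowed' | 'redundant') per finding."""
    findings = []
    for j, lower in enumerate(acl):
        for i in range(j):
            upper = acl[i]
            if covers(upper, lower):
                kind = "redundant" if upper.action == lower.action else "shadowed"
                findings.append((j, i, kind))
                break  # one covering rule is enough to neutralise the lower one
    return findings


def example_acl():
    """Constructed sample: the page's Rule 1 and Rule 2, plus a redundant third rule."""
    return [
        Rule("pass", "tcp", "any", "any", (80, 80)),            # Rule 1: broad pass
        Rule("block", "tcp", "192.168.1.50", "any", (80, 80)),  # Rule 2: shadowed by Rule 1
        Rule("pass", "tcp", "10.0.0.0/8", "any", (80, 80)),     # Rule 3: redundant with Rule 1
    ]


if __name__ == "__main__":
    acl = example_acl()
    pkt = {"proto": "tcp", "src": "192.168.1.50", "dst": "10.0.0.1", "dport": 80}
    print("as written:", evaluate(acl, pkt), audit(acl))
    fixed = [acl[1], acl[0]]  # narrower Block moved above the broader Pass
    print("reordered: ", evaluate(fixed, pkt), audit(fixed))
```

The pairwise check is deliberately simple and has a known blind spot: a rule can also be shadowed by the union of several earlier rules (two `/25` Pass rules above a `/24` Block, for instance), which no single-rule comparison will catch. A full analysis needs set arithmetic over the address and port space, but the pairwise pass already catches the case the page describes and is cheap enough to run on every ACL change.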
