ESET Knowledgebase

How do firewall rules function?


Firewall rules prioritization change in ESET Smart Security Premium and ESET Internet Security version 10 and later

In versions 10 and later, the ESET firewall evaluates rules from top to bottom and applies the action of the first rule that matches the network connection being evaluated. This is an important behavioral change from version 9.x, in which rule priority was automatic and a more specific rule took precedence over a more general one.

Version 9.x:
The ESET firewall contains a variety of default and user-generated rules. The priority and effect of each rule depend on the parameters set within it. The main principles of rule application are outlined below.
  • If two identical rules exist, but one is set to Enable communication and the other to Disable communication, the rule set to Disable will be applied.
  • A rule that is more specific has higher priority than a less specific rule. Whether a rule is more or less specific is determined by the four basic parameters of the rule, which take priority in the following order:

    1. Application
    2. Remote address (IP address, subnet, address range, zone)
    3. Remote port
    4. Local port

    Other parameters (direction of communication, protocol) are not taken into account when determining priority of a rule.

    The rules will be applied based on the priority of parameters they contain. Once a rule has been applied to a specific communication, no other rules can be applied to it.


Consider a situation including these two rules:

Rule 1: Block communication with shared network drives.

Rule 2: Enable communication with shared network drives in the trusted zone.

The priority of rule 2 is higher than rule 1 because rule 2 is more specific. Based on priority, attempts to establish communication with any shared network drives in the trusted zone will be allowed. Communication with shared network drives outside the trusted zone will be blocked.
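To make the difference between the two evaluation strategies concrete, here is an added Python model (not ESET code) that runs the shared-drive scenario above under both the version 9.x specificity rules and the version 10+ first-match rule. It assumes a shared-drive connection is identified by remote port 445, that the trusted zone is modelled as the subnet 192.168.1.0/24, and that the stated parameter order (Application > Remote address > Remote port > Local port) is compared lexicographically; all rule and connection values are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str                        # "allow" (Enable communication) or "block" (Disable communication)
    app: Optional[str] = None          # application path; None = any
    remote: Optional[str] = None       # remote CIDR (a zone is modelled as a subnet); None = any
    remote_port: Optional[int] = None  # None = any
    local_port: Optional[int] = None   # None = any

    def matches(self, conn: dict) -> bool:
        return ((self.app is None or self.app == conn["app"])
                and (self.remote is None or ip_address(conn["remote"]) in ip_network(self.remote))
                and (self.remote_port is None or self.remote_port == conn["remote_port"])
                and (self.local_port is None or self.local_port == conn["local_port"]))

    def specificity(self) -> tuple:
        # Version 9.x parameter order: Application > Remote address > Remote port > Local port.
        # Comparing these tuples lexicographically lets the higher-ranked parameter decide first (assumption).
        return (self.app is not None, self.remote is not None,
                self.remote_port is not None, self.local_port is not None)

def evaluate_v10(rules, conn, default="block"):
    """Version 10+: walk the list top to bottom; the first matching rule decides."""
    for rule in rules:
        if rule.matches(conn):
            return rule.action, rule.name
    return default, None

def evaluate_v9(rules, conn, default="block"):
    """Version 9.x: the most specific matching rule wins; identical rules resolve to block."""
    hits = [r for r in rules if r.matches(conn)]
    if not hits:
        return default, None
    best = max(hits, key=lambda r: (r.specificity(), r.action == "block"))
    return best.action, best.name

# Constructed rules for the article's scenario (shared drives = TCP/445, trusted zone = 192.168.1.0/24).
BLOCK_SHARES = Rule("Rule 1: block shared drives", "block", remote_port=445)
ALLOW_TRUSTED = Rule("Rule 2: allow shared drives in trusted zone", "allow",
                     remote="192.168.1.0/24", remote_port=445)
RULES_AS_LISTED = [BLOCK_SHARES, ALLOW_TRUSTED]

# Constructed sample connections: one inside the trusted zone, one outside it.
TRUSTED = {"app": "explorer.exe", "remote": "192.168.1.20", "remote_port": 445, "local_port": 49152}
UNTRUSTED = {"app": "explorer.exe", "remote": "203.0.113.7", "remote_port": 445, "local_port": 49153}
```

Under the 9.x strategy the trusted-zone connection is allowed by Rule 2 regardless of list order, whereas under first-match evaluation the order as listed lets Rule 1 block it; a rule set carried over to version 10 therefore needs its specific rules placed above the general ones to keep the same effect.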