
Firewall rule order

Learn how firewall rule position affects traffic filtering and why rule order matters for inbound traffic control.

Written by Daniel
Updated over 2 months ago

Firewall rules are processed in a strict order. The firewall always checks rules from the smallest position number to the largest and stops as soon as it finds a matching rule.

If the order is wrong, traffic you intended to allow can be blocked, or traffic you intended to block can pass.

This article explains exactly how rule order works using a simple ICMP ping example.

How firewall rule order works

Every firewall rule has a Position value.

Lower position numbers are evaluated first.

The firewall logic works like this:

  • Position 0 is evaluated first

  • Position 1 is evaluated second

  • Position 2 is evaluated third

  • And so on

As soon as a rule matches the traffic, the firewall applies the action (ACCEPT or REJECT) and stops checking the rest of the rules.

Important behavior when creating rules

There are two details that often confuse users.

Rule position is assigned automatically

When you create your first rule, it is placed at position 0.

When you create a second rule, the new rule becomes position 0 and the existing rule is pushed to position 1.

Each new rule is always inserted at the top.

Reordering rules

If you created a rule and placed it incorrectly, you can reposition it later using drag and drop.

Hold the left mouse button on the rule and drag it to the desired position.

Example scenario used in this guide

We will use three simple inbound rules to show how order affects behavior:

  • Block all incoming traffic

  • Allow ICMP ping from a single home IP

  • Allow ICMP ping from all IPs

Images 1, 2, and 3 show how these rules are created in the control panel.

Step 1 – Block all incoming traffic

The first rule blocks all inbound traffic.

  • Type: in

  • Action: REJECT

  • Interface: net0

  • Protocol: None

This rule acts as a catch-all deny rule.

If this rule is evaluated first, no other rule below it will ever matter.

Step 2 – Allow ping from a single IP

The second rule allows ICMP traffic from one specific IP address.

  • Type: in

  • Action: ACCEPT

  • Interface: net0

  • Protocol: ICMP

  • Source: your home IP

This rule must be above the deny-all rule to work.

Step 3 – Allow ping from all IPs

The third rule allows ICMP traffic from any source.

  • Type: in

  • Action: ACCEPT

  • Interface: net0

  • Protocol: ICMP

This rule is broader and should be evaluated before the deny-all rule.

Correct rule order in practice

The next image shows the final rule list with positions clearly visible.

The correct order is:

  • Position 0: Allow all ping

  • Position 1: Allow ping from home IP

  • Position 2: Deny all incoming

With this order:

  • ICMP traffic matches the allow rules first

  • All other inbound traffic hits the deny rule
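The first-match evaluation described above, as an added example that is not part of the original article or of the control panel's own code: a small Python model of an ordered inbound rule list with the panel's insert-at-position-0 behaviour, the three rules from this guide, and a drag-and-drop move that puts the deny-all rule at the top to show what a wrong order does. The IP addresses are constructed sample values, and it is an assumption that traffic matching no rule is left unfiltered.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample addresses (RFC 5737 documentation ranges), not from the article.
HOME_IP, OTHER_IP = "203.0.113.10", "198.51.100.7"

@dataclass
class Rule:
    name: str
    action: str                   # "ACCEPT" or "REJECT"
    proto: Optional[str] = None   # None == "Protocol: None" in the panel (any protocol)
    source: Optional[str] = None  # None == any source address
    iface: str = "net0"

class Firewall:
    """Ordered inbound rule list; the list index is the panel's Position value."""
    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add_rule(self, rule: Rule) -> None:
        # Panel behaviour from the article: a new rule always lands at
        # position 0 and pushes every existing rule down by one.
        self.rules.insert(0, rule)

    def move(self, old_pos: int, new_pos: int) -> None:
        # Equivalent of drag-and-drop reordering.
        self.rules.insert(new_pos, self.rules.pop(old_pos))

    def evaluate(self, proto: str, source: str, iface: str = "net0") -> Tuple[Optional[int], str]:
        # First match wins: walk positions 0, 1, 2, ... and stop at the first hit.
        for pos, r in enumerate(self.rules):
            if (r.iface == iface and r.proto in (None, proto)
                    and r.source in (None, source)):
                return pos, r.action
        return None, "ACCEPT"  # assumption: unmatched traffic is not filtered

def build_guide_firewall() -> Firewall:
    """Create the article's three rules in the order steps 1-3 create them."""
    fw = Firewall()
    fw.add_rule(Rule("Deny all incoming", "REJECT"))
    fw.add_rule(Rule("Allow ping from home IP", "ACCEPT", "ICMP", HOME_IP))
    fw.add_rule(Rule("Allow all ping", "ACCEPT", "ICMP"))
    return fw  # positions: 0 allow all ping, 1 allow home ping, 2 deny all

if __name__ == "__main__":
    fw = build_guide_firewall()
    print([(pos, r.name) for pos, r in enumerate(fw.rules)])
    print(fw.evaluate("TCP", OTHER_IP))   # (2, 'REJECT')
    fw.move(2, 0)                         # drag deny-all to the top (wrong order)
    print(fw.evaluate("ICMP", HOME_IP))   # (0, 'REJECT'): ping is now blocked
```

Removing the rule at position 0 from the built list reproduces the "allow ping from a single IP" test: the home IP still matches at position 0 while any other source falls through to the deny rule.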

Testing with only the deny rule enabled

First, only the deny-all rule is enabled.

The images below show the result from two different systems:

  • Ping requests time out

  • The VPS does not respond

This confirms that the deny rule is working.

Testing allow ping from a single IP

Next, the rule allowing ping from the home IP is enabled.

Results:

  • The first image shows successful ping replies from the home system

  • The next image shows timeouts from a different IP

This shows that rule matching stops at the first matching rule: ICMP from the home IP matches the allow rule, while ping from any other IP falls through to the deny rule.

Testing allow ping from all IPs

Next the allow-all-ping rule is enabled.

Now:

  • Ping works from the home IP

  • Ping also works from other IPs

At this point, the single-IP ping rule becomes redundant since all IPs are already allowed.

You can safely disable or remove it.

Key takeaways

  • Firewall rules are evaluated from the lowest position number to the highest

  • The first matching rule always wins

  • New rules are inserted at position 0

  • Rules can be reordered after creation

  • Always place allow rules above (at a lower position than) deny rules so they are evaluated first

Understanding this rule order is essential for building secure and predictable firewall configurations.
