group

Description

Identifies the group to which a rule belongs.
Arranging rules in groups can improve performance for complex rule sets. Grouping allows you to arrange rules in a treelike structure instead of a linear list. The advantage of rule grouping is that if a packet fails to match the head rule in a group, the firewall skips the remaining subrules and immediately begins matching against the next group.
When you add rules to a firewall without specifying a rule group, the new rules are added to the default group (group 0). To create a group, use the head keyword, followed by a group number. The number 0 is reserved for the default group. Each group must have a head rule, followed by subrules.
To assign a subrule to a group, use the group keyword, followed by the group number. For example:
block in quick on fei0 all head 1
block in quick on fei0 from 10.0.0.0/8 to any group 1
pass in on fei0 all group 1
block in quick on fei1 all head 2
block in quick on fei1 from 10.0.0.0/8 to any group 2
pass in on fei1 all group 2
pass in all
See also the head keyword.
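The skipping behaviour described above, modelled as an added Python example (not code from the product or its documentation). It assumes IPFilter-style semantics that this page does not spell out: the last matching rule decides unless quick is set, and a matching head rule hands the packet to its group. The tuple layout and the function names matches and evaluate are constructed for illustration.

```python
import ipaddress

# Constructed model of the page's example rule set.
# Fields: (action, quick, interface, source, head_group, member_group)
RULES = [
    ("block", True,  "fei0", "any",        1,    0),
    ("block", True,  "fei0", "10.0.0.0/8", None, 1),
    ("pass",  False, "fei0", "any",        None, 1),
    ("block", True,  "fei1", "any",        2,    0),
    ("block", True,  "fei1", "10.0.0.0/8", None, 2),
    ("pass",  False, "fei1", "any",        None, 2),
    ("pass",  False, None,   "any",        None, 0),   # pass in all
]

def matches(r_if, r_src, iface, src):
    """True if the packet's interface and source fit the rule (assumed matching model)."""
    if r_if is not None and r_if != iface:
        return False
    return r_src == "any" or ipaddress.ip_address(src) in ipaddress.ip_network(r_src)

def evaluate(rules, iface, src):
    """Return (verdict, number_of_rules_tested) for one inbound packet."""
    tested = 0

    def walk(group):
        nonlocal tested
        verdict = None
        for action, quick, r_if, r_src, head, member in rules:
            if member != group:
                continue              # rule belongs to another group
            tested += 1
            if not matches(r_if, r_src, iface, src):
                continue              # a failed head rule: its subrules are never tested
            verdict = action
            stop = quick
            if head is not None:      # descend into the group this rule heads
                sub_verdict, sub_stop = walk(head)
                verdict = sub_verdict or verdict
                stop = stop or sub_stop
            if stop:
                return verdict, True
        return verdict, False

    return walk(0)[0], tested

if __name__ == "__main__":
    for pkt in [("fei0", "10.1.2.3"), ("fei1", "192.0.2.7"), ("fei2", "10.1.2.3")]:
        print(pkt, evaluate(RULES, *pkt))
```

In this model a packet arriving on fei1 is tested against at most four of the seven rules, because the failed head of group 1 removes both of its subrules from consideration.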

Synopsis

{block | pass} {in | out} address_scope group group_number
address_scope can be a unique IP address, an address space, or the keywords !, all, me, or any.
group_number is the number of the rule group to which the rule belongs.