Formula Used
A rule matches a packet only when all specified filters match: direction, interface, protocol, source CIDR, destination CIDR, and ports.
- CIDR match: Convert IPs to 32‑bit values, apply subnet mask, and compare network bits.
- Port match: Packet port must fall inside the configured range (from–to). Empty means any.
- Rule order: Rules are sorted by ascending priority, then original order.
- Decision: first_match stops on first match, last_match uses the last matching rule, most_specific selects the highest specificity score.
Specificity Score (0–10): +1 protocol, +1 direction, +1 interface, +2 src CIDR, +2 dst CIDR, +1 src port, +2 dst port.
How to Use This Calculator
- Enter a packet’s source/destination IP, protocol, ports, direction, and interface.
- Choose a default policy for unmatched traffic.
- Select an evaluation mode that matches your environment’s behavior.
- Add rules, assign priorities, and set fields to ANY when not needed.
- Click Simulate to see the decision, matched rule, and trace.
- Download CSV or PDF to share audit-ready results.
Example Data Table
| Priority | Action | Direction | Interface | Protocol | Src CIDR | Src Port | Dst CIDR | Dst Port |
|---|---|---|---|---|---|---|---|---|
| 10 | ALLOW | INBOUND | WAN | TCP | 192.168.1.0/24 | 1024–65535 | 10.0.0.20/32 | 443 |
| 20 | DENY | INBOUND | WAN | ANY | any | any | 10.0.0.0/8 | any |
| Sample packet | Value |
|---|---|
| Src | 192.168.1.10:51515 |
| Dst | 10.0.0.20:443 |
| Protocol | TCP |
| Direction | INBOUND |
| Interface | WAN |
| Expected | ALLOW |
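As an added illustration (not the calculator's own code), the Python below re-implements the matching, ordering, specificity and decision logic stated in the formula section and runs it over the example rule set and sample packet from the tables above. The names `Rule`, `Packet`, `rule_matches`, `specificity` and `simulate` are this example's own. Two details are assumptions the page does not spell out: a score tie in most-specific mode goes to the earliest rule in priority order, and ICMP rules skip port filters (as the FAQ describes).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example: a compact model of the simulator's rule evaluation.
# Field value None stands for "ANY" / empty, i.e. the filter is not applied.


@dataclass
class Rule:
    priority: int
    action: str                                  # "ALLOW" or "DENY"
    direction: Optional[str] = None              # "INBOUND" / "OUTBOUND"
    interface: Optional[str] = None              # e.g. "WAN"
    protocol: Optional[str] = None               # "TCP", "UDP", "ICMP"
    src_cidr: Optional[str] = None
    src_port: Optional[Tuple[int, int]] = None   # inclusive (from, to)
    dst_cidr: Optional[str] = None
    dst_port: Optional[Tuple[int, int]] = None


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    direction: str
    interface: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def cidr_match(ip: str, cidr: Optional[str]) -> bool:
    """Convert to 32-bit integers, apply the subnet mask, compare network bits."""
    if cidr is None:
        return True
    net = ipaddress.ip_network(cidr, strict=False)
    addr = int(ipaddress.ip_address(ip))
    return (addr & int(net.netmask)) == int(net.network_address)


def port_match(port: Optional[int], rng: Optional[Tuple[int, int]]) -> bool:
    """Empty range means any; otherwise the port must fall inside from-to."""
    if rng is None:
        return True
    if port is None:
        return False
    lo, hi = rng
    return lo <= port <= hi


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only when every specified filter matches."""
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.interface is not None and rule.interface != pkt.interface:
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if not cidr_match(pkt.src_ip, rule.src_cidr):
        return False
    if not cidr_match(pkt.dst_ip, rule.dst_cidr):
        return False
    if pkt.protocol != "ICMP":   # assumption: ICMP has no ports, so port filters are skipped
        if not port_match(pkt.src_port, rule.src_port):
            return False
        if not port_match(pkt.dst_port, rule.dst_port):
            return False
    return True


def specificity(rule: Rule) -> int:
    """0-10: +1 protocol, +1 direction, +1 interface, +2 src CIDR, +2 dst CIDR,
    +1 src port, +2 dst port."""
    return sum([
        rule.protocol is not None, rule.direction is not None, rule.interface is not None,
        2 * (rule.src_cidr is not None), 2 * (rule.dst_cidr is not None),
        rule.src_port is not None, 2 * (rule.dst_port is not None),
    ])


def simulate(rules: List[Rule], pkt: Packet, mode: str = "first_match", default: str = "DENY"):
    """Return (decision, matched rule or None, trace of (priority, action, matched))."""
    # Ascending priority, then original order on ties.
    ordered = [r for _, r in sorted(enumerate(rules), key=lambda t: (t[1].priority, t[0]))]
    trace, matches = [], []
    for rule in ordered:
        hit = rule_matches(rule, pkt)
        trace.append((rule.priority, rule.action, hit))
        if hit:
            matches.append(rule)
            if mode == "first_match":
                break                      # stop on the first full match
    if not matches:
        return default, None, trace        # default policy for unmatched traffic
    if mode == "most_specific":
        chosen = max(matches, key=specificity)   # assumption: earliest rule wins a tie
    elif mode == "last_match":
        chosen = matches[-1]
    else:
        chosen = matches[0]
    return chosen.action, chosen, trace


# Example rules and packet from the tables above.
EXAMPLE_RULES = [
    Rule(10, "ALLOW", "INBOUND", "WAN", "TCP", "192.168.1.0/24", (1024, 65535), "10.0.0.20/32", (443, 443)),
    Rule(20, "DENY", "INBOUND", "WAN", None, None, None, "10.0.0.0/8", None),
]
EXAMPLE_PACKET = Packet("192.168.1.10", "10.0.0.20", "TCP", "INBOUND", "WAN", 51515, 443)

if __name__ == "__main__":
    for mode in ("first_match", "last_match", "most_specific"):
        decision, rule, trace = simulate(EXAMPLE_RULES, EXAMPLE_PACKET, mode)
        print(mode, decision, rule.priority if rule else None, trace)
```

Running it shows why the evaluation mode matters for overlapping rules: both rules match the sample packet, so first-match and most-specific (score 10 against 4) return ALLOW from rule 10, while last-match returns DENY from rule 20.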
Priority Ordering and Outcomes
This simulator evaluates rules by ascending priority, then by original order when priorities tie. That mirrors the “top‑down” approach used in many policy engines. Each packet yields a single decision: ALLOW or DENY. If no rule matches, the default policy applies. The trace view shows how many rules were checked before a match, so you can move high‑volume rules earlier and reduce unnecessary evaluations. Small priority changes can flip the outcome when two rules both match the same packet.
CIDR and Port Scope
Traffic scope is defined with IPv4 CIDR and port ranges. CIDR runs from /0 to /32, mapping a 32‑bit address space into network prefixes, while ports span 0–65535 for TCP and UDP. Leaving a field empty (or using “any”) removes that constraint. This makes it easy to express common patterns such as “any source, destination 10.0.0.0/8, TCP 443 only” without writing multiple redundant rules.
Specificity and Overlaps
Overlapping rules are inevitable in real policies. To highlight intent, the calculator assigns a specificity score from 0 to 10: protocol, direction, and interface add focus, while CIDR and destination ports add stronger weight. In “most specific” mode, the highest score wins among matching rules, reducing accidental broad permits. Use this to find rules that are too generic and to justify tighter CIDR or port boundaries.
Trace Logs and Exports
Operational teams need evidence. The trace table records each rule’s action, match status, and the reason for failure or success. Exporting CSV supports ticket attachments and change reviews, while PDF provides a compact summary for audits. Because the output includes packet fields, matched priority, and specificity, reviewers can validate both the final decision and the exact path taken to reach it.
Change Testing Workflow
Use the simulator as a pre‑deployment test harness. Start with a baseline packet, then vary one attribute at a time: destination port, direction, or source CIDR. Confirm that intended traffic remains allowed and that sensitive services remain denied. When you add a new exception, check for side effects by testing adjacent ports and nearby subnets, and keep the default policy conservative until coverage is proven.
FAQs
What does “First match wins” mean?
Rules are evaluated from lowest priority number upward. The simulation stops at the first rule that fully matches the packet, and that rule’s action becomes the decision. This is useful when your firewall processes rules sequentially.
When should I use “Last match wins”?
Use it to mimic systems where later rules override earlier ones. The simulator evaluates all rules, collects matches, and applies the action of the last matching rule. Enable trace to confirm which rules matched along the way.
How is the specificity score calculated?
The score ranges 0–10. It adds points for constraining protocol, direction, and interface, plus stronger weight for source and destination CIDR, and for destination ports. In most‑specific mode, the highest score among matches is selected.
Why are ports disabled for ICMP?
ICMP does not use TCP or UDP port numbers. The simulator ignores port fields when protocol is ICMP, so rules should rely on CIDR, direction, and interface for matching. For ping testing, keep ports blank or any.
What is the safest default policy?
Default DENY is generally safer because it blocks traffic that is not explicitly allowed. You can temporarily set ALLOW for lab testing, but revert to DENY for production‑style simulations to avoid missing coverage.
How do I troubleshoot an unexpected DENY?
Turn on trace, then check the first rule that should have matched. Verify the packet’s direction, interface, protocol, CIDR, and ports. A single mismatch prevents a match. Also watch for an earlier DENY rule with a lower priority number, since it is evaluated first.