FWIP.SYS works in the following manner:
- FWIP.SYS is called by the IP layer of the TCP/IP stack for each packet that arrives at the firewall
- The packet is compared to a list of filter rules, starting from the top and working down the list until a match is found
- If a match is found, the rule action (permit or deny) is carried out
- If no match is found, the packet is denied by default
While, strictly speaking, it is not necessary to define specific rules to deny packets (the firewall's default
rule will catch them), it is advisable to do so as a precaution against misconfigured 'permit' rules later in the list.
Because FWIP.SYS stops searching the list at the first match, a specific deny rule catches a prohibited packet
before it can be matched against any misconfigured rules further down the list.
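As an added example (not part of the original text, and not FWIP.SYS's own code), the following Python models the top-down, first-match, default-deny evaluation described above, with a constructed rule list in which an explicit deny placed ahead of an over-broad permit catches the prohibited packet; the rule fields, addresses and ports are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR; "0.0.0.0/0" matches any source
    dst: str               # CIDR; "0.0.0.0/0" matches any destination
    dport: Optional[int]   # None matches any destination port


def matches(rule, pkt):
    """True only if every field of the rule covers the packet."""
    return (rule.proto in ("any", pkt["proto"])
            and ip_address(pkt["src"]) in ip_network(rule.src)
            and ip_address(pkt["dst"]) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt["dport"]))


def filter_packet(rules, pkt):
    """Walk the list top down and stop at the first match; if nothing
    matches, deny by default. Returns (action, index of matching rule)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


# Constructed sample rule list (hypothetical). Rule 2 is a deliberately
# over-broad permit, the kind of later misconfiguration the explicit
# deny in rule 0 guards against.
RULES = [
    Rule("deny",   "tcp", "0.0.0.0/0", "10.0.0.0/24",   23),    # no telnet into the LAN
    Rule("permit", "tcp", "0.0.0.0/0", "10.0.0.10/32",  80),    # public web server
    Rule("permit", "any", "0.0.0.0/0", "10.0.0.0/24",   None),  # misconfigured: permits everything
]

# Constructed sample packets, arriving from an external host.
TELNET = {"proto": "tcp", "src": "198.51.100.7", "dst": "10.0.0.5",  "dport": 23}
HTTP   = {"proto": "tcp", "src": "198.51.100.7", "dst": "10.0.0.10", "dport": 80}
SMTP   = {"proto": "tcp", "src": "198.51.100.7", "dst": "10.0.0.5",  "dport": 25}


def demo():
    """Same telnet packet, with and without the explicit deny at the top."""
    with_deny = filter_packet(RULES, TELNET)         # ("deny", 0)
    without_deny = filter_packet(RULES[1:], TELNET)  # ("permit", 1): bad rule wins
    return with_deny, without_deny
```

Dropping the explicit deny (the `RULES[1:]` case) lets the over-broad rule 2 admit the telnet packet, which is exactly the failure the text warns about.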