156Filter priorityContinuing the customs inspectors analogy, imagine theinspectors lined up to examine a package. If the packagematches the first inspector’s criteria, the package is eitherrejected or passed on to its destination, depending on thefirst inspector’s particular orders. In this case, the packageis never seen by the remaining inspectors.If the package does not match the first inspector’s criteria,it goes to the second inspector, and so on. You can see thatthe order of the inspectors in the line is very important.For example, let’s say the first inspector’s orders are tosend along all packages that come from Rome, and the sec-ond inspector’s orders are to reject all packages that comefrom France. If a package arrives from Rome, the firstinspector sends it along without allowing the second inspec-tor to see it. A package from Paris is ignored by the firstinspector, rejected by the second inspector, and never seenby the others. A package from London is ignored by the firsttwo inspectors, so it’s seen by the third inspector.In the same way, filter sets apply their filters in a particularorder. The first filter applied can forward or discard a packetbefore that packet ever reaches any of the other filters. If the first filter can neither forwardnor discard the packet (because it cannot match any criteria), the second filter has achance to forward or reject it, and so on. Because of this hierarchical structure, each filteris said to have a priority. The first filter has the highest priority, and the last filter has thelowest priority.How individual filters workAs described above, a filter applies criteria to an IP packet and then takes one of threeactions:• Forwards the packet to the local or remote network• Blocks (discards) the packet• Ignores the packetA filter forwards or blocks a packet only if it finds a match after applying its criteria. Whenno match occurs, the filter ignores the packet.packetfirstfiltermatch?yesforwarddiscard?to networkdiscard(delete)forwardnoto nextfiltersendor