How does the engine work? What is the relationship between the Zenarmor (Sensei) engine and the OPNsense/L4 firewalls?
Network packets are processed by both the Zenarmor rules and the OPNsense firewall rules, independently of each other. The Zenarmor policy / detection / rules engine runs completely independently of the OPNsense pf / ipfw firewalls.
For incoming packets, the Zenarmor engine has precedence over the OPNsense firewall rules, which means that the Zenarmor engine takes and processes the packets before the OPNsense/L2-L4 firewall rules do. Incoming packets are first inspected by Zenarmor (since Zenarmor jumps into the scene well before the operating system), and then handed over to the operating system kernel to be processed by the in-kernel firewalls.
What is important to note here is that, in the incoming case, if Zenarmor blocks a packet, it is not forwarded to the OS kernel/firewall at all.
In the outgoing scenario, the packets are processed first by the OPNsense/L4 firewall, and if a rule matches and blocks a packet, it never reaches Zenarmor to be processed.
Consider the below table for how they behave in each scenario:
| Zenarmor rule matches | OPNsense/L4 FW rule matches | Final action |
|---|---|---|
| Yes | Yes | Blocked |
| Yes | No | Blocked |
| No | Yes | Blocked |
| No | No | Passed |
Figure 1. How incoming packets are processed by Zenarmor engine and OPNsense/L4 firewall
Figure 2. How outgoing packets are processed by OPNsense/L4 firewall and Zenarmor engine
In summary, incoming packets are processed by the Zenarmor engine first, and only if the engine lets them pass are they processed by your OPNsense/L4 firewall. Outgoing packets, on the other hand, are processed by your OPNsense/L4 firewall first; if the firewall allows them to pass, they are then processed by the Zenarmor engine. For any network packet to pass, it must not match a rule on either Zenarmor or the OPNsense/L4 firewall.
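The two-stage ordering described above, as an added model written for this FAQ (it is not Zenarmor or OPNsense code). The `Packet`, `L4Rule` and `L7Policy` records, the first-match evaluation, the default-pass fallback and the sample rule sets are all constructed assumptions for the illustration; the point it makes is that the first stage in each direction fully decides a blocked packet, so the second stage never sees it, while a packet that passes the first stage can still be blocked by the second.

```python
"""Model of the packet-processing order between Zenarmor (L7) and the
OPNsense/L4 firewall: incoming = Zenarmor then L4, outgoing = L4 then Zenarmor.
Added example, not Zenarmor or OPNsense code; all records and rules are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal packet record (constructed for this example)."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    app: Optional[str] = None  # L7 application label as Zenarmor would classify it


@dataclass(frozen=True)
class L4Rule:
    """Simplified OPNsense/pf-style rule keyed on L3/L4 fields only (assumption)."""
    action: str  # "block" or "pass"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


@dataclass(frozen=True)
class L7Policy:
    """Simplified Zenarmor-style policy keyed on application or destination (assumption)."""
    action: str  # "block" or "pass"
    app: Optional[str] = None
    dst: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return ((self.app is None or self.app == p.app)
                and (self.dst is None or self.dst == p.dst))


def first_match(p: Packet, rules: Sequence, default: str = "pass") -> str:
    """First matching rule decides; no match falls through to `default`.
    Modelling assumption: real pf ordering depends on 'quick' and last-match semantics."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


def process(p: Packet, direction: str,
            zen_policies: Sequence[L7Policy],
            l4_rules: Sequence[L4Rule]) -> Tuple[str, List[str]]:
    """Run the packet through both stages in the order the FAQ describes.
    Returns (final_action, trace); the trace lists only the stages that actually
    saw the packet, so a block in stage one leaves a one-entry trace."""
    zen: Tuple[str, Callable[[Packet], str]] = ("zenarmor", lambda pkt: first_match(pkt, zen_policies))
    l4: Tuple[str, Callable[[Packet], str]] = ("opnsense-l4", lambda pkt: first_match(pkt, l4_rules))
    if direction == "incoming":
        stages = [zen, l4]      # Zenarmor sees the packet before the kernel firewall
    elif direction == "outgoing":
        stages = [l4, zen]      # kernel firewall decides first, Zenarmor second
    else:
        raise ValueError(f"unknown direction: {direction}")

    trace: List[str] = []
    for name, decide in stages:
        action = decide(p)
        trace.append(f"{name}:{action}")
        if action == "block":
            return "block", trace   # dropped here; later stages never run
    return "pass", trace


# Constructed sample rule sets: L4 blocks telnet, L7 blocks a file-sharing app.
SAMPLE_L4_RULES = [L4Rule("block", proto="tcp", dport=23)]
SAMPLE_ZENARMOR_POLICIES = [L7Policy("block", app="bittorrent")]


if __name__ == "__main__":
    samples = [
        ("incoming", Packet("203.0.113.5", "10.0.0.10", 6881, app="bittorrent")),
        ("incoming", Packet("203.0.113.5", "10.0.0.10", 23)),
        ("outgoing", Packet("10.0.0.10", "203.0.113.5", 23)),
        ("outgoing", Packet("10.0.0.10", "203.0.113.5", 6881, app="bittorrent")),
        ("outgoing", Packet("10.0.0.10", "203.0.113.5", 443, app="https")),
    ]
    for direction, pkt in samples:
        final, trace = process(pkt, direction, SAMPLE_ZENARMOR_POLICIES, SAMPLE_L4_RULES)
        print(f"{direction:8} dport={pkt.dport:<5} app={pkt.app!s:10} -> {final:5} via {' > '.join(trace)}")
```

Reading the traces makes the asymmetry concrete: an inbound telnet packet passes Zenarmor and is then blocked by the L4 firewall, whereas an outbound one is blocked by the L4 firewall and Zenarmor never sees it; the reverse holds for the application-level block.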
To protect your network from cyber attacks securely and effectively, you should first define L4 rules on your OPNsense/L4 firewall. Then, you should enable next-generation firewall capabilities by configuring policy rules on the Zenarmor engine for application control and web filtering (L7 filtering).
Beware that Zenarmor rules and OPNsense/L4 firewall rules are independent of each other. You must configure your firewall for L4 filtering and enable L7 filtering by configuring Zenarmor separately.