Think of iIoO as different stages of processing on the firewall, but bear in mind that these four inspection/capture points are only relevant to traffic that is not accelerated at all and is going through the Firewall Path (F2F); this is what the command fw ctl chain is showing. Unaccelerated packets that are permitted through the firewall will cross all four capture points. Traffic that is partially or fully accelerated (via the PXL or SXL paths, respectively) takes a "shorter" path across the firewall as shown in the diagram below excerpted from my book:
Not every Firewall Path operation below has its own dedicated chain module, and many of these operations occur inside the same chain module. The vast majority of firewall security operations (and possible drops) happen on the inbound/client side of the firewall kernel between "i" and "I" such as:
Between "I" and "o" the Gaia IP driver performs routing.
Between "o" and "O" on the outbound/server side of the firewall kernel, the following types of operations occur:
Obviously things get a lot more complicated if the traffic is accelerated; you can get a basic sense of how much traffic is accelerated on your firewall by running fwaccel stats -s.
--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
