ZyXEL Communications G-2000 Plus Manual Do Utilizador
ZyAIR G-2000 Plus User’s Guide
Chapter 14 Firewalls
186
3 The firewall inspects packets to determine and record information about the state of the
packet's connection. This information is recorded in a new state table entry created for the
new connection. If there is not a firewall rule for this packet and it is not an attack, then
the setting in the Firewall Default Rule screen determines the action for this packet.
new connection. If there is not a firewall rule for this packet and it is not an attack, then
the setting in the Firewall Default Rule screen determines the action for this packet.
4 Based on the obtained state information, a firewall rule creates a temporary access list
entry that is inserted at the beginning of the WAN interface's inbound extended access
list. This temporary access list entry is designed to permit inbound packets of the same
connection as the outbound packet just inspected.
list. This temporary access list entry is designed to permit inbound packets of the same
connection as the outbound packet just inspected.
5 The outbound packet is forwarded out through the interface.
6 Later, an inbound packet reaches the interface. This packet is part of the connection
previously established with the outbound packet. The inbound packet is evaluated against
the inbound access list, and is permitted because of the temporary access list entry
previously created.
the inbound access list, and is permitted because of the temporary access list entry
previously created.
7 The packet is inspected by a firewall rule, and the connection's state table entry is updated
as necessary. Based on the updated state information, the inbound extended access list
temporary entries might be modified, in order to permit only packets that are valid for the
current state of the connection.
temporary entries might be modified, in order to permit only packets that are valid for the
current state of the connection.
8 Any additional inbound or outbound packets that belong to the connection are inspected
to update the state table entry and to modify the temporary inbound access list entries as
required, and are forwarded through the interface.
required, and are forwarded through the interface.
9 When the connection terminates or times out, the connection's state table entry is deleted
and the connection's temporary inbound access list entries are deleted.
14.5.2 Stateful Inspection and the ZyAIR
Additional rules may be defined to extend or override the default rules. For example, a rule
may be created which will:
may be created which will:
1 Block all traffic of a certain type, such as IRC (Internet Relay Chat), from the LAN to the
Internet.
2 Allow certain types of traffic from the Internet to specific hosts on the LAN.
3 Allow access to a Web server to everyone but competitors.
4 Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.
These custom rules work by evaluating the network traffic’s Source IP address, Destination IP
address, IP protocol type, and comparing these to rules set by the administrator.
address, IP protocol type, and comparing these to rules set by the administrator.
Note: The ability to define firewall rules is a very powerful tool.
Using custom rules, it is possible to disable all firewall
protection or block all access to the Internet. Use extreme
caution when creating or deleting firewall rules. Test changes
after creating them to make sure they work correctly.
Using custom rules, it is possible to disable all firewall
protection or block all access to the Internet. Use extreme
caution when creating or deleting firewall rules. Test changes
after creating them to make sure they work correctly.