ZyXEL P-660H-61 User Guide
Prestige 660H Series User’s Guide
10-8
Firewalls
The ability to define firewall rules is a very powerful tool. Using
custom rules, it is possible to disable all firewall protection or
block all access to the Internet. Use extreme caution when creating
or deleting firewall rules. Test changes after creating them to make
sure they work correctly.
Below is a brief technical description of how these connections are tracked. Connections may either be
defined by the upper protocols (for instance, TCP), or by the Prestige itself (as with the "virtual
connections" created for UDP and ICMP).
10.5.3 TCP Security
The Prestige uses state information embedded in TCP packets. The first packet of any new connection
has its SYN flag set and its ACK flag cleared; these are "initiation" packets. All packets that do not
have this flag structure are called "subsequent" packets, since they represent data that occurs later in
the TCP stream.
If an initiation packet originates on the WAN, this means that someone is trying to make a connection
from the Internet into the LAN. Except in a few special cases (see "Upper Layer Protocols" shown
next), these packets are dropped and logged.
If an initiation packet originates on the LAN, this means that someone is trying to make a connection
from the LAN to the Internet. Assuming that this is an acceptable part of the security policy (as is the
case with the default policy), the connection will be allowed. A cache entry is added which includes
connection information such as IP addresses, TCP ports, sequence numbers, etc.
When the Prestige receives any subsequent packet (from the Internet or from the LAN), its connection
information is extracted and checked against the cache. A packet is only allowed to pass through if it
corresponds to a valid connection (that is, if it is a response to a connection which originated on the
LAN).
10.5.4 UDP/ICMP Security
UDP and ICMP do not themselves contain any connection information (such as sequence numbers).
However, at the very minimum, they contain an IP address pair (source and destination). UDP also
contains port pairs, and ICMP has type and code information. All of this data can be analyzed in order
to build "virtual connections" in the cache.
For instance, any UDP packet that originates on the LAN will create a cache entry. Its IP address and
port pairs will be stored. For a short period of time, UDP packets from the WAN that have matching
IP and UDP information will be allowed back in through the firewall.
A similar situation exists for ICMP, except that the Prestige is even more restrictive. Specifically, only
outgoing echoes will allow incoming echo replies, outgoing address mask requests will allow
incoming address mask replies, and outgoing timestamp requests will allow incoming timestamp
replies. No other ICMP packets are allowed in through the firewall, simply because they are too
dangerous and contain too little tracking information. For instance, ICMP redirect packets are never
allowed in, since they could be used to reroute traffic through attacking machines.
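The connection tracking described in sections 10.5.3 (TCP) and 10.5.4 (UDP/ICMP) can be modelled as a small stateful filter. The block below is an added example written for this page; it is not ZyXEL firmware code. The Packet layout, the 30-second UDP and 10-second ICMP lifetimes, the log format and the sample addresses are assumptions chosen for illustration. It applies the rules the text states: a TCP packet with SYN set and ACK clear is an initiation and is dropped and logged if it arrives from the WAN, a LAN-originated initiation creates a cache entry, subsequent packets pass only when they match a cached flow, an outbound UDP packet opens a short-lived virtual connection keyed on the address and port pairs, and inbound ICMP is accepted only as the reply to one of the three tracked request types (redirects are never let in).

```python
"""Toy stateful packet filter modelled on the connection tracking that
sections 10.5.3 and 10.5.4 describe.  Added example, not ZyXEL code: the
Packet layout, the timeouts and the log format are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# ICMP message types (RFC 792 and RFC 950 numbering)
ICMP_ECHO_REPLY, ICMP_REDIRECT, ICMP_ECHO = 0, 5, 8
ICMP_TIMESTAMP, ICMP_TIMESTAMP_REPLY = 13, 14
ICMP_MASK_REQUEST, ICMP_MASK_REPLY = 17, 18

# The only request/reply pairs the manual says are tracked.
ICMP_REPLY_FOR = {ICMP_ECHO: ICMP_ECHO_REPLY,
                  ICMP_MASK_REQUEST: ICMP_MASK_REPLY,
                  ICMP_TIMESTAMP: ICMP_TIMESTAMP_REPLY}
ICMP_REQUEST_FOR = {reply: req for req, reply in ICMP_REPLY_FOR.items()}


@dataclass(frozen=True)
class Packet:
    iface: str            # "LAN" or "WAN": the interface the packet arrived on
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # TCP/UDP source port
    dport: int = 0        # TCP/UDP destination port
    flags: str = ""       # TCP flags as letters, e.g. "S", "SA", "A"
    icmp_type: int = -1


class StatefulFirewall:
    UDP_TIMEOUT = 30.0    # assumed lifetime (seconds) of a UDP virtual connection
    ICMP_TIMEOUT = 10.0   # assumed lifetime of an ICMP request awaiting its reply

    def __init__(self) -> None:
        # flow key -> expiry time; None means "until teardown" (teardown not modelled)
        self.cache: Dict[tuple, Optional[float]] = {}
        self.log: List[str] = []

    def _alive(self, key: tuple, now: float) -> bool:
        if key not in self.cache:
            return False
        expiry = self.cache[key]
        if expiry is not None and now > expiry:
            del self.cache[key]              # virtual connection timed out
            return False
        return True

    def _drop(self, p: Packet, why: str) -> bool:
        self.log.append(f"DROP {p.iface} {p.proto} {p.src}:{p.sport}->{p.dst}:{p.dport} ({why})")
        return False

    def handle(self, p: Packet, now: float = 0.0) -> bool:
        """Return True if the packet is forwarded, False if it is dropped and logged."""
        if p.proto == "tcp":
            return self._tcp(p, now)
        if p.proto == "udp":
            return self._udp(p, now)
        if p.proto == "icmp":
            return self._icmp(p, now)
        return self._drop(p, "unknown protocol")

    def _tcp(self, p: Packet, now: float) -> bool:
        if "S" in p.flags and "A" not in p.flags:          # initiation packet
            if p.iface == "WAN":
                return self._drop(p, "inbound TCP initiation")
            self.cache[("tcp", p.src, p.sport, p.dst, p.dport)] = None
            return True
        # subsequent packet: must belong to a LAN-originated flow, in either direction
        key = (("tcp", p.src, p.sport, p.dst, p.dport) if p.iface == "LAN"
               else ("tcp", p.dst, p.dport, p.src, p.sport))
        return True if self._alive(key, now) else self._drop(p, "no matching TCP connection")

    def _udp(self, p: Packet, now: float) -> bool:
        if p.iface == "LAN":                               # outbound: open a virtual connection
            self.cache[("udp", p.src, p.sport, p.dst, p.dport)] = now + self.UDP_TIMEOUT
            return True
        key = ("udp", p.dst, p.dport, p.src, p.sport)
        return True if self._alive(key, now) else self._drop(p, "no matching UDP virtual connection")

    def _icmp(self, p: Packet, now: float) -> bool:
        if p.iface == "LAN":
            if p.icmp_type in ICMP_REPLY_FOR:              # remember the outstanding request
                self.cache[("icmp", p.src, p.dst, p.icmp_type)] = now + self.ICMP_TIMEOUT
            return True
        request = ICMP_REQUEST_FOR.get(p.icmp_type)
        if request is None:                                # redirects, inbound echo requests, ...
            return self._drop(p, f"ICMP type {p.icmp_type} never allowed in")
        key = ("icmp", p.dst, p.src, request)
        return True if self._alive(key, now) else self._drop(p, "ICMP reply without request")


def demo() -> List[bool]:
    """Constructed packet sequence; the LAN host and WAN peers are example addresses."""
    fw = StatefulFirewall()
    lan, web, dns, peer = "192.168.1.33", "203.0.113.10", "198.51.100.53", "198.51.100.99"
    return [
        fw.handle(Packet("WAN", "tcp", peer, lan, 4444, 22, "S")),                      # drop
        fw.handle(Packet("LAN", "tcp", lan, web, 51000, 80, "S")),                      # allow
        fw.handle(Packet("WAN", "tcp", web, lan, 80, 51000, "SA")),                     # allow
        fw.handle(Packet("WAN", "tcp", peer, lan, 80, 51000, "A")),                     # drop: wrong peer
        fw.handle(Packet("LAN", "udp", lan, dns, 40000, 53), now=0.0),                  # allow
        fw.handle(Packet("WAN", "udp", dns, lan, 53, 40000), now=1.0),                  # allow
        fw.handle(Packet("WAN", "udp", dns, lan, 53, 40000), now=40.0),                 # drop: timed out
        fw.handle(Packet("LAN", "icmp", lan, web, icmp_type=ICMP_ECHO), now=50.0),      # allow
        fw.handle(Packet("WAN", "icmp", web, lan, icmp_type=ICMP_ECHO_REPLY), now=51.0),# allow
        fw.handle(Packet("WAN", "icmp", web, lan, icmp_type=ICMP_REDIRECT), now=51.0), # drop
        fw.handle(Packet("WAN", "icmp", peer, lan, icmp_type=ICMP_ECHO), now=51.0),    # drop
    ]
```

Running `demo()` walks one LAN host through the cases the text describes: the unsolicited WAN SYN and the ACK from the wrong peer are refused, the DNS reply is accepted within the window but not after it, and only the echo reply that answers the LAN host's own echo request gets through, while the redirect and the inbound echo request are dropped and logged. A real implementation would also track TCP sequence numbers and teardown, which the cache entry here leaves out.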
10.5.5 Upper Layer Protocols
Some higher layer protocols (such as FTP and RealAudio) utilize multiple network connections
simultaneously. In general terms, they usually have a "control connection" which is used for sending