ZyXEL p-660hwp Manual Do Utilizador
Chapter 10 Firewalls
P-660HWP-Dx User’s Guide
42
6 Later, an inbound packet reaches the interface. This packet is part of the connection
previously established with the outbound packet. The inbound packet is evaluated
against the inbound access list, and is permitted because of the temporary access list
entry previously created.
against the inbound access list, and is permitted because of the temporary access list
entry previously created.
7 The packet is inspected by a firewall rule, and the connection's state table entry is
updated as necessary. Based on the updated state information, the inbound extended
access list temporary entries might be modified, in order to permit only packets that are
valid for the current state of the connection.
access list temporary entries might be modified, in order to permit only packets that are
valid for the current state of the connection.
8 Any additional inbound or outbound packets that belong to the connection are inspected
to update the state table entry and to modify the temporary inbound access list entries as
required, and are forwarded through the interface.
required, and are forwarded through the interface.
9 When the connection terminates or times out, the connection's state table entry is deleted
and the connection's temporary inbound access list entries are deleted.
10.5.2 Stateful Inspection and the P-660HWP-Dx
Additional rules may be defined to extend or override the default rules. For example, a rule
may be created which will:
may be created which will:
• Block all traffic of a certain type, such as IRC (Internet Relay Chat), from the LAN to the
Internet.
• Allow certain types of traffic from the Internet to specific hosts on the LAN.
• Allow access to a Web server to everyone but competitors.
• Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.
• Allow access to a Web server to everyone but competitors.
• Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.
These custom rules work by evaluating the network traffic’s Source IP address, Destination IP
address, IP protocol type, and comparing these to rules set by the administrator.
address, IP protocol type, and comparing these to rules set by the administrator.
"
The ability to define firewall rules is a very powerful tool. Using custom rules, it
is possible to disable all firewall protection or block all access to the Internet.
Use extreme caution when creating or deleting firewall rules. Test changes after
creating them to make sure they work correctly.
is possible to disable all firewall protection or block all access to the Internet.
Use extreme caution when creating or deleting firewall rules. Test changes after
creating them to make sure they work correctly.
Below is a brief technical description of how these connections are tracked. Connections may
either be defined by the upper protocols (for instance, TCP), or by the P-660HWP-Dx itself (as
with the "virtual connections" created for UDP and ICMP).
either be defined by the upper protocols (for instance, TCP), or by the P-660HWP-Dx itself (as
with the "virtual connections" created for UDP and ICMP).
10.5.3 TCP Security
The P-660HWP-Dx uses state information embedded in TCP packets. The first packet of any
new connection has its SYN flag set and its ACK flag cleared; these are "initiation" packets.
All packets that do not have this flag structure are called "subsequent" packets, since they
represent data that occurs later in the TCP stream.
If an initiation packet originates on the WAN, this means that someone is trying to make a
connection from the Internet into the LAN. Except in a few special cases (see "Upper Layer
Protocols" shown next), these packets are dropped and logged.
new connection has its SYN flag set and its ACK flag cleared; these are "initiation" packets.
All packets that do not have this flag structure are called "subsequent" packets, since they
represent data that occurs later in the TCP stream.
If an initiation packet originates on the WAN, this means that someone is trying to make a
connection from the Internet into the LAN. Except in a few special cases (see "Upper Layer
Protocols" shown next), these packets are dropped and logged.