Dos (Denial Of Service) Protection; Firewall And Access Control List (Acl); Priority Order Of Acl Rule; Tracking Connection State - Asus iPBX30 User Manual

Chapter 9 iPBX30 User Manual
stateful packet inspection; it is enabled by default when the firewall
is enabled. Please refer to section 9.3.1 "Firewall " to enable or
disable firewall service on the iPBX30.

9.1.2 DoS (Denial of Service) Protection

Both DoS protection and stateful packet inspection provide first line
of defense for your network. No configuration is required for both
protections on your network as long as firewall is enabled for the
iPBX30. By default, the firewall is enabled at the factory. Please
refer to section 9.3.1 "Firewall " to enable or disable firewall service
on the iPBX30.

9.1.3 Firewall and Access Control List (ACL)

9.1.3.1 Priority Order of ACL Rule

All ACL rules have a rule ID assigned – the smaller the rule ID, the
higher the priority. Firewall monitors the traffic by extracting header
information from the packet and then either drops or forwards the
packet by looking for a match in the ACL rule table based on the
header information.
The ACL rule checking starts from the rule with the smallest rule ID
until a match is found or all the ACL rules are examined. If no match
is found, the packet is dropped; otherwise, the packet is either
dropped or forwarded based on the action defined in the matched
ACL rule.

9.1.3.2 Tracking Connection State

The stateful packet inspection engine in the firewall keeps track
of the state, or progress, of a network connection. By storing
information about each connection in a state table, iPBX30 is able
to quickly determine if a packet passing through the firewall belongs
to an already established connection. If it does, it is passed through
the firewall without going through ACL rule evaluation.
For example, an ACL rule allows outbound ICMP packet from
192.168.1.1 to 192.168.2.1. When 192.168.1.1 send an ICMP echo
62