Configuring Packet Filter - 3Com 3C13636 Configuration Manual
3Com Router 3000 Ethernet Family
Configuration Guide
An FTP connection is set up as follows:
Suppose an FTP client initiates the FTP control channel connection from its port 1333 to port 21 on the FTP server. After negotiation, the server initiates the data channel connection from its port 20 to port 1600 on the client (active mode). A timeout or the end of a data transfer causes the connection to be deleted.
FTP detection operates as follows, from the time the FTP connection is set up until it is disconnected:
1) Checks the IP packets sent out through the egress interface and identifies, from the TCP header, those that are FTP packets.
2) Checks the port number, identifies the packet as belonging to a control connection, and creates a temporary ACL (TACL) and a status table entry for the returned packets.
3) Checks the packets on the FTP control connection, parses the FTP commands, and updates the status table accordingly. If a command establishes a data channel (such as PORT), a TACL is also created for that data connection. The state of the data channels themselves is not tracked.
4) Returned packets are matched according to protocol type, and ASPF then decides whether to pass them by consulting the status table and the TACL of that protocol.
5) When the FTP connection is deleted, its status table entry and TACL are cleared with it.
The detection of single-channel application layer protocols such as SMTP and HTTP is simpler: a TACL is created together with the connection and cleared when the connection ends.
III. Fundamentals of transport protocol layer detection
Here, transport layer protocol detection refers to TCP and UDP detection. Unlike application layer protocol detection, it inspects only transport layer packet information: source address, destination address and port numbers. TCP/UDP detection requires that a packet returned to the external interface of ASPF exactly match a packet that was sent out through it, that is, the source address, destination address and port numbers must correspond (with source and destination swapped). Otherwise the returned packet is blocked. Consequently, if you configure only TCP detection and not application layer detection, connections for multi-channel application layer protocols such as FTP and H.323 cannot be established, because the data channel the server opens does not correspond to any packet the client sent out.
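The following is an added illustration, not code from the 3Com manual or from the router's firmware. It models the FTP detection steps listed above and the transport-layer-only case in this section as a small simulator: an outbound control connection creates a status table entry and a TACL for returned packets; a PORT command parsed on the control channel opens a TACL entry for the server-initiated data channel; and closing the control connection clears both. The packet structure, the five-tuple TACL format, the host addresses and the class names are assumptions made for the demonstration. It also adds one safeguard the manual does not describe: a PORT command is honoured only if the address it announces is the client that sent it.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal packet model (assumption for the demo): transport five-tuple plus payload."""
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


FTP_CONTROL_PORT = 21
FTP_DATA_PORT = 20
# Active-mode client command "PORT h1,h2,h3,h4,p1,p2" (RFC 959); port = p1*256 + p2.
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


class TransportAspf:
    """TCP/UDP detection only: a returned packet passes only if it is the exact
    reverse (addresses and ports swapped) of a packet that was sent out."""

    def __init__(self):
        # TACL entries describing allowed returned packets: (proto, src, sport, dst, dport)
        self.tacl = set()

    def outbound(self, pkt):
        self.tacl.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound_allowed(self, pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.tacl

    def close(self, pkt):
        """Connection deleted (timeout or teardown): drop its TACL entry."""
        self.tacl.discard((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))


class FtpAspf(TransportAspf):
    """Adds FTP application layer detection on top of transport detection."""

    def __init__(self):
        super().__init__()
        # Status table: control connection -> TACL entries it opened for data channels
        self.status = {}

    @staticmethod
    def _ctl_key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def outbound(self, pkt):
        super().outbound(pkt)                                   # step 1: transport TACL
        if pkt.proto != "tcp" or pkt.dport != FTP_CONTROL_PORT:
            return
        key = self._ctl_key(pkt)
        data_entries = self.status.setdefault(key, set())        # step 2: status table entry
        m = PORT_RE.match(pkt.payload)                           # step 3: parse FTP command
        if not m:
            return
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        client_ip = f"{h1}.{h2}.{h3}.{h4}"
        client_port = p1 * 256 + p2
        # Added safeguard: only open a pinhole back to the host that sent the command,
        # never to a third inside host named in a forged PORT command.
        if client_ip != pkt.src:
            return
        # Active mode: the server will connect from port 20 to the announced port.
        entry = ("tcp", pkt.dst, FTP_DATA_PORT, client_ip, client_port)
        self.tacl.add(entry)
        data_entries.add(entry)

    def close(self, pkt):
        """Control connection deleted: clear its status entry and data TACLs (step 5)."""
        super().close(pkt)
        for entry in self.status.pop(self._ctl_key(pkt), ()):
            self.tacl.discard(entry)


def demo():
    """Replays the manual's scenario (client 1333 -> server 21, data 20 -> 1600)
    with constructed addresses and returns what each detector decides."""
    client, server = "10.0.0.5", "203.0.113.7"
    ctl = Packet("tcp", client, 1333, server, 21, b"PORT 10,0,0,5,6,64\r\n")  # 6*256+64 = 1600
    reply = Packet("tcp", server, 21, client, 1333)    # returned control packet
    data = Packet("tcp", server, 20, client, 1600)     # server-initiated data channel
    forged = Packet("tcp", client, 1333, server, 21, b"PORT 10,0,0,9,6,64\r\n")

    plain = TransportAspf()
    plain.outbound(ctl)
    ftp = FtpAspf()
    ftp.outbound(ctl)
    results = {
        "control_reply_allowed": ftp.inbound_allowed(reply),
        "transport_only_allows_data": plain.inbound_allowed(data),
        "ftp_aspf_allows_data": ftp.inbound_allowed(data),
    }
    ftp.close(ctl)
    results["after_close_allows_data"] = ftp.inbound_allowed(data)

    other = FtpAspf()
    other.outbound(forged)
    results["forged_port_opens_pinhole"] = other.inbound_allowed(
        Packet("tcp", server, 20, "10.0.0.9", 1600))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running it shows the point of the section: with transport detection alone the server's connection from port 20 to port 1600 matches nothing that was sent out and is blocked, while the FTP-aware detector has already opened a TACL entry for it from the PORT command and drops that entry again when the control connection closes.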

6.2 Configuring Packet Filter

Packet filter configuration includes:
Enable or Disable Firewall
Set the Default Filtering Mode of Firewall
Enable Packet Filter Fragment Inspection
Configure High/Low Threshold of Fragment Inspection
Apply ACL on the Interface
3Com Corporation
6-5
Chapter 6 Firewall Configuration