Table of Contents
Advertisement
12.5.1 Stateful Inspection Process
In this example, the following sequence of events occurs when a TCP packet leaves the LAN network through
the firewall's WAN interface. The TCP packet is the first in a session, and the packet's application layer protocol
is configured for a firewall rule inspection:
1. The packet travels from the firewall's LAN to the WAN.
2. The packet is evaluated against the interface's existing outbound access list, and the packet is permitted
(a denied packet would simply be dropped at this point).
3. The packet is inspected by the firewall to determine and record information about the state of the
packet's connection. This information is recorded in a new state table entry created for the new
connection. If there is not a firewall rule for this packet and it is not an attack, then Firewall Summary
screen's Action for packets that don't match firewall rules field determines the action for this
packet.
4. Based on the obtained state information, a firewall rule creates a temporary access list entry that is
inserted at the beginning of the WAN interface's inbound extended access list. This temporary access
list entry is designed to permit inbound packets of the same connection as the outbound packet just
inspected.
5. The outbound packet is forwarded out through the interface.
6. Later, an inbound packet reaches the interface. This packet is part of the connection previously
established with the outbound packet. The inbound packet is evaluated against the inbound access list,
and is permitted because of the temporary access list entry previously created.
7. The packet is inspected by a firewall rule, and the connection's state table entry is updated as necessary.
Based on the updated state information, the inbound extended access list temporary entries might be
modified, in order to permit only packets that are valid for the current state of the connection.
8. Any additional inbound or outbound packets that belong to the connection are inspected to update the
state table entry and to modify the temporary inbound access list entries as required, and are forwarded
through the interface.
When the connection terminates or times out, the connection's state table entry is deleted and the
9.
connection's temporary inbound access list entries are deleted.
12.5.2 Stateful Inspection and the ZyXEL device
Additional rules may be defined to extend or override the default rules. For example, a rule may be created
which will:
1. Block all traffic of a certain type, such as IRC (Internet Relay Chat), from the LAN to the Internet.
2. Allow certain types of traffic from the Internet to specific hosts on the LAN.
3. Allow access to a Web server to everyone but competitors.
4. Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.
These custom rules work by evaluating the network traffic's Source IP address, Destination IP address, IP
protocol type, and comparing these to rules set by the administrator.
The ability to define firewall rules is a very powerful tool. Using custom rules, it is
possible to disable all firewall protection or block all access to the Internet. Use
extreme caution when creating or deleting firewall rules. Test changes after creating
Configuration > Firewall
them to make sure they work correctly.
Vantage CNM 2.0
12-5
Advertisement
Table of Contents
