Packet Filter Technical Reference; Filter Types And Nat; Firewall Versus Filters - ZyXEL Communications P-660HW-Tx v3 User Manual

11.3 Packet Filter Technical Reference

This section provides some technical background information about the topics
covered in this chapter.

11.3.1 Filter Types and NAT

There are two classes of filter rules, generic filter rules and protocol filter rules.
Generic filter rules act on the raw data from/to LAN and WAN. Protocol filter rules
act on the IP packets. When NAT (Network Address Translation) is enabled, the
inside IP address and port number are replaced on a connection-by-connection
basis, which makes it impossible to know the exact address and port on the wire.
Therefore, the ZyXEL Device applies the protocol filters to the "native" IP address
and port number before NAT for outgoing packets and after NAT for incoming
packets. On the other hand, the generic filters are applied to the raw packets that
appear on the wire. They are applied at the point when the ZyXEL Device is
receiving and sending the packets; that is the interface. The interface can be an
Ethernet port or any other hardware port. The following diagram illustrates this.
Figure 79 Protocol and Generic Filter Sets
Route

11.3.2 Firewall Versus Filters

Below are some comparisons between the ZyXEL Device's filtering and firewall
functions.
Packet Filtering
• The router filters packets as they pass through the router's interface according
to the filter rules you designed.
• Packet filtering is a powerful tool, yet can be complex to configure and maintain,
especially if you need a chain of rules to filter a service.
• Packet filtering only checks the header portion of an IP packet.
When To Use Filtering
• To block/allow LAN packets by their MAC addresses.
• To block/allow special IP packets which are neither TCP nor UDP, nor ICMP
packets.
P-660HW-Tx v3 User's Guide
Protocol
NAT
Filters
Chapter 11 Packet Filter
Incoming
Generic
Filters
Outgoing
Interface
219