Packet Filtering Actions - McAfee SG310 Administration Manual

Firewall menu options
Packet filtering
NAT rules match packets in a similar manner. However, instead of simply allowing or disallowing traffic, you
can alter the source or destination address or port of the packet as it passes through the firewall. A typical
use of NAT rules is to forward packets destined for your Internet IP address to an internal Web server or
email server on your DMZ or LAN. Refer to NAT for more information about NAT and port forwarding.
If you are creating a number of packet filter or NAT rules, it is recommended that you define services (such
as Web or email) and addresses (such as your internal Web server, or a trusted external host) under the
Definitions menu option. You can then use these definitions in your rules, which reduces the effort and
administration required for larger rule sets. For procedures on defining services, refer to Definitions.
This section contains the following topics and procedures for packet filtering, incoming access, and custom
firewall rules:
Packet Filtering page
Creating a packet filter rule
Editing a packet filter rule
Disabling a packet filter rule
Enabling a packet filter rule
Deleting a packet filter rule
Rate limiting a packet filter rule
Incoming access
About custom firewall rules

Packet filtering actions

Once a packet has been matched to a rule, the firewall is instructed to perform one of the following actions.
• Allow – The Allow action creates a connection tracking entry for the flow of packets indicated by the
source and destination address and source and destination port of the first packet. Subsequent packets
that have the same address and port information are considered part of the same connection, as are any
responses moving in the opposite direction. A special built-in rule matches all packets that are part of the
same connection and bypasses all further checking of those packets. In this way, legitimate traffic can
traverse the firewall efficiently, even if the configuration has many rules. Once an allow action has been
carried out, all subsequent packets in the connection will not be examined, will not be logged, and will not
be considered in any rate-limiting calculation. For TCP connections, this usually means that the SYN
packet is matched by a rule, and nothing else.
Once a packet is Allowed, no further packet filtering rules are considered.
• Drop – The Drop action does not create a connection tracking entry. Packets that might be part of a
connection under the Allow action are treated exactly the same as the very first packet. This means that
subsequent packets will generate more log entries, and they will be considered for rate-limiting
calculations.
Once a packet is Dropped, no further packet filtering rules are considered.
Note:
If you enable logging for a drop rule, you should also enable rate limiting, otherwise an attacker is able
to perform a denial of service attack on the logging subsystem.
For example, due to the limited log size, it would be possible to flood the log with spoofed attempts, removing
any previous information in the log.
To enable rate limiting for this scenario, set the primary action to Drop with logging, and set the rate limited
action to Drop without logging.
• Reject – The Reject action behaves like the Drop action, but in addition to any logging and rate limiting
that might be enabled, the Reject action sends an "ICMP administratively prohibited" message in response
to every packet that is Rejected.
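The following is an added illustration, not code from the McAfee manual: a small Python model of the three actions above, showing why an Allowed flow is checked only once while every Dropped packet is examined, logged and counted, and how the "Drop with logging, rate-limited to Drop without logging" arrangement from the note bounds the log volume. Rule layout, the log limit, the implicit default deny and the sample addresses are assumptions made for the example.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

class PacketFilter:
    """Rules are (match_fn, action, log) tuples; action is allow, drop or reject."""

    def __init__(self, rules, log_limit):
        self.rules = rules
        self.log_limit = log_limit   # logged drops allowed before rate limiting applies (assumed)
        self.conntrack = set()       # connection tracking entries created by Allow
        self.log = []
        self.logged = 0

    def process(self, pkt):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Built-in rule: packets of an Allowed connection, in either direction,
        # bypass all further rule checking, logging and rate-limit accounting.
        if flow in self.conntrack or reply in self.conntrack:
            return "established"
        for match, action, log in self.rules:
            if not match(pkt):
                continue
            if action == "allow":
                self.conntrack.add(flow)      # only the first packet (e.g. the SYN) reaches here
                return "allow"
            # Drop/Reject create no entry: every packet is treated as a first packet.
            if log and self.logged >= self.log_limit:
                return action + "-unlogged"   # rate-limited action: same verdict, no log entry
            if log:
                self.logged += 1
                self.log.append(f"{action} {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}")
            return action
        return "drop"   # implicit default deny (assumption for this model)

def run_demo():
    rules = [
        (lambda p: p.dport == 80, "allow", False),   # traffic to a DMZ web server
        (lambda p: True, "drop", True),              # everything else: Drop with logging
    ]
    fw = PacketFilter(rules, log_limit=3)
    # Constructed sample traffic: one web connection, its reply, then a telnet flood
    web = [Packet("203.0.113.5", 40000, "192.0.2.10", 80)] * 3
    reply = [Packet("192.0.2.10", 80, "203.0.113.5", 40000)]
    flood = [Packet(f"203.0.113.{i + 1}", 1000 + i, "192.0.2.10", 23) for i in range(10)]
    results = [fw.process(p) for p in web + reply + flood]
    return results, fw.log
```

Only the first web packet is matched against the rules; the flood produces exactly three log entries, after which the rate-limited action silently drops the rest.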
McAfee UTM Firewall 4.0.4 Administration Guide
