Policies - Funkwerk W1002 Manual

15 Firewall
276
NAT
One of the basic functions of NAT is the translation of the local IP addresses of your LAN
into the global IP addresses you are assigned by your ISP and vice versa. All connections
initiated externally are first blocked, i.e. every packet your device cannot assign to an exist-
ing connection is rejected. This means that a connection can only be set up from inside to
outside. Without explicit permission, NAT rejects every access from the WAN to the LAN.
IP Access Lists
Here packets are permitted or rejected exclusively on the basis of the criteria listed above,
i.e. the state of the connection is not considered (except where Services = tcp).
SIF
The SIF sorts out all packets that are not explicitly or implicitly allowed. The result can be a
"deny", in which case no error message is sent to the sender of the rejected packet, or a
"reject", where the sender is informed of the packet rejection.
The incoming packets are processed as follows:
• The SIF first checks if an incoming packet can be assigned to an existing connection. If
so, it is forwarded. If the packet cannot be assigned to an existing connection, a check is
made to see if a suitable connection is expected (e.g. as affiliated connection of an exist-
ing connection). If so, the packet is also accepted.
• If the packet cannot be assigned to any existing or expected connection, the SIF filter
rules are applied: If a deny rule matches the packet, the packet is rejected without send-
ing an error message to the sender of the packet; if a reject rule matches, the packet is
rejected and an ICMP Host Unreachable message sent to the sender of the packet. The
packet is only forwarded if an accept rule matches.
• All packets without matching rules are rejected without sending an error message to the
sender when all the existing rules have been checked (=default behaviour).

15.1 Policies

Funkwerk Enterprise Communications GmbH
bintec W1002/W1002n/W2002/WIx040/WIx065