Firewall Overview; Brocade Firewall Functionality; Firewall And Fragmented Packets - Brocade Communications Systems 5600 vRouter Configuration Manual

Firewall Overview

Brocade firewall functionality, page 13
Defining firewall instances, page 14
Stateful firewall and connection tracking, page 14
TCP strict tracking, page 15
Applying firewall instances to interfaces, page 16
Interaction between firewall, NAT, and routing, page 16
Zone-based firewall, page 17
Control plane policing, page 19

Brocade firewall functionality

Firewall functionality analyzes and filters IP packets between network interfaces. The most common application of this functionality is to
protect traffic between an internal network and the Internet. It allows you to filter packets based on their characteristics and perform
actions on packets that match a rule. The Brocade vRouter firewall functionality provides the following features:
- Packet filtering for traffic that traverses the router, by using the in and out keywords on an interface
- Definable criteria for packet-matching rules, including source IP address, destination IP address, source port, destination port,
  IP protocol, and Internet Control Message Protocol (ICMP) type
- General detection of IP options, such as source routing and broadcast packets
- Ability to set the firewall globally for stateful or stateless operation
The vRouter firewall offers both IPv4 and IPv6 stateful packet inspection to intercept and inspect network activity and to allow or deny
the attempt. The advanced firewall capabilities of the vRouter include stateful failover.
Firewall cannot be applied to outbound local traffic. It can only be applied to inbound interface traffic and forwarded outbound traffic.

Firewall and fragmented packets

As per RFC 6192, fragments destined to the local CPU are dropped by the data plane. To prevent permitted CPU-bound fragments
from being dropped, a firewall rule must be configured to allow them through the interface so that the fragments can be reassembled.
If neither firewall nor NAT is configured, packet fragments are not inspected and are forwarded unchanged. However, in accordance with
RFC 6192, any fragments that are destined to a router local address are dropped.
An input firewall allows fragments to be reassembled. For both IPv4 and IPv6, if the packets arrive on an interface for which firewall is
configured, the fragments are reassembled at input before passing to the firewall. If all the fragments of a packet are not received, then
the packet is dropped. The reassembled packet passes through the remainder of the forwarding path and firewall does not recognize
fragments at either input or output. At output, the packet is refragmented, if necessary. This behavior also applies to a packet arriving on
an interface that is assigned to a firewall zone.
When fragmented packets arrive on an interface without a firewall configured and exit on an interface with an output firewall configured,
the fragmented packets are not inspected for L4 (TCP, UDP, ICMP, or GRE) information; however, the firewall rules recognize them as
fragments. Because the system does not process L4 information, a session for this packet is not found or created. Therefore, any return
packets that are associated with this fragment flow cannot match a session and, when the firewall is stateful, might be dropped.
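The two forwarding paths described above (input firewall reassembles before matching and drops an incomplete packet; output-only firewall sees raw fragments, cannot read L4 fields, and therefore creates no session for the return traffic) can be modelled end to end. The following Python is an added illustration written for this page, not Brocade vRouter code: it builds constructed IPv4 packets (placeholder addresses 10.0.0.5 and 192.0.2.10, a UDP query to port 53), fragments them at an MTU, reassembles them with a small contiguity check, and runs a toy stateful rule evaluator over both paths. The rule format, the Reassembler class and the scenario functions are assumptions of this example, not vRouter configuration syntax.

```python
import struct
from collections import defaultdict

IP_MF, IP_OFFMASK = 0x2000, 0x1FFF   # "more fragments" flag; 13-bit offset in 8-byte units
TCP, UDP = 6, 17
ip2b = lambda a: bytes(int(x) for x in a.split("."))
b2ip = lambda b: ".".join(str(x) for x in b)

def build_ipv4(src, dst, proto, ident, payload, offset=0, more=False):
    """Constructed IPv4 packet: 20-byte header (checksum left zero) plus payload."""
    ff = (IP_MF if more else 0) | ((offset // 8) & IP_OFFMASK)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, ff,
                       64, proto, 0, ip2b(src), ip2b(dst)) + payload

def parse_ipv4(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": b2ip(f[8]), "dst": b2ip(f[9]), "proto": f[6], "id": f[3],
            "more": bool(f[4] & IP_MF), "offset": (f[4] & IP_OFFMASK) * 8,
            "payload": pkt[(f[0] & 0x0F) * 4:f[2]]}

def is_fragment(pkt):
    p = parse_ipv4(pkt)
    return p["more"] or p["offset"] > 0

def fragment(pkt, mtu):
    """Split one packet at an MTU; every fragment but the last carries a multiple of 8 bytes."""
    p, step = parse_ipv4(pkt), (mtu - 20) // 8 * 8
    return [build_ipv4(p["src"], p["dst"], p["proto"], p["id"], p["payload"][off:off + step],
                       off, off + step < len(p["payload"]))
            for off in range(0, len(p["payload"]), step)]

class Reassembler:
    """Input-side reassembly: a packet is released only once every fragment has arrived."""
    def __init__(self):
        self.pending = defaultdict(dict)   # (src, dst, proto, id) -> {offset: (data, more)}

    def add(self, pkt):
        if not is_fragment(pkt):
            return pkt                      # whole packet: nothing to reassemble
        p = parse_ipv4(pkt)
        key = (p["src"], p["dst"], p["proto"], p["id"])
        frags = self.pending[key]
        frags[p["offset"]] = (p["payload"], p["more"])
        expected, last_seen = 0, False
        for off in sorted(frags):
            if off != expected:
                return None                 # hole in the data: keep waiting
            expected = off + len(frags[off][0])
            last_seen = not frags[off][1]
        if not last_seen:
            return None                     # final fragment (MF=0) not yet received
        del self.pending[key]
        data = b"".join(frags[off][0] for off in sorted(frags))
        return build_ipv4(p["src"], p["dst"], p["proto"], p["id"], data)

def l4_tuple(pkt):
    """5-tuple for TCP/UDP. Fragments yield None: no L4 fields are read from them."""
    p = parse_ipv4(pkt)
    if is_fragment(pkt) or p["proto"] not in (TCP, UDP) or len(p["payload"]) < 4:
        return None
    sport, dport = struct.unpack("!HH", p["payload"][:4])
    return (p["src"], p["dst"], p["proto"], sport, dport)

def reverse(t):
    return (t[1], t[0], t[2], t[4], t[3])

def firewall(pkt, rules, sessions):
    """Stateful evaluation: an existing session accepts first, otherwise rules apply (first match
    wins, default drop). Rule keys: proto, dport, fragment, action. A session is created only
    when the packet carried L4 information."""
    t = l4_tuple(pkt)
    if t and (t in sessions or reverse(t) in sessions):
        return "accept"
    p = parse_ipv4(pkt)
    for r in rules:
        if "fragment" in r and r["fragment"] != is_fragment(pkt):
            continue
        if "proto" in r and r["proto"] != p["proto"]:
            continue
        if "dport" in r and (t is None or t[4] != r["dport"]):
            continue
        if r["action"] == "accept" and t:
            sessions.add(t)
        return r["action"]
    return "drop"

# Constructed traffic: a 1204-byte UDP query to port 53 and its reply (placeholder addresses).
QUERY = build_ipv4("10.0.0.5", "192.0.2.10", UDP, 0x1234, struct.pack("!HH", 40000, 53) + b"x" * 1200)
REPLY = build_ipv4("192.0.2.10", "10.0.0.5", UDP, 0x9999, struct.pack("!HH", 53, 40000))
RULES = [{"proto": UDP, "dport": 53, "action": "accept"},
         {"fragment": True, "action": "accept"}]

def scenario_input_firewall(mtu=576, drop_index=None):
    """Fragments arrive on an interface with an input firewall: reassemble, then match.
    Returns (fragment count, verdict on the query, verdict on the reply)."""
    frags = fragment(QUERY, mtu)
    reasm, sessions, verdict = Reassembler(), set(), "drop"
    for i, f in enumerate(frags):
        if i == drop_index:
            continue                        # simulate a lost fragment: packet never completes
        whole = reasm.add(f)
        if whole:
            verdict = firewall(whole, RULES, sessions)
    return len(frags), verdict, firewall(REPLY, RULES, sessions)

def scenario_output_firewall_only(mtu=576):
    """No input firewall: each fragment reaches the output firewall as a fragment. Only the
    fragment rule can match, no session is created, and the reply has nothing to match."""
    sessions = set()
    verdicts = [firewall(f, RULES, sessions) for f in fragment(QUERY, mtu)]
    return verdicts, len(sessions), firewall(REPLY, RULES, sessions)
```

Running `scenario_input_firewall()` gives three fragments, an accepted query and an accepted reply; `scenario_input_firewall(drop_index=1)` drops both, because the packet never reassembles and so never creates a session; `scenario_output_firewall_only()` accepts the three fragments only via the fragment rule and then drops the reply, which is the stateful failure mode the paragraph above describes.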
RSVP packets are sent hop-by-hop and, since they can be large, they would benefit from being fragmented. The following commands
can ensure that RSVP packets are responded to.
vyatta@R1# set security firewall name RSVP rule 10 action accept
vyatta@R1# set security firewall name RSVP rule 10 protocol rsvp
Brocade 5600 vRouter Firewall Configuration Guide
53-1004253-01
13
