Defining Firewall Instances; Firewall Rules; Implicit Action; Exclusion Rules - Brocade Communications Systems 5600 vRouter Configuration Manual


Defining firewall instances

Firewalls filter packets on interfaces. Use of the firewall feature has two steps:
1. Define a firewall instance and save it under a name. A firewall instance is also called a firewall rule set, where a rule set is just a series of firewall rules. You define the firewall instance and configure the rules in its rule set in the firewall configuration node.
2. Apply the instance to an interface or a zone by configuring the interface configuration node for the interface or zone. After the instance is applied to the interface or zone, the rules in the instance begin filtering packets on that location.

Firewall rules

Firewall rules specify the match conditions for traffic and the action to be taken if the match conditions are satisfied. Traffic can be matched on a number of characteristics, including source IP address, destination IP address, source port, destination port, IP protocol, and ICMP type.
Rules are executed in numeric sequence, according to the rule number, from lowest to highest. If the traffic matches the characteristics specified by a rule, the action of the rule is executed; if not, the system "falls through" to the next rule.
The action can be one of the following:
Accept: Traffic is allowed and forwarded.
Drop: Traffic is silently discarded.
To avoid having to renumber firewall rules, a good practice is to number rules in increments of 10. This increment allows room for the insertion of new rules within the rule set.

Implicit Action

All firewall rule sets on the vRouter have, by default, an implicit final action of "pass all"; that is, traffic not matching any rule in the rule set is passed. When firewall rules are present the implicit action can be automatically modified so as to allow the 'return traffic' to PASS rather than DROP. The firewall rules have no effect on the implicit action as the firewall rules are ineffective in those instances. This default action can be changed by using security firewall name <name> default-action <action> (on page 53); it appends a hidden explicit rule to a named group of rules, and prevents any implicit action from being performed.

Exclusion rules

Note that you should take care in employing more than one "exclusion" rule, that is, a rule that uses the negation operator (exclamation mark [!]) to exclude a rule from treatment. Rules are evaluated sequentially, and a sequence of exclusion rules could result in unexpected behavior.

Stateful firewall and connection tracking

The vRouter CLI interacts with the Connection Tracking System, a module that provides connection tracking for various system functions, such as firewall and Network Address Translation (NAT). On the firewall, connection tracking allows for stateful packet inspection.
Stateless firewalls filter packets in isolation, based on static source and destination information. In contrast, stateful firewalls track the state of network connections and traffic flows and allow or restrict traffic based on whether its connection state is known and authorized. For example, when an initiation flow is allowed in one direction, the responder flow is automatically and implicitly allowed in the return direction. While typically slower under heavy load than stateless firewalls, stateful firewalls are better at blocking unauthorized communication.

Firewall Overview
Brocade 5600 vRouter Firewall Configuration Guide
53-1004253-01
14
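The following is an added example, not code from the Brocade guide or the vRouter itself: a small Python model of the rule-set semantics described under Firewall rules, Implicit Action and Exclusion rules (ascending rule numbers, first match wins, a default action for unmatched traffic, and the "!" negation operator). The Rule class, its field names, the sample addresses and the packets are constructed for the illustration; the vRouter's real match syntax is richer. It shows why two exclusion rules in sequence can let through a host that both were meant to block, and the explicit-drop form that avoids the surprise.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the guide's rule-set semantics (not vRouter code):
# rules run in ascending number order, the first match decides, and an
# unmatched packet gets the default action ("accept" = implicit "pass all").

@dataclass
class Rule:
    number: int
    action: str                         # "accept" or "drop"
    source: Optional[str] = None        # "10.0.0.5" or "10.0.0.0/8"; "!" negates
    destination: Optional[str] = None
    protocol: Optional[str] = None      # "tcp", "udp", "icmp"
    dport: Optional[int] = None

def _match(spec, value, is_addr):
    """One match condition; None means 'any'; a leading '!' negates."""
    if spec is None:
        return True
    negate = spec.startswith("!")
    want = spec.lstrip("!")
    if is_addr:
        hit = ipaddress.ip_address(value) in ipaddress.ip_network(want, strict=False)
    else:
        hit = value is not None and str(value) == want
    return hit != negate

def evaluate(rules, pkt, default_action="accept"):
    """Return (action, matching rule number or None) for one packet dict."""
    for r in sorted(rules, key=lambda r: r.number):
        if (_match(r.source, pkt["src"], True)
                and _match(r.destination, pkt["dst"], True)
                and _match(r.protocol, pkt.get("proto"), False)
                and _match(None if r.dport is None else str(r.dport),
                           pkt.get("dport"), False)):
            return r.action, r.number
    return default_action, None

# Two exclusion rules written to keep both hosts out: 10.0.0.5 is "not
# 10.0.0.6", so rule 20 accepts it before any drop could apply.
EXCLUSION_RULES = [Rule(10, "accept", source="!10.0.0.5"),
                   Rule(20, "accept", source="!10.0.0.6")]
# Same intent with explicit drops and a final accept: no surprise.
FIXED_RULES = [Rule(10, "drop", source="10.0.0.5"),
               Rule(20, "drop", source="10.0.0.6"),
               Rule(30, "accept")]
PKT = {"src": "10.0.0.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 22}
```

Calling evaluate(EXCLUSION_RULES, PKT) yields ("accept", 20) while evaluate(FIXED_RULES, PKT) yields ("drop", 10); with an empty rule set the result is the default action with no rule number, mirroring the implicit "pass all".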
