Stateful Inspection Process; Figure 13-5 Stateful Inspection - ZyXEL Communications ZyWALL 10 User Manual

Deny all sessions originating from the WAN (Internet) to the LAN (local network)
Figure 13-5 shows the ZyWALL's default firewall rules in action as well as demonstrates how stateful
inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are
allowed. However other Telnet traffic initiated from the WAN is not allowed.

13.4.1 Stateful Inspection Process

In this example, the following sequence of events occurs when a TCP packet leaves the LAN network
through the firewall's WAN interface. The TCP packet is the first in a session, and the packet's application
layer protocol is configured for a firewall rule inspection:
1. The packet travels from the firewall's LAN to the WAN.
2. The packet is evaluated against the interface's existing outbound access list, and the packet is
permitted (a denied packet would simply be dropped at this point).
3. The packet is inspected by a firewall rule to determine and record information about the state of the
packet's connection. This information is recorded in a new state table entry created for the new
connection. If there is not a firewall rule for this packet and it is not an attack, then "The default
action for packets not matching following rules " field (see Figure 16-3) determines the action for
this packet.
4. Based on the obtained state information, a firewall rule creates a temporary access list entry that is
inserted at the beginning of the WAN interface's inbound extended access list. This temporary
access list entry is designed to permit inbound packets of the same connection as the outbound
packet just inspected.
5. The outbound packet is forwarded out the interface.
What Is a Firewall?

Figure 13-5 Stateful Inspection

ZyWALL 10 Internet Security Gateway
13-7