Firewall Processing Sequence – Carrier Access Multi-Service Router (MSR) Card MSR/Adit 3K GUI User Manual
Adit 3000 (Rel. 1.6) and MSR Card (Rel 2.0) GUI, page 4-39
Security
Firewall Implementation
Firewall Processing Sequence
This section details the sequence of processing the firewall applies when examining packets.
This detail can help an experienced user understand the order in which each of the various
security settings is applied. The processing order is described separately for inbound and
outbound processing at an interface that has the firewall and/or NAPT enabled. Note that if the
interface is set for route mode with the firewall disabled, no packets are examined or translated,
either inbound or outbound, at that interface boundary.
Inbound Firewall Processing
The following table describes the sequence of examination of packets arriving at the interface. This
firewall processing is applied after the layer 2 driver and before passing the inbound packet up to
the IP stack. If the action for matching packets at a particular step is described as PASS, no further
firewall examination is applied and the packet is passed up to the IP stack. If the action is described
as DROP, the packet is dropped and not passed up to the stack. Packets that do not match the criteria
at that step continue processing at the next step. Packets that are passed by the firewall and require
NAPT translation are translated before passing the packet up to the IP stack.
Step  Test                                                                  Action
----  -------------------------------------------------------------------   -------------
1     Insecure IP options: loose source route, strict source route,         DROP
      record route, timestamp, or invalid IP option
2     Invalid IP fragments                                                  DROP
3     Match existing sessions: this matches ongoing sessions and applies    PASS
      NAPT where appropriate.
4     Packets generated by the firewall itself, e.g. TCP RST packets        PASS
5     User configured Advanced Filtering/Input Rule Sets/Initial Rules      as per filter
6     User configured Advanced Filtering/Input Rule Sets/Interface          as per filter
      Specific Rules
7     Standard Inbound Security:                                            DROP
      - ICMP to broadcast address
      - ICMP Redirect from the WAN
      - Source or destination IP address in loopback subnet
      - Source address from external host is the Adit IP address
      - IP address spoofed (source address from one interface in the
        other interface's subnet)
      - Source IP address is broadcast, multicast, or experimental
      - Echo, Chargen, Snork, or Quote DoS (src port 7, 17, or 19; or
        src & dst port 135)
8     User configured Local Server                                          PASS (NAPT)
9     To Adit IP address & user configured Remote Management                PASS
10    SIP and RTP local ports                                               PASS
11    Active IPSEC tunnel                                                   PASS
12    TCP Auth/Ident protocol (to TCP port 113)                             DROP
13    To Adit IP address & user configured DMZ Host                         PASS (NAPT)
14    Packet between DMZ interface and WAN interface                        PASS
15    User configured Advanced Filtering/Input Rule Sets/Final Rules        as per filter
last  Default action from the user configured General Security Policy:
        Maximum Security                                                    DROP
        Typical Security                                                    DROP
        Minimum Security                                                    PASS
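The practical consequence of this table is that the first matching step decides a packet, so a check early in the list overrides anything a later step would have done. The following Python model is an added illustration of that ordering and is not Carrier Access code or a description of the device firmware; the WAN address 203.0.113.1, the LAN subnet 192.168.1.0/24, the port numbers and the packets in demo() are all constructed for the example. Steps 5, 6, 10, 11, 14 and 15 are left empty because the model carries no user rule sets, voice or tunnel state.

```python
"""Ordered model of the inbound firewall processing sequence (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ADIT_IP = ip_address("203.0.113.1")        # assumed WAN address of the device
LAN_NET = ip_network("192.168.1.0/24")     # assumed subnet on the LAN interface
LOOPBACK = ip_network("127.0.0.0/8")
CLASS_E = ip_network("240.0.0.0/4")        # "experimental" source addresses
INSECURE_OPTS = {"lsrr", "ssrr", "rr", "ts", "invalid"}
DEFAULT_ACTION = {"Maximum Security": "DROP",
                  "Typical Security": "DROP",
                  "Minimum Security": "PASS"}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    iface: str = "wan"            # interface the packet arrived on
    ip_options: tuple = ()        # e.g. ("lsrr",) for loose source route
    bad_fragment: bool = False
    icmp_type: int = -1           # 5 is ICMP Redirect
    self_generated: bool = False  # e.g. a TCP RST the firewall itself emitted


@dataclass
class State:
    """Configuration and connection state the steps consult (assumed shape)."""
    sessions: set = field(default_factory=set)       # inbound 5-tuples of ongoing sessions
    local_servers: set = field(default_factory=set)  # (proto, dport) forwarded to LAN hosts
    mgmt_ports: set = field(default_factory=set)     # remote management ports on the Adit IP
    dmz_host: str = ""                               # "" means no DMZ host configured
    policy: str = "Typical Security"


def standard_inbound_security(p: Packet) -> bool:
    """Step 7: the fixed sanity checks; any one of them drops the packet."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    return any((
        p.proto == "icmp" and dst == LAN_NET.broadcast_address,
        p.proto == "icmp" and p.icmp_type == 5 and p.iface == "wan",
        src in LOOPBACK or dst in LOOPBACK,
        p.iface == "wan" and src == ADIT_IP,
        p.iface == "wan" and src in LAN_NET,          # spoofed: LAN source seen on WAN
        src.is_multicast or src == ip_address("255.255.255.255") or src in CLASS_E,
        p.proto in ("tcp", "udp") and (p.sport in (7, 17, 19)
                                       or (p.sport == 135 and p.dport == 135)),
    ))


def steps(s: State):
    """The ordered (name, predicate, action) list; the first match wins."""
    def to_adit(p):
        return ip_address(p.dst) == ADIT_IP
    return [
        ("1 insecure IP options", lambda p: bool(set(p.ip_options) & INSECURE_OPTS), "DROP"),
        ("2 invalid fragment", lambda p: p.bad_fragment, "DROP"),
        ("3 existing session",
         lambda p: (p.src, p.sport, p.dst, p.dport, p.proto) in s.sessions, "PASS"),
        ("4 firewall-generated", lambda p: p.self_generated, "PASS"),
        ("7 standard inbound security", standard_inbound_security, "DROP"),
        ("8 local server",
         lambda p: to_adit(p) and (p.proto, p.dport) in s.local_servers, "PASS (NAPT)"),
        ("9 remote management", lambda p: to_adit(p) and p.dport in s.mgmt_ports, "PASS"),
        ("12 TCP ident", lambda p: p.proto == "tcp" and p.dport == 113, "DROP"),
        ("13 DMZ host", lambda p: to_adit(p) and s.dmz_host != "", "PASS (NAPT)"),
    ]


def inbound(p: Packet, s: State):
    """Walk the steps in order and return (deciding step, action)."""
    for name, test, action in steps(s):
        if test(p):
            return name, action
    return "last: " + s.policy, DEFAULT_ACTION[s.policy]


def demo():
    """Constructed packets showing where ordering changes the outcome."""
    s = State(local_servers={("tcp", 80)}, mgmt_ports={443})
    s.sessions.add(("198.51.100.7", 40000, str(ADIT_IP), 40001, "udp"))
    adit = str(ADIT_IP)
    cases = {
        # a reply that belongs to a session still dies at step 1 if it carries a source route
        "source-routed reply": Packet("198.51.100.7", adit, "udp", 40000, 40001, ip_options=("lsrr",)),
        "reply in session": Packet("198.51.100.7", adit, "udp", 40000, 40001),
        # a Local Server forward (step 8) never sees a packet that step 7 already rejected
        "web to local server": Packet("198.51.100.9", adit, "tcp", 51515, 80),
        "chargen-sourced web": Packet("198.51.100.9", adit, "tcp", 19, 80),
        # ident is dropped at step 12 regardless of the General Security Policy
        "ident probe": Packet("198.51.100.9", adit, "tcp", 51516, 113),
        # an unsolicited packet with no matching step falls through to the policy default
        "unsolicited ssh": Packet("198.51.100.9", adit, "tcp", 51517, 22),
    }
    return {name: inbound(p, s) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (step, action) in demo().items():
        print(f"{name:22s} -> {action:12s} (decided at step {step})")
```

Note that the session match at step 3 sits after the IP option and fragment checks but before the standard inbound security checks at step 7, so a source-routed packet is dropped even when it belongs to an ongoing session, while the Minimum Security default at the last step only governs packets that nothing earlier has claimed.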