Section 31.1.3 – Westermo RedFox Series User Manual
Page 693

Westermo OS Management Guide
Version 4.17.0-0
3. Drop invalid: If the stateful packet inspection (SPI) setting has been enabled, packets of invalid state will be dropped. (See
for more information on what the SPI setting does.)
4. VPN Rules: If the WeOS unit is configured as a VPN gateway, rules to accept traffic between the local and remote subnets specified in the respective IPsec tunnel definitions are added to the forward filter. The implicit IPsec allow filter rules are added early in the evaluation order to improve routing performance of VPN traffic. (If you wish to further limit the traffic allowed through the IPsec tunnel, the recommendation is to update the local and remote subnet definitions of the IPsec tunnel accordingly, see
5. Configured Packet Filter Rules: Next, the configured packet filter rules are inserted, i.e., the configurable allow/deny rules described here in
The relative order of these packet filter rules is configurable.
6. NAT and Port Forwarding Rules: As described in
implicit allow filter rules are added for every configured port forwarding rule. This is also true for NAT rules; however, here the user can choose whether the associated rule should be created or not (see
and
). The internal order of the NAT rules can be changed, which also affects the order in which the associated filter rules are inserted in the forwarding filter chain.
7. Default Policy: Packets not matching any of the rules above will be handled according to the default policy for the forwarding filter chain.
31.1.3 Packet modification
WeOS supports modification of packets that are routed through the router/firewall. In the firewall overview,
in
, you can see that the modification is performed just before the forward filtering. Current limitations are that you can only modify the DSCP field of the IP header, and that modification is only possible for forwarded traffic, not for inbound or outbound local traffic.
Packet modification is specified as rules, similar to filters, and they are evaluated in the order they are listed. Unlike filters (
), packet modification rules are non-terminating. This means that every rule is evaluated for each packet passing through, and a packet may be modified more than once on its way through the modifier step.
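To make the two evaluation semantics concrete, the following is an added Python model of the forward path described above; it is not WeOS code, and the subnets, DSCP values and rule sets are constructed for illustration. Non-terminating modifier rules run first and may rewrite the DSCP field several times, terminating filter rules then pick the first match, and an unmatched packet falls through to the chain's default policy.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    src: str
    dst: str
    dscp: int = 0                            # DSCP field of the IP header
    log: list = field(default_factory=list)  # every DSCP write, in order

@dataclass
class Rule:
    src: str       # source subnet (CIDR) the rule matches
    dst: str       # destination subnet (CIDR) the rule matches
    action: str    # filter rule: "allow"/"deny"; modifier rule: "set-dscp"
    dscp: int = 0  # new DSCP value (modifier rules only)

    def matches(self, pkt):
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))

def modify(pkt, modifiers):
    # Non-terminating: every matching rule is applied in listed order,
    # so a later rule can overwrite the DSCP set by an earlier one.
    for rule in modifiers:
        if rule.matches(pkt):
            pkt.dscp = rule.dscp
            pkt.log.append(rule.dscp)
    return pkt

def forward_filter(pkt, filters, default_policy="deny"):
    # Terminating: the first matching rule decides; no match -> default policy.
    for rule in filters:
        if rule.matches(pkt):
            return rule.action
    return default_policy

def forward(pkt, modifiers, filters, default_policy="deny"):
    # Modification runs just before forward filtering, as in the firewall overview.
    modify(pkt, modifiers)
    return forward_filter(pkt, filters, default_policy), pkt.dscp

# Constructed sample rule sets, not taken from a real WeOS configuration.
MODIFIERS = [Rule("10.0.1.0/24", "0.0.0.0/0", "set-dscp", dscp=10),    # LAN -> AF11
             Rule("10.0.1.0/24", "10.0.2.0/24", "set-dscp", dscp=46)]  # ...voice subnet -> EF
FILTERS = [Rule("10.0.1.0/24", "10.0.2.0/24", "allow"),
           Rule("10.0.1.0/24", "0.0.0.0/0", "deny"),
           Rule("10.0.1.0/24", "192.168.0.0/16", "allow")]  # shadowed by the deny above
```

Running `forward(Packet("10.0.1.5", "10.0.2.9"), MODIFIERS, FILTERS)` shows both modifier rules firing (DSCP 10, then 46) before the first filter rule allows the packet, while the third filter rule can never be reached because the deny rule before it already terminates evaluation.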
© 2015 Westermo Teleindustri AB