Firewall configuration, Firewall overview, Introduction to packet-filter firewall – H3C Technologies H3C SecPath F1000-E User Manual
Page 124: Support for fragment filtering

Firewall configuration
NOTE:
The packet filter function supports only the IPv6 packet filtering configurations at the CLI.
Firewall overview
A firewall can block unauthorized access from the Internet to a protected network while allowing
internal users to reach the Internet for services such as WWW or email. A firewall can also be used to
control outbound access, for example to permit only specific hosts within the organization to reach the
Internet. Many of today's firewalls offer further features, such as identity authentication and security
processing (encryption) of traffic.
Another application of a firewall is to protect mainframes and important resources (such as data) on the
internal network. Any access to protected data must first pass through the firewall's filtering, even if the
access is initiated by a user on the internal network.
The firewall implements the packet-filter firewall function, which performs access control list (ACL)
based packet filtering.
Introduction to packet-filter firewall
A packet-filter firewall implements filtering specific to IPv6 packets. For each IPv6 packet to be forwarded,
the firewall first extracts the header information of the packet: the number of the upper-layer protocol
carried by the IP layer, the source address, the destination address, and the source and destination port
numbers. It then compares the extracted header information against the configured ACL rules and
processes the packet (permit or deny) according to the matching rule.
Support for fragment filtering
The packet-filter firewall supports fragment inspection and filtering. It checks:
• Packet type, which can be non-fragmented packet, first fragment, or non-first fragment.
• Layer 3 information of the packet, for matching against basic ACL rules and advanced ACL rules
  that contain no information above Layer 3.
• Upper-layer information, for matching against advanced ACL rules that contain information above
  Layer 3.
A session is created upon receiving the first fragment of a datagram and is used to forward the subsequent
fragments of that datagram. If the first fragment received is not the first fragment of the datagram (the
fragments arrived out of order), the device uses only the Layer 3 information in the fragment to match
against the ACL, because a non-first fragment does not carry the upper-layer header. Any ACL rule that
contains information above Layer 3 therefore cannot match such a fragment, and the match operation fails
for that rule.
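The following is an added example, not code from H3C or from the SecPath firmware, that models the decision logic described in the two sections above (ACL matching on the extracted header fields, the three packet types, sessions created on the first fragment, and the failed match of an out-of-order non-first fragment against a rule that needs upper-layer information). The rule format, the session key (source, destination, fragment identification), the sample addresses and the default action when no rule matches are assumptions made for the illustration, not the device's actual behaviour.

```python
"""Model of ACL-based packet filtering with fragment inspection.

Added illustration, not H3C code. Rule format, session key, sample
addresses and the default action are assumptions of this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

NON_FRAGMENT = "non-fragmented"
FIRST_FRAGMENT = "first-fragment"
NON_FIRST_FRAGMENT = "non-first-fragment"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # upper-layer protocol number/name carried by the IP layer
    frag_id: Optional[int] = None   # Fragment header Identification; None = not fragmented
    frag_offset: int = 0            # Fragment Offset (8-octet units); 0 = first fragment
    sport: Optional[int] = None     # transport ports exist only where the transport header is
    dport: Optional[int] = None

    def kind(self) -> str:
        if self.frag_id is None:
            return NON_FRAGMENT
        return FIRST_FRAGMENT if self.frag_offset == 0 else NON_FIRST_FRAGMENT

    def has_upper_layer(self) -> bool:
        # Only an unfragmented packet or the first fragment carries the transport header.
        return self.kind() != NON_FIRST_FRAGMENT


@dataclass
class Rule:
    """One ACL rule. src-only rules resemble a basic ACL; dst/proto/dport make it
    an advanced rule, and dport is the 'information above Layer 3'."""
    action: str                       # "permit" or "deny"
    src: Optional[str] = None         # IPv6 prefix, None = any
    dst: Optional[str] = None
    proto: Optional[str] = None       # Next Header value is IP-layer information, so it is
    dport: Optional[int] = None       # available in every fragment; ports are not

    def needs_upper_layer(self) -> bool:
        return self.dport is not None

    def matches(self, pkt: Packet) -> bool:
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.needs_upper_layer():
            if not pkt.has_upper_layer():
                return False          # the manual's "match operation fails"
            if pkt.dport != self.dport:
                return False
        return True


class PacketFilter:
    def __init__(self, rules, default_action="deny"):
        self.rules = rules
        self.default_action = default_action   # assumption: applied when no rule matches
        self.sessions = {}                     # (src, dst, frag_id) -> action of first fragment

    def filter(self, pkt: Packet):
        """Return (action, reason) for one packet and update fragment sessions."""
        key, kind = (pkt.src, pkt.dst, pkt.frag_id), pkt.kind()
        if kind == NON_FIRST_FRAGMENT and key in self.sessions:
            return self.sessions[key], "session"        # forwarded by the existing session
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt):
                action, reason = rule.action, f"rule {i}"
                break
        else:
            action, reason = self.default_action, "default"
        if kind == FIRST_FRAGMENT:
            self.sessions[key] = action                 # session created on the first fragment
        return action, reason


# Constructed sample ACL: a Layer-3-only permit, an advanced permit needing a port, a catch-all deny.
ACL = [
    Rule("permit", src="2001:db8:2::/64"),
    Rule("permit", dst="2001:db8:1::10/128", proto="tcp", dport=443),
    Rule("deny"),
]


def run_scenario():
    """Constructed packet trace; returns (packet type, action, reason) per packet."""
    fw = PacketFilter(ACL)
    srv, ext, trusted = "2001:db8:1::10", "2001:db8:9::5", "2001:db8:2::7"
    trace = [
        Packet(ext, srv, "tcp", sport=40000, dport=443),                          # unfragmented
        Packet(ext, srv, "tcp", frag_id=1, frag_offset=0, sport=40001, dport=443),  # in order
        Packet(ext, srv, "tcp", frag_id=1, frag_offset=160),
        Packet(ext, srv, "tcp", frag_id=2, frag_offset=160),                      # out of order
        Packet(ext, srv, "tcp", frag_id=2, frag_offset=0, sport=40002, dport=443),
        Packet(trusted, srv, "udp", frag_id=3, frag_offset=160),                  # Layer 3 rule
    ]
    return [(p.kind(),) + fw.filter(p) for p in trace]


if __name__ == "__main__":
    for row in run_scenario():
        print(*row)
```

The fourth packet is the case the manual warns about: the non-first fragment of datagram 2 arrives before its first fragment, so no session exists, the advanced rule that needs a destination port cannot match, and the catch-all deny applies even though the first fragment of the same datagram is later permitted. The last packet shows the contrast: a rule carrying only Layer 3 information still matches an out-of-order fragment.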