How the firewall inspects data packets

From the entire data stream passing through the IP router, the firewall filters out all data packets that have been targeted for special treatment.

The firewall only inspects the data packets that are routed by the IP router in the device. In general, these are data packets being exchanged between the internal networks (LAN, WLAN, DMZ) and the "outside world" via one of the WAN interfaces. Communication between the LAN and WLAN is not usually handled by the router, assuming that the LAN bridge allows a direct exchange. Thus the firewall rules do not apply here. The same applies to the so-called "internal services" such as Telnet, TFTP, SNMP and the web server for configuration via WEBconfig. The data packets for these services do not travel through the router and are therefore not affected by the firewall.

Note: As it is located behind the masquerading module (as seen from the WAN), the firewall works with the "real" internal IP addresses of the LAN stations and not with the external Internet address of the device.

The firewall in the device inspects the data packets using a number of lists, which are generated automatically from the firewall rules, the firewall actions triggered by them, or the active data connections:

When a data packet is to be routed via the IP router, the firewall uses the lists as follows:

  1. The first check is whether the packet has arrived from a workstation that is in the host block list. If the sender is blocked, the packet is dropped.
  2. If the sender is not blocked, the port block list is checked to see whether the port/protocol combination used on the target computer is closed. If it is, the packet is dropped.
  3. If neither the sender nor the destination is blocked by the first two lists, a check is made as to whether this connection is entered in the connection list. If an entry exists, the packet is treated as noted in the list.
  4. If no entry is found for the packet, the filter list is scanned for a matching entry and the action indicated there is performed. If the action indicates that the packet is to be accepted, an entry is made in the connection list and any further actions are noted there.

Important: If there is no explicit firewall rule for a data packet, the packet is accepted (allow all). This ensures backwards compatibility with existing installations. To maximize protection by stateful inspection, please refer to the section Establishing an explicit "deny-all" strategy.
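The four-step lookup above, together with the "allow all" default, is easy to misread, so here is a small simulation of it. This is an added example written for this page, not LANCOM code, and it does not model the device's real list formats: the host block list, port block list, connection list and filter list are plain Python containers, the sample addresses and rules are constructed, and the optional final "deny-all" filter entry stands in for the explicit deny-all strategy the note refers to.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# A routed packet as the firewall sees it: source host, destination host,
# protocol and destination port (constructed sample type).
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

ConnKey = Tuple[str, str, str, int]
# A filter entry: (name, match predicate, action); first match wins.
FilterRule = Tuple[str, Callable[[Packet], bool], str]

@dataclass
class Firewall:
    host_block: Set[str] = field(default_factory=set)                  # blocked senders
    port_block: Set[Tuple[str, str, int]] = field(default_factory=set)  # closed (dst, proto, port)
    connections: Dict[ConnKey, str] = field(default_factory=dict)      # active connections -> action
    filter_rules: List[FilterRule] = field(default_factory=list)       # derived from firewall rules

    def inspect(self, pkt: Packet) -> Tuple[str, str]:
        """Return (action, which list decided) for one routed packet."""
        # Step 1: host block list - is the sender blocked?
        if pkt.src in self.host_block:
            return "drop", "host-block"
        # Step 2: port block list - is this port/protocol closed on the target?
        if (pkt.dst, pkt.proto, pkt.dport) in self.port_block:
            return "drop", "port-block"
        # Step 3: connection list - known connection, reuse the recorded action.
        key: ConnKey = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
        if key in self.connections:
            return self.connections[key], "connection-list"
        # Step 4: filter list - first matching rule decides; an accepted
        # packet creates a connection-list entry for later packets.
        for name, match, action in self.filter_rules:
            if match(pkt):
                if action == "accept":
                    self.connections[key] = "accept"
                return action, f"filter:{name}"
        # No explicit rule matched: the device accepts the packet (allow all).
        return "accept", "default-allow-all"

def build_sample_firewall(explicit_deny_all: bool = False) -> Firewall:
    """Constructed configuration; addresses and ports are made up for the demo."""
    fw = Firewall()
    fw.host_block.add("10.0.0.66")                    # a blocked LAN station
    fw.port_block.add(("203.0.113.10", "tcp", 23))    # telnet closed on one target
    fw.filter_rules.append(
        ("allow-web", lambda p: p.proto == "tcp" and p.dport in (80, 443), "accept")
    )
    if explicit_deny_all:
        # Final catch-all entry: everything not accepted above is dropped.
        fw.filter_rules.append(("deny-all", lambda p: True, "drop"))
    return fw

if __name__ == "__main__":
    fw = build_sample_firewall()
    web = Packet("10.0.0.5", "203.0.113.10", "tcp", 443)
    print(fw.inspect(web))   # decided by the filter list, creates a connection entry
    print(fw.inspect(web))   # second packet of the same connection: connection list
    print(fw.inspect(Packet("10.0.0.5", "203.0.113.10", "udp", 5000)))  # allow all
    print(build_sample_firewall(True).inspect(Packet("10.0.0.5", "203.0.113.10", "udp", 5000)))
```

The last two calls show the point of the "Important" note: with only an allow rule configured, an unrelated UDP packet still passes because nothing matched, whereas the same packet is dropped once a final deny-all filter entry exists.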

The four lists obtain their information as follows:

All lists used by the firewall to inspect the data packets are therefore ultimately based on the firewall rules (Parameters of the firewall rules).

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
