Lancom Systems LCOS 3.50 User Manual

Page 111


Chapter 8: Firewall

LANCOM Reference Manual LCOS 3.50


packets that do not belong to one of the tracked sessions in the connection
state table are automatically discarded.

Additionally, the Stateful Inspection can detect from the connection setup
whether additional channels are being negotiated for data exchange.
Some protocols, such as FTP (for data transfer), T.120, H.225, H.245 and
H.323 (for NetMeeting or IP telephony), PPTP (for VPN tunnels) or IRC (for
chatting), signal by the particular source port used when establishing the
connection from the LAN to the Internet that they are negotiating further
ports with the remote station. The Stateful Inspection dynamically adds these
additional ports to the connection state list as well, restricted of course to
the particular source and destination addresses involved.

Let's look once again at the FTP download example. When starting the
FTP session, the client establishes a connection from its source port '4321' to
destination port '21' of the server. The Stateful Inspection allows this initial
setup, as long as FTP is permitted from local workstations to the outside. In the
dynamic connection state table, the Firewall enters the source and destination
addresses and the respective ports. At the same time, the Stateful Inspection
can inspect the control information sent to port 21 of the server. These control
signals indicate that the client requests a connection from port 20 of the server
to port 4322 of the client. The Firewall also enters these values into the dynamic

Stateful Inspection: direction-dependent checking

The filter sets of a Stateful Inspection Firewall are - contrary to classical port filter Firewalls -
dependent on their direction. Connections can only be established from the source to its
destination. The other direction would require an explicit filter entry as well. Once a connection
has been established, only the data packets belonging to this connection will be transmitted - in
both directions, of course. In this way you can reliably block all traffic that does not belong to a
known session and does not originate from the local network.
