Firewall processing sequence, Firewall processing sequence -39 – Carrier Access Multi-Service Router (MSR) Card MSR/Adit 3K GUI User Manual


Adit 3000 (Rel. 1.6) and MSR Card (Rel 2.0) GUI

4-39

Security

Firewall Implementation

Firewall Processing Sequence

This section details the sequence of processing that the firewall uses when examining packets.
This detail can help an experienced user better understand the order in which each of the various
security settings is applied. The processing order is described separately for inbound and
outbound processing at an interface that has firewall and/or NAPT enabled. Note that if the interface is
set for route mode with the firewall disabled, no packets are examined or translated, either
inbound or outbound, at that interface boundary.

Inbound Firewall Processing

The following table describes the sequence of examination of packets arriving at the interface. This
firewall processing is applied after the layer 2 driver and before passing the inbound packet up to
the IP stack. If the action for matching packets at a particular step is described as PASS, no further
firewall examination is applied and the packet is passed up to the IP stack. If the action is described
as DROP, the packet is dropped and not passed up to the stack. Packets that do not match the criteria
at that step continue processing at the next step. Packets that are passed by the firewall and require
NAPT translation are translated before passing the packet up to the IP stack.

Step  Test                                                                    Action
----  ----------------------------------------------------------------------  -------------
1     Insecure IP options: loose source route, strict source route,           DROP
      record route, time stamp, or invalid IP option
2     Invalid IP fragments                                                    DROP
3     Match existing sessions: this matches ongoing sessions and applies      PASS
      NAPT where appropriate.
4     Packets generated by the firewall itself; e.g. TCP RST packets.         PASS
5     User configured Advanced Filtering/Input Rule Sets/Initial Rules        as per filter
6     User configured Advanced Filtering/Input Rule Sets/Interface            as per filter
      Specific Rules
7     Standard Inbound Security:                                              DROP
      - ICMP to broadcast address
      - ICMP Redirect from the WAN
      - Source or destination IP address in loopback subnet
      - Source address from external host is Adit IP address
      - IP address spoofed (source address from one interface in other
        interface subnet)
      - Source IP address is broadcast, multicast, or experimental
      - Echo, Chargen, Snork, or Quote DoS (src port 7, 17, or 19; or
        src & dst port 135)
8     User configured Local Server                                            PASS (NAPT)
9     To Adit IP address & user configured Remote Management                  PASS
10    SIP and RTP local ports                                                 PASS
11    Active IPSEC tunnel                                                     PASS
12    TCP Auth/Ident protocol (to TCP port 113)                               DROP
13    To Adit IP address & user configured DMZ Host                           PASS (NAPT)
14    Packet between DMZ interface and WAN interface                          PASS
15    User configured Advanced Filtering/Input Rule Sets/Final Rules          as per filter
last  Take default action based on user configured General Security Policy:
        Maximum Security                                                      DROP
        Typical Security                                                      DROP
        Minimum Security                                                      PASS
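The table is a first-match chain: each packet walks the steps in order and the first step that yields PASS or DROP ends the examination, with the General Security Policy supplying the verdict when nothing matched. The following Python model is an added example, not code from the manual or from Carrier Access, that reproduces the inbound sequence above so the ordering effects can be checked against constructed packets. The interface addresses (203.0.113.0/24 WAN, 192.168.1.0/24 inside), the local server, remote-management and filter entries, and the Packet fields are all assumed for the example; the step numbers, tests and actions are the manual's.

```python
"""First-match model of the Adit inbound firewall sequence (added example, assumed config)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Action of the "last" step, keyed by the General Security Policy setting (from the table).
DEFAULT_ACTION = {"Maximum Security": "DROP", "Typical Security": "DROP", "Minimum Security": "PASS"}
INSECURE_IP_OPTIONS = {"loose_source_route", "strict_source_route", "record_route", "timestamp", "invalid"}


@dataclass
class Packet:
    """Constructed packet summary; flags stand in for state the firewall would already know."""
    src: str
    dst: str
    proto: str = "tcp"          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ip_options: tuple = ()
    icmp_type: int = -1         # 5 = ICMP Redirect
    invalid_fragment: bool = False
    from_firewall: bool = False
    existing_session: bool = False
    ipsec_tunnel: bool = False
    dmz_wan_pair: bool = False  # packet travelling between the DMZ and WAN interfaces


@dataclass
class WanInterface:
    """Assumed configuration of one WAN interface with firewall and NAPT enabled."""
    adit_ip: str = "203.0.113.1"
    wan_subnet: str = "203.0.113.0/24"
    inside_subnet: str = "192.168.1.0/24"              # subnet of the other (inside) interface
    policy: str = "Typical Security"
    initial_rules: list = field(default_factory=list)  # [(predicate, "PASS"|"DROP")] in order
    interface_rules: list = field(default_factory=list)
    final_rules: list = field(default_factory=list)
    local_servers: set = field(default_factory=set)    # {(proto, port)} published via NAPT
    remote_mgmt: set = field(default_factory=set)      # {(proto, port)} allowed to the Adit IP
    sip_rtp_ports: set = field(default_factory=set)
    dmz_host: str = ""                                 # empty string = no DMZ host configured


def apply_rules(rules, pkt):
    """Advanced Filtering rule set: first matching rule decides, otherwise fall through (None)."""
    for matches, action in rules:
        if matches(pkt):
            return action
    return None


def standard_inbound_security(pkt, ifc):
    """Step 7: the fixed checks the table lists; any one of them drops the packet."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    wan, inside = ip_network(ifc.wan_subnet), ip_network(ifc.inside_subnet)
    bad = [
        pkt.proto == "icmp" and dst == wan.broadcast_address,   # ICMP to broadcast address
        pkt.proto == "icmp" and pkt.icmp_type == 5,              # ICMP Redirect from the WAN
        src.is_loopback or dst.is_loopback,                      # loopback subnet either end
        src == ip_address(ifc.adit_ip),                          # external host claiming Adit IP
        src in inside,                                           # spoofed: inside source seen on WAN
        src.is_multicast or src.is_reserved or src == wan.broadcast_address,
        pkt.sport in (7, 17, 19) or (pkt.sport == 135 and pkt.dport == 135),  # echo/chargen/snork/quote
    ]
    return "DROP" if any(bad) else None


def inbound_decision(pkt, ifc):
    """Walk steps 1-15 in order; the first PASS or DROP wins, else the policy default applies."""
    to_adit = ip_address(pkt.dst) == ip_address(ifc.adit_ip)
    steps = [
        ("1 insecure IP options", lambda p: "DROP" if set(p.ip_options) & INSECURE_IP_OPTIONS else None),
        ("2 invalid fragment", lambda p: "DROP" if p.invalid_fragment else None),
        ("3 existing session", lambda p: "PASS" if p.existing_session else None),
        ("4 firewall-generated", lambda p: "PASS" if p.from_firewall else None),
        ("5 initial rules", lambda p: apply_rules(ifc.initial_rules, p)),
        ("6 interface rules", lambda p: apply_rules(ifc.interface_rules, p)),
        ("7 standard inbound security", lambda p: standard_inbound_security(p, ifc)),
        ("8 local server", lambda p: "PASS" if (p.proto, p.dport) in ifc.local_servers else None),
        ("9 remote management", lambda p: "PASS" if to_adit and (p.proto, p.dport) in ifc.remote_mgmt else None),
        ("10 SIP/RTP ports", lambda p: "PASS" if p.proto == "udp" and p.dport in ifc.sip_rtp_ports else None),
        ("11 IPsec tunnel", lambda p: "PASS" if p.ipsec_tunnel else None),
        ("12 TCP ident", lambda p: "DROP" if p.proto == "tcp" and p.dport == 113 else None),
        ("13 DMZ host", lambda p: "PASS" if to_adit and ifc.dmz_host else None),
        ("14 DMZ<->WAN", lambda p: "PASS" if p.dmz_wan_pair else None),
        ("15 final rules", lambda p: apply_rules(ifc.final_rules, p)),
    ]
    for name, check in steps:
        verdict = check(pkt)
        if verdict in ("PASS", "DROP"):
            return verdict, name
    return DEFAULT_ACTION[ifc.policy], "last: " + ifc.policy


# Constructed configuration and sample packets (addresses from documentation ranges).
IFC = WanInterface(
    local_servers={("tcp", 443)},
    remote_mgmt={("tcp", 22)},
    initial_rules=[(lambda p: ip_address(p.src) in ip_network("198.51.100.0/24"), "DROP")],
)
SAMPLES = {
    "blocked_by_initial_rule": Packet("198.51.100.7", "203.0.113.1", "tcp", 40000, 443),
    "spoofed_inside_source": Packet("192.168.1.5", "203.0.113.1", "tcp", 40000, 443),
    "ssh_to_router": Packet("192.0.2.9", "203.0.113.1", "tcp", 50000, 22),
    "chargen_source_port": Packet("192.0.2.9", "203.0.113.1", "udp", 19, 5000),
    "ident_probe": Packet("192.0.2.9", "203.0.113.1", "tcp", 50001, 113),
    "ident_in_session": Packet("192.0.2.9", "203.0.113.1", "tcp", 50003, 113, existing_session=True),
    "unsolicited_8080": Packet("192.0.2.9", "203.0.113.1", "tcp", 50002, 8080),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:26s} -> {inbound_decision(pkt, IFC)}")
```

Two ordering effects worth noticing when running it: the ident packet that belongs to an existing session is passed at step 3 and never reaches the step 12 drop, and the same unsolicited packet that is dropped under Typical Security is passed by a Minimum Security interface because only the last step differs.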
