Carrier Access Multi-Service Router (MSR) Card MSR/Adit 3K GUI User Manual


Adit 3000 (Rel. 1.6) and MSR Card (Rel 2.0) GUI

Security

Firewall Implementation

Outbound Firewall Processing

The following table describes the order in which packets departing from the interface are examined.
This firewall processing is applied after the IP stack and before the outbound packet is passed down
to the layer 2 driver. If the action for matching packets at a particular step is described as PASS, no
further firewall examination is applied and the packet is passed down to the driver. If the action is
described as DROP, the packet is dropped and not passed down to the driver. Packets that do not
match the criteria at a step continue processing at the next step. Packets that the firewall passes and
that require NAPT translation are translated before being passed down to the driver.

Step  Test                                                                  Action
----  --------------------------------------------------------------------  ----------------------
1     Insecure IP options: loose source route, strict source route,         DROP
      record route, time stamp, or invalid IP option
2     Invalid IP fragments                                                  DROP
3     Match existing sessions: this matches ongoing sessions and applies    PASS
      NAPT where appropriate.
4     Packets generated by the firewall itself; e.g. TCP RST packets.       PASS
5     User configured Advanced Filtering/Output Rule Sets/Initial Rules     as per filter
6     User configured Advanced Filtering/Output Rule Sets/Interface         as per filter
      Specific Rules
10    SIP and RTP local ports                                               PASS
11    User configured Access Control (based on source)                      DROP
12    User configured IP/Hostname Filtering (based on destination)          DROP
13    TCP Auth requests (TCP source port 113)                               PASS
14    Packet between DMZ interface and WAN interface                        PASS
15    User configured Advanced Filtering/Output Rule Sets/Final Rules       as per filter
last  Take default action based on user configured General Security        Maximum Security: DROP
      Policy:                                                               Typical Security: PASS
                                                                            Minimum Security: PASS
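As an added illustration that is not part of the Carrier Access manual, the following Python model walks the table above with first-match semantics; the packet fields, the IP option labels and the rule-set representation are assumptions, and the sample packets are constructed. It shows why the position of step 3 matters for Access Control: a blocked source's ongoing session still passes at step 3, and only its new flows reach the DROP at step 11.

```python
from collections import namedtuple
from dataclasses import dataclass, field
# Step 1 option names are assumed labels; DEFAULT_ACTION is the table's "last" row.
INSECURE_IP_OPTIONS = {"lsrr", "ssrr", "rr", "ts", "invalid"}
DEFAULT_ACTION = {"Maximum": "DROP", "Typical": "PASS", "Minimum": "PASS"}

Packet = namedtuple("Packet", "src dst in_if out_if sport dport ip_options bad_fragment fw_generated",
                    defaults=(0, 0, frozenset(), False, False))

@dataclass
class OutboundFirewall:
    policy: str = "Typical"
    sessions: set = field(default_factory=set)  # (src, dst, sport, dport) of ongoing sessions (step 3)
    rule_sets: dict = field(default_factory=dict)  # "initial"/"interface"/"final" -> [(predicate, action)]
    blocked_sources: set = field(default_factory=set)  # Access Control (step 11)
    blocked_destinations: set = field(default_factory=set)  # IP/Hostname Filtering (step 12)
    local_sip_rtp_ports: set = field(default_factory=set)  # step 10

    def _rules(self, name, p):
        # User-configured rule set: action of the first matching rule, else no decision at this step.
        return next((action for test, action in self.rule_sets.get(name, []) if test(p)), None)

    def decide(self, p):
        """Walk the table top to bottom; the first step with a truthy action decides the packet."""
        checks = [
            (1, p.ip_options & INSECURE_IP_OPTIONS and "DROP"),
            (2, p.bad_fragment and "DROP"),
            (3, (p.src, p.dst, p.sport, p.dport) in self.sessions and "PASS"),
            (4, p.fw_generated and "PASS"),
            (5, self._rules("initial", p)),
            (6, self._rules("interface", p)),
            (10, p.sport in self.local_sip_rtp_ports and "PASS"),
            (11, p.src in self.blocked_sources and "DROP"),
            (12, p.dst in self.blocked_destinations and "DROP"),
            (13, p.sport == 113 and "PASS"),
            (14, {p.in_if, p.out_if} == {"DMZ", "WAN"} and "PASS"),
            (15, self._rules("final", p)),
        ]
        for step, action in checks:
            if action:
                return step, action
        return "last", DEFAULT_ACTION[self.policy]

def demo():
    """Constructed packets: Access Control on 192.0.2.10 stops new flows, but its ongoing session passes at step 3."""
    fw = OutboundFirewall(policy="Maximum", blocked_sources={"192.0.2.10"})
    fw.sessions.add(("192.0.2.10", "198.51.100.5", 40000, 443))
    flows = {"new": Packet("192.0.2.10", "198.51.100.5", "LAN", "WAN", 40001, 443),
             "established": Packet("192.0.2.10", "198.51.100.5", "LAN", "WAN", 40000, 443),
             "other_host": Packet("192.0.2.20", "198.51.100.5", "LAN", "WAN", 40002, 443)}
    return {name: fw.decide(p) for name, p in flows.items()}
```

Under Maximum Security the unblocked host's new flow falls through every step and is dropped by the default action, which is the behaviour a practitioner should expect when no rule set or pass step claims the packet.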
