Section 31.1.2.3 – Westermo RedFox Series User Manual

Page 690


Westermo OS Management Guide

Version 4.17.0-0

Destination (UDP/TCP) Port: When the protocol is specified as UDP or TCP, the filter can match on the associated UDP/TCP port number(s).

As described in section 31.1.2.1, the filter settings for "outbound interface" and "destination IP Address/subnet" implicitly control whether the rule will apply to the input filter or the forwarding filter.

An incoming packet will be processed according to the rules defined for the input filter when the packet is destined to the switch, or according to the rules defined for the forwarding filter when the packet is being routed through the switch. The list of rules is searched (in order) until a match is found; if no matching rule is found, the packet is treated according to the default policy of the chain.

For more information on the rule evaluation order in the input filter and forward filter, see section 31.1.2.3.

31.1.2.3 Rule Evaluation Order in Input and Forward Filters

When the firewall is enabled, incoming packets are subject to input filtering or forward filtering depending on whether the packet is destined to the switch itself or should be routed to another network. Once the packet has been classified for the input or output filter chain, the list of that chain is traversed to find a matching rule. If a match is found, the packet will either be accepted or dropped depending on the type of the matching rule (allow or deny). If no matching rule is found, the packet will be handled according to the default policy of the chain.

The filter rules are inserted in the list in a certain order, which is the same order in which the packet matching evaluation is conducted. To view the current input and forward filter evaluation lists, use the command "show firewall" (see section 31.3.13) from the Admin Exec context. The order in which rules are inserted in the input and forward filters is described below.

31.1.2.3.1 Input Filter

1. Established/Related: Packets that are part of (or related to) established connections will be accepted. This rule is inserted first for performance reasons: the majority of all accepted packets will match this rule.

2. Drop invalid: If the stateful packet inspection (SPI) setting has been enabled, packets of invalid state will be dropped. (See section 31.1.2 for more information on what the SPI setting does.)
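The classification into input and forward chains, the ordered first-match search with a per-chain default policy, and the "established/related first, then drop invalid when SPI is on" ordering of the input filter are easiest to see on a small model. The following Python simulation is an added example written for this guide; it is not Westermo code and does not reproduce the switch's actual configuration syntax. The switch addresses, rule set and packets are constructed sample values, the filter match ignores the "outbound interface" criterion, and applying the same two connection-tracking rules ahead of the user rules in the forward chain is an assumption of the example (this page only lists the input filter order).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Addresses owned by the switch itself (constructed sample values, not from the manual).
SWITCH_ADDRS = {ip_address("192.168.1.1"), ip_address("10.0.0.1")}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # UDP/TCP destination port
    state: str = "new"           # connection-tracking state: new/established/related/invalid


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    proto: Optional[str] = None        # None matches any protocol
    dst_net: Optional[str] = None      # destination IP address/subnet, None matches any
    dport: Optional[int] = None        # UDP/TCP destination port, only meaningful with proto
    states: Tuple[str, ...] = ()       # empty tuple matches any connection state
    label: str = ""

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dst_net is not None and ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.states and p.state not in self.states:
            return False
        return True


def classify(p: Packet) -> str:
    """Input chain when the packet is addressed to the switch, forward chain otherwise."""
    return "input" if ip_address(p.dst) in SWITCH_ADDRS else "forward"


def build_chain(user_rules: List[Rule], spi_enabled: bool) -> List[Rule]:
    """Order the list as the manual describes for the input filter:
    established/related first, then 'drop invalid' when SPI is on, then the user rules."""
    chain = [Rule("allow", states=("established", "related"), label="established/related")]
    if spi_enabled:
        chain.append(Rule("deny", states=("invalid",), label="drop invalid"))
    chain.extend(user_rules)
    return chain


def evaluate(p: Packet, chains: Dict[str, List[Rule]],
             default_policy: Dict[str, str]) -> Tuple[str, str]:
    """First match wins; otherwise fall back to the chain's default policy.
    Returns (verdict, reason) so the reader can see which rule decided."""
    chain_name = classify(p)
    for rule in chains[chain_name]:
        if rule.matches(p):
            return rule.action, f"{chain_name}: {rule.label or 'user rule'}"
    return default_policy[chain_name], f"{chain_name}: default policy"


# Constructed sample rule set: management access to the switch, and a protected server LAN.
USER_RULES = {
    "input": [
        Rule("allow", proto="tcp", dport=22, label="allow ssh to switch"),
        Rule("allow", proto="tcp", dport=443, label="allow https to switch"),
    ],
    "forward": [
        Rule("allow", proto="tcp", dst_net="10.0.1.0/24", dport=80, label="allow http to server lan"),
        Rule("deny", dst_net="10.0.1.0/24", label="deny other traffic to server lan"),
    ],
}
DEFAULT_POLICY = {"input": "deny", "forward": "allow"}


def chains(spi_enabled: bool = True) -> Dict[str, List[Rule]]:
    """Assumption of this example: both chains get the same connection-tracking prelude."""
    return {name: build_chain(rules, spi_enabled) for name, rules in USER_RULES.items()}


if __name__ == "__main__":
    samples = [
        Packet("10.0.0.9", "192.168.1.1", "tcp", 22),                    # management, matches user rule
        Packet("10.0.0.9", "192.168.1.1", "tcp", 23, state="established"),  # accepted by rule 1 only
        Packet("10.0.0.9", "10.0.1.5", "tcp", 80, state="invalid"),      # dropped by rule 2 when SPI is on
        Packet("10.0.0.9", "10.0.2.5", "udp", 53),                       # no rule, forward default policy
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(pkt, chains(True), DEFAULT_POLICY))
```

The telnet packet in the established state shows why the order matters: no user rule permits port 23 on the input chain, yet the packet is accepted by the established/related rule before the search ever reaches the default deny. Re-running the invalid-state packet with `chains(False)` shows the other side of the same point: without the SPI "drop invalid" rule in front, the later HTTP allow rule matches it.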

© 2015 Westermo Teleindustri AB
