Section 31.1.3 – Westermo RedFox Series User Manual

Page 693


Westermo OS Management Guide

Version 4.17.0-0

3. Drop invalid: If the stateful packet inspection (SPI) setting has been enabled, packets of invalid state will be dropped. (See section 31.1.2 for more information on what the SPI setting does.)

4. VPN Rules: If the WeOS unit is configured as VPN gateway, rules to accept traffic between the local and remote subnets specified in the respective IPsec tunnel definitions are added to the forward filter. The reason for adding the implicit IPsec allow filter rules early in the evaluation order is to improve routing performance of VPN traffic. (In case you wish to limit the traffic allowed to pass through the IPsec tunnel further, the recommendation is to update the local and remote subnet of the IPsec tunnel definitions accordingly, see section 35.1.1.)

5. Configured Packet Filter Rules: Then the configured packet filter rules are inserted, i.e., the configurable allow/deny rules described in section 31.1.2. The relative order of these packet filter rules is configurable.

6. NAT and Port Forwarding Rules: As described in section 31.1.2, implicit allow filter rules are added for every configured port forwarding rule. This is also true for NAT rules; however, here the user can choose whether the associated rule should be created or not (see sections 31.1.4.1 and 31.1.4.2.3). The internal order of the NAT rules can be changed, which also affects the order in which the associated filter rules are inserted in the forwarding filter chain.

7. Default Policy: Packets not matching any of the rules above will be handled according to the default policy for the forwarding filter chain.

31.1.3 Packet modification

WeOS supports modification of packets that are routed through the router/firewall. In the firewall overview (fig. 31.1 in section 31.1.2), you can see that the modification is performed just before the forward filtering. Current limitations are that you can only modify the DSCP field of the IP header, and that modification is only possible for forwarded traffic, not for inbound or outbound local traffic.

Packet modification is specified as rules, similar to filters, and they are evaluated in the same order as they are listed. Unlike filters (section 31.1.2), packet modification rules are non-terminating. This means that every rule will be evaluated for packets passing through, and a packet may be modified more than once on its way through the modifier step.
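The evaluation order of the forward filter chain listed above, together with the non-terminating DSCP modification step that runs just before it, can be checked with a small model. The following is an added example written for this page, not WeOS code; the rule shapes, the `ForwardChain`/`Packet` names and the sample addresses are assumptions, and port forwarding is simplified to a list of internal target addresses.

```python
import ipaddress
from dataclasses import dataclass, field

def in_net(addr, net):
    """True if addr falls inside net; the string "any" matches everything."""
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

@dataclass
class Packet:
    src: str
    dst: str
    state: str = "new"   # connection-tracking state: new, established or invalid
    dscp: int = 0        # DSCP field of the IP header, the only field WeOS modifies
@dataclass
class ForwardChain:
    spi_enabled: bool = True
    default_policy: str = "deny"
    ipsec_subnets: list = field(default_factory=list)  # (local, remote) from tunnel definitions
    filter_rules: list = field(default_factory=list)   # (src, dst, action) in configured order
    port_forwards: list = field(default_factory=list)  # internal targets of port forwarding rules
    modifiers: list = field(default_factory=list)      # (src, dst, dscp) modification rules

def modify(chain, pkt):
    """Modification step: non-terminating, so every matching rule applies and the last match wins."""
    for src, dst, dscp in chain.modifiers:
        if in_net(pkt.src, src) and in_net(pkt.dst, dst):
            pkt.dscp = dscp
    return pkt.dscp

def forward(chain, pkt):
    """Evaluate the forward chain in its fixed order; returns (verdict, stage)."""
    modify(chain, pkt)  # performed just before forward filtering (fig. 31.1)
    if chain.spi_enabled and pkt.state == "invalid":
        return "drop", "drop-invalid"  # SPI drops invalid-state packets before any allow rule
    for local, remote in chain.ipsec_subnets:  # implicit IPsec allow, either direction
        if (in_net(pkt.src, local) and in_net(pkt.dst, remote)) or \
           (in_net(pkt.src, remote) and in_net(pkt.dst, local)):
            return "allow", "ipsec-implicit"
    for src, dst, action in chain.filter_rules:  # configured rules: first match terminates
        if in_net(pkt.src, src) and in_net(pkt.dst, dst):
            return action, "configured-rule"
    if any(in_net(pkt.dst, target) for target in chain.port_forwards):
        return "allow", "port-forward-implicit"  # implicit allow for port forwarding rules
    return chain.default_policy, "default-policy"

# Constructed sample configuration, not taken from the manual.
CHAIN = ForwardChain(ipsec_subnets=[("192.168.1.0/24", "10.0.0.0/24")],
                     filter_rules=[("192.168.1.0/24", "any", "allow"), ("any", "192.168.2.10", "deny")],
                     port_forwards=["192.168.2.10"],
                     modifiers=[("192.168.1.0/24", "any", 10), ("any", "10.0.0.0/24", 46)])
```

With this configuration an invalid-state packet between the IPsec subnets is dropped before the implicit VPN allow is reached, a configured deny towards 192.168.2.10 wins over the port-forwarding implicit allow because it sits earlier in the chain, and a packet matching both modifier rules ends up with the DSCP value of the last one.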

© 2015 Westermo Teleindustri AB
