1 stateful inspection process – ZyXEL Communications ZYWALL10 User Manual

ZyWALL 10 Internet Security Gateway

What Is a Firewall?

13-7

!

Denies all sessions originating from the WAN (Internet) to the LAN (local network).

Figure 13-5 Stateful Inspection

The previous figure shows the ZyWALL’s default firewall rules in action as well as demonstrates how
stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this
request are allowed. However other Telnet traffic initiated from the WAN is blocked.

13.4.1 Stateful Inspection Process

In this example, the following sequence of events occurs when a TCP packet leaves the LAN network
through the firewall's WAN interface. The TCP packet is the first in a session, and the packet's application
layer protocol is configured for a firewall rule inspection:

1. The packet travels from the firewall's LAN to the WAN.
2. The packet is evaluated against the interface's existing outbound access list, and the packet is

permitted (a denied packet would simply be dropped at this point).

3. The packet is inspected by a firewall rule to determine and record information about the state of the

packet's connection. This information is recorded in a new state table entry created for the new
connection. If there is not a firewall rule for this packet and it is not an attack, then The default
action for packets not matching following rules field (see Figure 16-3) determines the action for
this packet.

4. Based on the obtained state information, a firewall rule creates a temporary access list entry that is

inserted at the beginning of the WAN interface's inbound extended access list. This temporary
access list entry is designed to permit inbound packets of the same connection as the outbound
packet just inspected.

5. The outbound packet is forwarded out the interface.