
Chapter 9 - Configuring Firewall/NAT Settings

ASUS SL1200

packet inspection engine. Otherwise, the packet will be dropped. This "hole" will be closed when the connection session terminates. No configuration is required for stateful packet inspection. It is enabled by default when the firewall is enabled. Refer to section 11.1 Configure System Services to enable or disable the firewall service on the router.

9.1.2 Denial of Service (DoS) Protection

DoS protection and stateful packet inspection together form the first line of defense for your network. Neither protection requires configuration as long as the firewall is enabled on the router, and the firewall is enabled by default. Refer to section 11.1 Configure System Services to enable or disable the firewall service on the router.

9.1.3 Firewall and Access Control List (ACL)

9.1.3.1 Priority Order of ACL Rules

Every ACL rule is assigned a rule ID; the smaller the rule ID, the higher the priority. The firewall monitors traffic by extracting header information from each packet and then drops or forwards the packet according to the matching entry in the ACL rule table. Rule checking starts from the rule with the smallest rule ID and continues until a match is found or all ACL rules have been examined. If no match is found, the packet is dropped. Otherwise, the packet is dropped or forwarded according to the action defined in the matching ACL rule. Because the first match wins, a broad rule with a small rule ID shadows any more specific rule with a larger ID; place specific rules before general ones when you assign IDs.

9.1.3.2 Tracking Connection State

The stateful inspection engine in the firewall keeps track of the state, or progress, of each network connection. By storing information about each connection in a state table, the router can quickly determine whether a packet passing through the firewall belongs to an already established connection. If it does, the packet is passed through the firewall without going through ACL rule evaluation.

For example, suppose an ACL rule allows outbound ICMP packets from 192.168.1.1 to 192.168.2.1. When 192.168.1.1 sends an ICMP echo request (a ping) to 192.168.2.1, 192.168.2.1 sends an ICMP echo reply back to 192.168.1.1. You do not need to create a separate inbound ACL rule on the router, because the stateful packet inspection engine remembers the connection state and allows the ICMP echo reply to pass through the firewall.
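The following is an added example, not ASUS firmware or code from this manual. It is a small Python model of the lookup order described in 9.1.3.1 and 9.1.3.2: the state table is consulted first, then the ACL table in ascending rule-ID order, and a packet that matches nothing is dropped. The rule fields, the Firewall class, and the use of the ICMP echo identifier as the connection key are assumptions made for illustration; the addresses are the ones in the manual's ping example.

```python
"""Toy model of the SL1200 firewall pipeline from 9.1.3 (added example,
not ASUS code): state table first, then ACL rules by ascending ID,
default drop. Rule and packet layouts are illustrative assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str         # "icmp", "tcp" or "udp"
    src: str
    dst: str
    direction: str     # "outbound" or "inbound"
    sport: int = 0     # TCP/UDP source port
    dport: int = 0     # TCP/UDP destination port
    icmp_id: int = 0   # ICMP echo identifier (assumed connection key for ICMP)


@dataclass(frozen=True)
class AclRule:
    rule_id: int       # smaller ID = higher priority
    direction: str
    proto: str         # "any" or a protocol name
    src: str           # "any" or an exact address
    dst: str
    action: str        # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.proto in ("any", pkt.proto)
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst))


class Firewall:
    def __init__(self, rules: List[AclRule]):
        # Evaluation order is by rule ID, not by the order rules were entered.
        self.rules = sorted(rules, key=lambda r: r.rule_id)
        self.state = set()   # established connections ("holes" opened by allowed packets)

    @staticmethod
    def _key(pkt: Packet) -> Tuple:
        if pkt.proto == "icmp":
            return ("icmp", pkt.src, pkt.dst, pkt.icmp_id)
        return (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)

    @staticmethod
    def _reverse_key(pkt: Packet) -> Tuple:
        # Key a reply would have if it belongs to a session opened from the other side.
        if pkt.proto == "icmp":
            return ("icmp", pkt.dst, pkt.src, pkt.icmp_id)
        return (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)

    def evaluate_acl(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        # First match by smallest rule ID wins; no match means drop.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule.rule_id
        return "deny", None

    def process(self, pkt: Packet) -> Tuple[str, str]:
        # 1) Stateful engine: a packet of an established session bypasses the ACL.
        if self._reverse_key(pkt) in self.state:
            return "forward", "state-table"
        # 2) ACL evaluation for everything else.
        action, rule_id = self.evaluate_acl(pkt)
        if action == "allow":
            self.state.add(self._key(pkt))   # open the hole for the reply traffic
            return "forward", f"rule {rule_id}"
        return "drop", (f"rule {rule_id}" if rule_id is not None else "no match")

    def close_session(self, pkt: Packet) -> None:
        # Session ends (teardown or timeout): the hole is closed again.
        self.state.discard(self._key(pkt))


def demo() -> dict:
    """Replays the manual's ping example plus a shadowing case (constructed input)."""
    fw = Firewall([
        AclRule(10, "outbound", "icmp", "192.168.1.1", "any", "allow"),
        AclRule(5, "outbound", "icmp", "192.168.1.1", "10.0.0.1", "deny"),
    ])
    results = {}
    # Rule 5 is checked before rule 10 although it was entered second.
    results["ping_blocked_host"] = fw.process(
        Packet("icmp", "192.168.1.1", "10.0.0.1", "outbound", icmp_id=77))
    request = Packet("icmp", "192.168.1.1", "192.168.2.1", "outbound", icmp_id=42)
    results["ping_allowed_host"] = fw.process(request)
    # The echo reply is inbound; no inbound rule exists, yet the state table forwards it.
    reply = Packet("icmp", "192.168.2.1", "192.168.1.1", "inbound", icmp_id=42)
    results["echo_reply"] = fw.process(reply)
    # An unsolicited inbound request matches no session and no rule.
    results["unsolicited_request"] = fw.process(
        Packet("icmp", "192.168.2.1", "192.168.1.1", "inbound", icmp_id=99))
    # Once the session terminates, the same reply is dropped again.
    fw.close_session(request)
    results["reply_after_close"] = fw.process(reply)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} -> {decision}")
```

The `ping_blocked_host` case shows why rule IDs matter: rule 10 would have allowed the ping, but rule 5 has the smaller ID and is evaluated first. The `reply_after_close` case shows the hole closing when the session ends, so inbound traffic that was forwarded a moment earlier falls back to ACL evaluation and is dropped for lack of a matching rule.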
