Sections 31.1.2, 2 packet filtering – Westermo RedFox Series User Manual
Page 685

Westermo OS Management Guide
Version 4.17.0-0
firewall must inspect the FTP control connection to learn which connections to let
through. To make the firewall handle such protocols correctly, protocol-specific
ALG helpers can be enabled. As of WeOS v4.17.0, ALG helpers for FTP, TFTP, SIP,
IRC, H323 and PPTP are supported. ALG helpers have some impact on the unit’s
routing performance and are therefore disabled by default.
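The control-connection inspection described above, sketched as an added Python example (not Westermo's code and not WeOS configuration). The function names, the sample addresses, and the policy of rejecting third-party addresses and ports below 1024 are assumptions made for illustration, and no NAT is assumed between the endpoints.

```python
import ipaddress
import re

# RFC 959 host-port form: h1,h2,h3,h4,p1,p2 (six decimal fields)
_HOSTPORT = re.compile(
    r"(?<![\d,])" + ",".join([r"(\d{1,3})"] * 6) + r"(?![\d,])")

# Constructed control-channel lines: (line, sender of the line, receiver)
SAMPLES = [
    ("PORT 192,168,1,10,19,137", "192.168.1.10", "10.0.0.2"),
    ("227 Entering Passive Mode (10,0,0,2,195,80)", "10.0.0.2", "192.168.1.10"),
    ("PORT 192,168,1,99,19,137", "192.168.1.10", "10.0.0.2"),  # third-party address
]


def parse_hostport(text):
    """Return (IPv4Address, port) from a host-port sextet, or None if malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]


def expected_data_connection(line, sender_ip, receiver_ip):
    """Return the data connection to permit as (src_ip, dst_ip, dst_port),
    or None when the line announces nothing the helper should open."""
    line = line.strip()
    # PORT (active mode) and the 227 reply (passive mode) both announce
    # the address and port on which the sender will accept the data connection.
    if not (line.upper().startswith("PORT ") or line.startswith("227 ")):
        return None
    parsed = parse_hostport(line[4:])
    if parsed is None:
        return None
    ip, port = parsed
    # Only open a hole towards the endpoint that announced it, and never
    # towards a privileged port, so the helper cannot be steered elsewhere.
    if ip != ipaddress.IPv4Address(sender_ip) or port < 1024:
        return None
    return (str(ipaddress.IPv4Address(receiver_ip)), str(ip), port)


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], "->", expected_data_connection(*sample))
```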
31.1.2 Packet Filtering
[Figure 31.1 diagram. Labels: INPUT FILTERING, FORWARD FILTERING, OUTPUT FILTERING, FORWARD MODIFICATION, PREROUTING, POSTROUTING, Packet Filtering, Packet Modification, Port Forwarding, 1-1 NAT, NAPT, NETWORK, To Switch (HTTP, SSH, SNMP, ...), From Switch (HTTP, SSH, SNMP, ...)]
Figure 31.1: Overview of Firewall mechanism. Thick lines represent packet flows.
Figure 31.1 presents an overview of the firewall mechanism, including the
components for packet filtering, packet modification, NAT, and port forwarding.
The following sections provide a more in-depth description of the WeOS packet
filtering functions.
• Filtering chains (input, forward, output): Filter rules can apply to
  – traffic destined to the switch (input filtering), e.g., HTTP traffic to
    manage the switch,
  – traffic forwarded/routed by the switch (forward filtering), or
  – traffic generated by the switch (output filtering).
© 2015 Westermo Teleindustri AB