Westermo RedFox Series User Manual

Page 686


Westermo OS Management Guide

Version 4.17.0-0

The WeOS firewall supports input and forward filtering, but not output filtering. Section 31.1.2.1 gives more details on WeOS handling of filtering chains.

Configurable allow/deny filter rules: The user can define filter rules to specify traffic to be allowed or denied, and the order of the configured rules. Incoming packets are evaluated against the filter rules – the first matching rule decides how to treat the packet (allow or deny). Section 31.1.2.2 describes packet matching parameters for filter rules, and section 31.1.2.3 provides more information on filter evaluation order (both for configured filter rules and the implicit filter rules described below).

Default rules to allow "ping": When enabling the firewall, the user is offered to add a set of default rules. These rules allow ICMP packets to pass the input filter, thereby enabling operators to ping the unit after enabling the firewall. These rules are treated as any other configured rule and can thus be removed, etc.

Implicit filter rules: The WeOS firewall implicitly adds firewall rules for services enabled on the unit, e.g., for DHCP, OSPF or DNS. The primary purpose of this is to simplify management of those services when the firewall is enabled. With a few exceptions, these implicit rules are evaluated after the configured rules (see above); thus, a user can override or complement the implicit rules by configuring additional filter rules. Below is a list of services associated with implicit filter rules.

IPsec VPN:

IPsec signalling and data encapsulation: If at least one IPsec tunnel is enabled, rules are implicitly added to allow IP protocol 50 (ESP) and UDP port 4500 (IKE/ESP for NAT traversal) to enter the unit on all interfaces.

Allowing data to pass through tunnels: For every IPsec VPN tunnel (see chapter 35) filter rules are implicitly added to the forward filter to allow traffic between the local subnet and remote subnet defined for the VPN tunnel.

As of WeOS v4.17.0, the implicit IPsec VPN rules are added before the configured filter rules (for performance reasons). Thus, the implicit IPsec VPN rules cannot be overridden by rules configured by the user.
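To make the evaluation order concrete, here is a small Python model, added as an example and not WeOS code, of the input chain described above: implicit IPsec rules first (as of v4.17.0), then the configured rules in user order, then the remaining implicit service rules, with first-match semantics. The service port numbers, the sample rules and the action for packets that match no rule are assumptions of this model (the page does not state the default action).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: Optional[str]   # "esp", "udp", "tcp", "icmp"; None matches any protocol
    dport: Optional[int]   # destination port; None matches any port
    origin: str            # where the rule came from, used to explain a verdict

    def matches(self, proto: str, dport: Optional[int]) -> bool:
        return self.proto in (None, proto) and self.dport in (None, dport)

def build_input_chain(configured: List[Rule], ipsec_enabled: bool,
                      services: List[Tuple[str, int]]) -> List[Rule]:
    """Model of the v4.17.0 input-chain order on this page: implicit IPsec
    rules, then configured rules in user order, then other implicit rules."""
    chain: List[Rule] = []
    if ipsec_enabled:
        chain.append(Rule("allow", "esp", None, "implicit-ipsec"))   # IP proto 50
        chain.append(Rule("allow", "udp", 4500, "implicit-ipsec"))   # NAT traversal
    chain.extend(configured)
    for proto, port in services:
        chain.append(Rule("allow", proto, port, "implicit-service"))
    return chain

def evaluate(chain: List[Rule], proto: str, dport: Optional[int] = None,
             default: str = "deny") -> Tuple[str, str]:
    """First matching rule decides. `default` applies when nothing matches;
    that default action is an assumption of this model, not from the page."""
    for rule in chain:
        if rule.matches(proto, dport):
            return rule.action, rule.origin
    return default, "default"

def demo() -> dict:
    # Constructed sample: the user tries to deny ESP and DHCP, and allows ping.
    configured = [
        Rule("deny", "esp", None, "configured"),
        Rule("deny", "udp", 67, "configured"),   # DHCP server port (assumed)
        Rule("allow", "icmp", None, "configured"),
    ]
    chain = build_input_chain(configured, True, [("udp", 67), ("udp", 53)])  # DHCP, DNS (assumed)
    return {
        "esp": evaluate(chain, "esp"),        # implicit IPsec rule wins over the user's deny
        "dhcp": evaluate(chain, "udp", 67),   # configured deny overrides the implicit allow
        "dns": evaluate(chain, "udp", 53),    # only the implicit service rule matches
        "ping": evaluate(chain, "icmp"),
        "ssh": evaluate(chain, "tcp", 22),    # no rule matches; model default applies
    }
```

The "esp" and "dhcp" results show the two cases the text distinguishes: an implicit IPsec allow that a configured deny cannot override, and an implicit service allow that it can.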


© 2015 Westermo Teleindustri AB
