Section 31.1.2.1 – Westermo RedFox Series User Manual

Page 688


Westermo OS Management Guide

Version 4.17.0-0

helper functions can be enabled to provide connection tracking of more
complex protocols, such as FTP and SIP.

For performance reasons, packets of related/established connections
are evaluated early in the filter chains, and thus cannot be overridden by
filter rules configured by the user.

Stateful Packet Inspection (ability to drop packets of invalid state): It
is also possible to fine-tune the connection tracking behaviour to drop
packets of invalid state¹ – this is done by enabling the stateful packet
inspection (SPI) setting. In some situations that can be considered a
security enhancement; however, it may cause problems in topologies
with asymmetric routing and is therefore disabled by default.
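As an added illustration (not WeOS code), the following minimal Python model shows the behaviour described above: established traffic is accepted before any user rule, and a SYN+ACK with no preceding SYN is "invalid" and is dropped only when SPI is enabled. The tracker, the packet tuples, and the sample addresses are constructed assumptions, not anything from the manual.

```python
from dataclasses import dataclass

NEW, ESTABLISHED, INVALID = "NEW", "ESTABLISHED", "INVALID"

@dataclass(frozen=True)
class Packet:
    src: str    # source IP (constructed sample values below)
    dst: str    # destination IP
    flags: str  # "SYN", "SYN+ACK" or "ACK"; TCP only in this toy model
class ConnTracker:
    """Toy connection tracker: remembers the SYN of each flow it has seen."""
    def __init__(self):
        self.flows = {}  # (client, server) -> "SYN_SENT" | "ESTABLISHED"

    def classify(self, pkt):
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags == "SYN":
            self.flows[fwd] = "SYN_SENT"
            return NEW
        if pkt.flags == "SYN+ACK":
            # Valid only as the reply to a SYN seen in the opposite direction;
            # otherwise it is the footnote's "invalid" state.
            if self.flows.get(rev) == "SYN_SENT":
                self.flows[rev] = "ESTABLISHED"
                return ESTABLISHED
            return INVALID
        return ESTABLISHED if fwd in self.flows or rev in self.flows else INVALID

def firewall_verdict(tracker, pkt, spi_enabled, user_rule):
    """ACCEPT/DROP for one packet. ESTABLISHED traffic is accepted early, so a
    user rule cannot override it; INVALID traffic is dropped only when SPI is
    on; all else goes to user_rule (user filter rules plus default policy)."""
    state = tracker.classify(pkt)
    if state == ESTABLISHED:
        return "ACCEPT"
    if state == INVALID and spi_enabled:
        return "DROP"
    return "ACCEPT" if user_rule(pkt) else "DROP"

def run_scenario(packets, spi_enabled, user_rule=lambda p: True):
    tracker = ConnTracker()
    return [firewall_verdict(tracker, p, spi_enabled, user_rule) for p in packets]

# Constructed traffic. Symmetric: the firewall saw the SYN, so the SYN+ACK is
# ESTABLISHED. Asymmetric: the SYN took another path, so SYN+ACK is INVALID.
SYMMETRIC = [Packet("10.0.0.5", "10.0.1.8", "SYN"),
             Packet("10.0.1.8", "10.0.0.5", "SYN+ACK")]
ASYMMETRIC = [Packet("10.0.1.8", "10.0.0.5", "SYN+ACK")]
```

Running ASYMMETRIC with spi_enabled=True drops the SYN+ACK, which is exactly the asymmetric-routing breakage the text warns about; with SPI disabled the same packet falls through to the user rules and default policy instead.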

Default filter rules: Packets not matching any filter rule will be handled
according to the default filter policy. The default filter policies for the
input filter and forwarding filter chains are configurable, see
section 31.1.2.1.

31.1.2.1 Filtering chains (input, forward, output)

Fig. 31.1 presents an overview of the firewall mechanism including the
filtering chains (input, forward and output). Packets are treated
differently if they:

are destined to the switch: Examples include HTTP/HTTPS, SSH, Telnet, and
SNMP traffic used to manage the switch remotely, and ICMP (Ping) traffic to
check whether the switch is up. Such packets are subject to the pre-routing
and input filtering firewall mechanisms.

originate from the switch: This includes the same examples as above
(HTTP/HTTPS, SSH, Telnet, SNMP, ICMP, etc.), with the difference that these
are packets sent by the switch rather than packets addressed to it. Such
packets are subject to the output filtering and post-routing firewall
mechanisms; however, WeOS does not include primitives to control output
filtering.

are routed via the switch: This includes traffic that is neither destined
for the switch nor originates from the switch. Such packets are subject to
the pre-routing, forward filtering and post-routing firewall mechanisms.

As of WeOS v4.17.0, the selection of filter chain for configured filter rules
is implicitly derived from the "outbound interface" and "destination IP
Address/subnet"

¹ An example of a packet with an "invalid" state is when a firewall sees a TCP
"SYN+ACK" without having seen the preceding TCP "SYN" in the other direction.


© 2015 Westermo Teleindustri AB
