Westermo RedFox Series User Manual


Westermo OS Management Guide

Version 4.17.0-0

31.1.3.1 Performance considerations

The packet filtering mechanism utilises the connection tracking mechanism to
optimise handling for already established sessions, while packet modification
rules cannot use this connection tracking benefit. The modification rules will
be evaluated for every single forwarded packet passing the router/firewall, which
means that modification rules have a much bigger performance impact than
filtering rules.

As using modifier rules decreases the total routing throughput of the router/firewall,
you should use this feature with care and avoid adding unnecessary rules.

31.1.3.2 Packet modification matching

Much like packet filters, modification rules can have match parameters defining
what traffic the rules apply to. The matching parameters are optional – if skipped
the modifier rule runs for ALL packets.

These are the matching parameters that can be used:

Inbound Interface: The interface where the packet comes in.

Outbound Interface: The interface where the packet is sent out.

Source IP Address/Subnet: The source IP address of the packet. This can be specified as a single IP address, or the rule could match a whole IP subnet.

Destination IP Address/Subnet: The destination IP address of the packet. This can be specified as a single IP address, or the rule could match a whole IP subnet.

Protocol: The protocol type of the IP payload. Typically TCP or UDP, but the filtering can also be made to match other protocols such as ICMP and ESP[4].

Destination (UDP/TCP) Port: When protocol is specified as UDP or TCP, the filter can match on the associated UDP/TCP port number(s).
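The following Python sketch is an added illustration, not WeOS code or CLI syntax. It models the matching parameters above to show that an omitted parameter acts as a wildcard, and it flags rules with no parameters at all, since those run for ALL forwarded packets. The class, function, rule and interface names are hypothetical, and the packets are constructed sample data.

```python
from dataclasses import dataclass, fields
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class ModRule:  # hypothetical model of one modification rule
    name: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src: Optional[str] = None    # single IP address or subnet
    dst: Optional[str] = None    # single IP address or subnet
    proto: Optional[str] = None  # e.g. "tcp", "udp", "icmp", "esp"
    dport: Optional[int] = None  # destination port, TCP/UDP only

    def __post_init__(self):
        if self.dport is not None and self.proto not in ("tcp", "udp"):
            raise ValueError(f"{self.name}: port match needs proto tcp or udp")

    def set_params(self):
        # Names of the match parameters that are actually configured.
        return [f.name for f in fields(self)
                if f.name != "name" and getattr(self, f.name) is not None]

    def matches(self, pkt):
        # An omitted parameter is a wildcard; every configured one must match.
        for key in ("in_if", "out_if", "proto", "dport"):
            want = getattr(self, key)
            if want is not None and pkt.get(key) != want:
                return False
        for key in ("src", "dst"):
            want = getattr(self, key)
            if want is not None and ip_address(pkt[key]) not in ip_network(want, strict=False):
                return False
        return True

def unscoped(rules):
    # Rules with no match parameters apply to ALL forwarded packets.
    return [r.name for r in rules if not r.set_params()]

def hit_counts(rules, packets):
    return {r.name: sum(r.matches(p) for p in packets) for r in rules}

# Constructed sample rule set and packets (interface names are made up).
RULES = [ModRule("scoped", in_if="vlan1", dst="192.168.2.0/24", proto="udp", dport=5060),
         ModRule("catch-all")]
PACKETS = [
    {"in_if": "vlan1", "out_if": "vlan2", "src": "10.0.0.5", "dst": "192.168.2.10", "proto": "udp", "dport": 5060},
    {"in_if": "vlan1", "out_if": "vlan2", "src": "10.0.0.5", "dst": "192.168.2.10", "proto": "tcp", "dport": 80},
    {"in_if": "vlan3", "out_if": "vlan2", "src": "10.0.0.9", "dst": "192.168.2.10", "proto": "icmp"},
]
```

Running `unscoped(RULES)` over an exported rule set gives a quick list of modification rules worth scoping or removing before they reduce routing throughput.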

[4] See http://www.iana.org/assignments/protocol-numbers/ for a list of defined IP protocols.


© 2015 Westermo Teleindustri AB
