Firewall
262
8.3
The BAT Firewall
BAT54-Rail/F..
Release
7.54
06/08
Note: If no explicit Firewall rule exists for a data packet, the packet will be
accepted (’Allow-All’). That grants a backward-compatibility for existing
installations. For maximum protection by the Stateful Inspection, please
note the section ’Set-up of an explicit "Deny All" strategy’ → page 283.
The four lists obtain their information as follows:
D In the host block list are all those stations listed, which are blocked for a
certain time because of a Firewall action. The list is dynamic, new entries
can be added continuously with appropriate actions of the Firewall. En-
tries automatically disappear after exceeding the timeout.
D In the port block list those protocols and services are filed, which are
blocked for a certain time because of a Firewall action. This list is likewise
a dynamic one, new entries can be added continuously with the appropri-
ate Firewall actions. Entries automatically disappear after exceeding the
timeout.
D For each established connection an entry is made in the connection list,
if the checked packet has been accepted by the filter list. In the connec-
tion list is noted from which source to which destination, over which pro-
tocol and which port a connection is actually allowed. The list contains in
addition, how long an entry will stay in the list and which Firewall rule is
responsible for the entry. This list is very dynamic and permanently “mov-
ing”.
D The filter list is made of the Firewall rules. The containing filters are static
and only changed when Firewall rules are added, edited or deleted.
Thus all lists, which are consulted by the Firewall to check data packets, fi-
nally base on the Firewall rules (’Parameters of Firewall rules’ → page 268).
8.3.2 Special protocols
One important point during the connection tracking is the treatment of proto-
cols that dynamically negotiate ports and/or addresses, over which further
communication is done. Examples of these kinds of protocols are FTP, H.323
or also many UDP-based protocols. Thereby it is necessary that further con-
nections must be opened, additionally to the first connection. See also ’Dif-
ferent types of Firewalls’ → page 253.
To Next Page
Loading...
Need help?
General
