Iskratel SI3000 - Page 35
4.7.1 IP Filter 29
Firewall policies
A Firewall policy is the name of the rule that applies to a data path between two classes of security
interface. You can add different address validator and filter rules to each policy in order to provide different
levels of security to the inside networks attached to the router. For example, if your DMZ (Demilitarized
Zone) contains an FTP server that can be accessed by external hosts, the rules between the dmz and
external security interfaces will be less stringent than those between the internal and external security
interfaces. Policies exist by default:
between the external interface and the internal interface
between the external interface and the DMZ interface
between the DMZ interface and the internal interface
Policies are set to block only the IP addresses specified in validator rules. If you have configured your
router and created security interfaces, the data paths between each of the router’s security interfaces look
like this:
Figure 4-29: Firewall policies between security interfaces
You can use the default, pre-configured Firewall policies, add new policies, and delete policies.
Port Filters
A Port Filter is a rule that determines how the Firewall should handle packets being transported on a policy
between two security interfaces. You can create separate filter rules based on:
the protocol type of the traffic allowed to be transported
which TCP/UDP port numbers the packets are allowed to be transported on
the name of the well-known protocol, service or application allowed to be transported
source and destination addresses
Whichever type of filter rule you use, you must also determine which direction packets should be allowed
to travel in:
inbound: permitted traffic is transported from the outside interface to the inside interface
outbound: permitted traffic is transported from the inside interface to the outside interface
both: inbound and outbound rules apply
Note: If you create a filter and you want to change the direction that packets are allowed
to travel in, you must delete the original filter and create another.
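To make the two concepts concrete, here is an added Python model of how policies and port filters combine; it is an illustration written for this page, not the manual's own text and not the SI3000's configuration syntax. It keys each policy by its interface pair, derives a packet's direction from which interface is outside, applies validator addresses as blocks, and treats a policy with port filters as passing only matching packets; the addresses, the three-level outside ranking and the default-pass behaviour of a policy without filters are assumptions of the model.

```python
from collections import namedtuple

# Security interfaces as labelled in the manual's figure, ranked from outside to inside
# so that a packet's direction follows from the interface pair it crosses.
OUTSIDE_RANK = {"external": 0, "dmz": 1, "internal": 2}
POLICY_NAMES = {frozenset(("dmz", "external")): "dmz-external",
                frozenset(("internal", "external")): "internal-external",
                frozenset(("dmz", "internal")): "dmz-internal"}

# PortFilter: protocol "tcp"/"udp"/"any", destination port or None, direction
# "inbound"/"outbound"/"both", addresses or "any". Policy: validator-blocked addresses + filters.
PortFilter = namedtuple("PortFilter", "protocol port direction src dst", defaults=("any", "any"))
Policy = namedtuple("Policy", "blocked filters", defaults=(frozenset(), ()))
Packet = namedtuple("Packet", "ingress egress protocol dport src dst")

def direction_of(pkt):
    """inbound = outside interface to inside interface, outbound = the reverse."""
    return "inbound" if OUTSIDE_RANK[pkt.ingress] < OUTSIDE_RANK[pkt.egress] else "outbound"

def permitted(policies, pkt):
    """Evaluate a packet against the policy for its interface pair. Model assumption:
    validator addresses are always blocked, a policy that has port filters passes only
    packets matching one of them, and a policy with no filters passes everything else."""
    pol = policies[POLICY_NAMES[frozenset((pkt.ingress, pkt.egress))]]
    if pkt.src in pol.blocked or pkt.dst in pol.blocked:
        return False
    if not pol.filters:
        return True
    d = direction_of(pkt)
    return any(f.protocol in ("any", pkt.protocol) and f.port in (None, pkt.dport)
               and f.src in ("any", pkt.src) and f.dst in ("any", pkt.dst)
               and f.direction in ("both", d) for f in pol.filters)

# Constructed sample configuration: an FTP server in the DMZ reachable from outside,
# LAN clients allowed out on HTTPS only, one external address blocked by a validator rule.
FTP_SERVER = "192.0.2.10"
POLICIES = {
    "dmz-external": Policy(blocked=frozenset({"203.0.113.7"}),
                           filters=(PortFilter("tcp", 21, "inbound", dst=FTP_SERVER),)),
    "internal-external": Policy(filters=(PortFilter("tcp", 443, "outbound"),)),
    "dmz-internal": Policy(),
}

def demo():
    packets = [
        Packet("external", "dmz", "tcp", 21, "198.51.100.5", FTP_SERVER),      # inbound FTP to DMZ
        Packet("external", "internal", "tcp", 21, "198.51.100.5", "10.0.0.5"),  # same, aimed at LAN
        Packet("dmz", "external", "tcp", 21, FTP_SERVER, "198.51.100.5"),      # DMZ host dialling out
        Packet("external", "dmz", "tcp", 21, "203.0.113.7", FTP_SERVER),       # validator-blocked source
        Packet("internal", "dmz", "tcp", 22, "10.0.0.5", FTP_SERVER),          # no filters on dmz-internal
    ]
    return [permitted(POLICIES, p) for p in packets]
```

The third packet shows the manual's direction rule: the same tcp/21 filter that admits an external client into the DMZ does not let the DMZ host open tcp/21 outward, because the filter is inbound-only and a new filter would be needed for the other direction.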
[Figure 4-29: the Firewall sits between the dmz interface (ipdmz), the internal interface (iplan) and the external interface (ipwan); the default policies on the data paths between them are labelled dmz-external, internal-external and dmz-internal.]