How Firewall Filter Rules Work

This article explains how the firewall filter rules work on Vigor Router.

IP Filter

When a packet traverses the router from one interface to another, it will first be checked by the active firewall filter rules with the smallest index number.
The filter rule first checks if the header information meets the filtering condition in that rule, including direction, source IP, destination IP, and service type. If it does, the action selected in Filter Action will be applied. If it doesn't, it will take no action and pass the packet to the next active filter rule.
The next filter rule will do the same checking on the header information. Until finally, if the packet matches none of the filtering conditions in all filter rules, the default rule and action will be applied.

Filter Action: Block Immediately

The router will discard the packet right away. No other filter rules will apply to the packet.

Filter Action: Pass Immediately

The router accepts the packets, and no other filter rules will apply to it. However, if the filter rule has CSM profile selected, such as APPE, URL Content Filter, Web Content Filter, and DNS Filter, those profiles might still discard the packet base on its content.

Below is an example of how the filter rules work on an outgoing packet.

an illustration of firewall process
Filter Action: Block If No Further Match

The router will hold the packet first. It will pass the packet to the next filter rule and see if it meets the filtering conditions of that rule. If it does, it will take the action of that filter rule. If it doesn't, it will pass to the next filter rule. Until finally, if there are no other rules with the filtering condition that applies to the packet, it will discard the packet.

Filter Action: Pass If No Further Match

The router will hold the packet first. It will pass the packet to the next filter rule and see if it meets the filtering conditions of it. If it does, it will take the action of that filter rule. If it doesn't, it will pass to the next filter rule. Until finally, if there are no other rules with the filtering condition that applies to the packet, it will accept the packet. However, if the filter rule has CSM profile selected, those profiles might still discard the packet base on its content.

Below is an example of how the filter rules work on an outgoing packet with Pass/Block If No Further Match.

an illustration of firewall process with if no further match

Content Filtering (CSM)

URL Filter

URL Filter will check the HTTP packets and find out the URL that the LAN client is requesting. Network Administrator may set up URL Filter to block or pass the HTTP traffic that contains specific keywords in the URL, thus to control the access to those websites.

Web Content Filter (WCF)

If you would like to prevent the LAN clients from browsing a certain category of websites (e.g., all the social networking websites), it might be a lot of work to list all of the URLs to block. This is when Web Content Filter(WCF) can be helpful. By using the URL categorization service from a CYREN or BPjM (both are license-required), the router can categorize all the websites into social networking, shopping, news, and more. Network Administrator may choose to block or pass a specific category and control the access to all the websites that fall into the class without specifying them.

DNS Filter

DNS filter is an extension of URL Filter and Web Content Filter. If the webserver is using HTTPS and the traffic are encrypted, the router may not be able to check the contents in those packets. However, by tracing the DNS queries sent by the LAN clients, we may still find out which websites the LAN clients are trying to access. DNS Filter allows Network Administrator to block or pass the DNS queries that contain specific keywords, thus to control the access to HTTPS websites.

APP Enforcement (APPE)

Except for the websites, by tracing the packet patterns, Vigor Router can also recognize the applications that the LAN clients are using. APP Enforcement provides the most common applications for the Network Administrator to filter out for the LAN clients.

When receiving a packet, the router will check the IP Filters to see if the packet matches any Filter Rules. If the packet matches more than one filter rule, the one created earlier will be applied. If the packet doesn't match any Filter Rule in IP Filter, it will move on to Application Filter, URL/Web Category Filter and then QQ Filter. Finally, if there is no matched Filter Rule either, the Default Policy will be applied. If the packet matches a rule IP Filter, the router will take one of the following actions.

Action: Accept Immediately

The router will pass the packet right away. Other firewall rules will not be applied.

Action: Block Immediately

The router will discard the packet right away. Other firewall rules will not be applied.

Action: Accept If No Further Match

The router will hold the packet and check if it matches other filter rules. If the Next Group is specified, the router will check the filter rules in that filter group; if not specified, the router will check Application Filter, URL/WCF Filter, and then QQ Filter. If the packet matches another rule, the action of that rule will be applied. If there's no other match, the router will pass the packet.

Action: Block If No Further Match

The router will hold the packet and check if it matches other filter rules. If the Next Group is specified, the router will check the filter rules in that filter group; if not specified, the router will check Application Filter, URL/WCF Filter, and then QQ Filter. If the packet matches another rule, the action of that rule will be applied. If there's no other match, the router will discard the packet.

an illustration of Vigor3900 firewall process

Published On: Aug 17, 2016 

Was this helpful?     


Related Articles