How Firewall Filter Rules Work

IP Filter

When a packet traverses the router from one interface to another, it will first be checked by the active firewall filter rules with the smallest index number.
The filter rule first checks if the header information meets the filtering condition in that rule, including direction, source IP, destination IP, and service type. If it does, the action selected in Filter Action will be applied. If it doesn't, it will take no action and pass the packet to the next active filter rule.
The next filter rule will do the same checking on the header information. Until finally, if the packet matches none of the filtering conditions in all filter rules, the default rule and action will be applied.

Filter Action: Block Immediately

The router will discard the packet right away. No other filter rules will apply to the packet.

Filter Action: Pass Immediately

The router accepts the packets, and no other filter rules will apply to it. However, if the filter rule has CSM profile selected, such as APPE, URL Content Filter, Web Content Filter, and DNS Filter, those profiles might still discard the packet base on its content.

Below is an example of how the filter rules work on an outgoing packet.

Filter Action: Block If No Further Match

The router will hold the packet first. It will pass the packet to the next filter rule and see if it meets the filtering conditions of that rule. If it does, it will take the action of that filter rule. If it doesn't, it will pass to the next filter rule. Until finally, if there are no other rules with the filtering condition that applies to the packet, it will discard the packet.

Filter Action: Pass If No Further Match

The router will hold the packet first. It will pass the packet to the next filter rule and see if it meets the filtering conditions of it. If it does, it will take the action of that filter rule. If it doesn't, it will pass to the next filter rule. Until finally, if there are no other rules with the filtering condition that applies to the packet, it will accept the packet. However, if the filter rule has CSM profile selected, those profiles might still discard the packet base on its content.

Below is an example of how the filter rules work on an outgoing packet with Pass/Block If No Further Match.

Content Filtering (CSM)

URL Filter

URL Filter will check the HTTP packets and find out the URL that the LAN client is requesting. Network Administrator may set up URL Filter to block or pass the HTTP traffic that contains specific keywords in the URL, thus to control the access to those websites.

Web Content Filter (WCF)

If you would like to prevent the LAN clients from browsing a certain category of websites (e.g., all the social networking websites), it might be a lot of work to list all of the URLs to block. This is when Web Content Filter(WCF) can be helpful. By using the URL categorization service from a CYREN or BPjM (both are license-required), the router can categorize all the websites into social networking, shopping, news, and more. Network Administrator may choose to block or pass a specific category and control the access to all the websites that fall into the class without specifying them.

DNS Filter

DNS filter is an extension of URL Filter and Web Content Filter. If the webserver is using HTTPS and the traffic are encrypted, the router may not be able to check the contents in those packets. However, by tracing the DNS queries sent by the LAN clients, we may still find out which websites the LAN clients are trying to access. DNS Filter allows Network Administrator to block or pass the DNS queries that contain specific keywords, thus to control the access to HTTPS websites.

APP Enforcement (APPE)

Except for the websites, by tracing the packet patterns, Vigor Router can also recognize the applications that the LAN clients are using. APP Enforcement provides the most common applications for the Network Administrator to filter out for the LAN clients.