A.1. How packet filtering works

Since a packet filter works with individual packets, a decision is needed for each and every packet: whether that specific packet may pass or should undergo some other action. Packet filters can handle incoming and outgoing packets alike, and the basic decision-making procedure is the same for both. The basic steps of packet filtering are the following.

  1. The filter system inspects the packet. It usually checks the following information in the packet header:

    • source/destination IP addresses,

    • IP options,

    • TOS/TTL fields,

    • source/destination port numbers,

    • TCP flags,

    • data part of packet,

    • and others.

    Stateful packet filters can also check the state of the packet with respect to known connections (whether the packet belongs to an already seen connection, starts a new one, or is related to an already established connection, like an ICMP control packet), or other stateful information (whether the packet fits in the TCP window of its connection). This information provides the basis for the decision. Of course, the firewall can also check whether the packet's checksum, and the packet in general, is well-formed.

  2. After inspecting the packet and collecting stateful information, the packet filter evaluates the policy for the given packet. The policy and its representation may differ between implementations, but usually Access Control Lists (ACLs) are used. ACLs are checked from the top of the list to the bottom. The list entries are usually called rules, and the rules are evaluated one after another.

    A rule usually contains a match part and a verdict part. The match part is evaluated against the information gathered from the packet before the policy check. If a packet matches the rule, the rule's verdict is taken for that packet. Implementations differ in how they run through the list: some stop evaluating at the first match, while others take the verdict of the last matching rule.

  3. After evaluating the ACL, the packet filter handles the packet according to the verdict. Usually every ACL has a default verdict, which controls what happens to a packet that matches no rule. Based on the main security rule (whatever is not explicitly permitted is forbidden), a default deny or default drop approach is a good choice, but as usual it depends on the implementation and on the administrator.

    There are numerous verdicts, but practically all implementations support the following basic ones. The exact meaning of a verdict, though, might differ slightly between implementations.

    • Accept: allows the packet to pass.

    • Deny/Drop: denies the packet silently, meaning that no error packet is sent back to the sender.

    • Reject: denies the packet by sending back some kind of error packet (an ICMP error message or a TCP reset packet, depending on the situation).
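The three steps above, as an added example that is not part of the original document: a small Python model of a packet filter with a toy connection table (NEW / ESTABLISHED), an ACL walked from top to bottom with either first-match or last-match semantics, a default verdict for packets that match nothing, and the three basic verdicts. All class and function names, the sample policy and the sample packets are constructed here for illustration and do not describe any particular product.

```python
"""Minimal model of the packet-filter decision procedure (added example,
not from the original document): inspect, classify against a connection
table, evaluate the ACL, apply the verdict or the default."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ACCEPT, DROP, REJECT = "accept", "drop", "reject"
NEW, ESTABLISHED = "NEW", "ESTABLISHED"


@dataclass(frozen=True)
class Packet:
    """Header fields a filter typically inspects (constructed sample type)."""
    src: str
    dst: str
    proto: str                            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()   # TCP flags, e.g. {"SYN"}

    def is_wellformed(self) -> bool:
        """Sanity check done before the ACL; malformed packets are dropped."""
        if self.proto not in ("tcp", "udp", "icmp"):
            return False
        if self.proto in ("tcp", "udp"):
            return 0 < self.sport < 65536 and 0 < self.dport < 65536
        return True


@dataclass(frozen=True)
class Rule:
    """One ACL entry: a match part (None means wildcard) and a verdict."""
    verdict: str
    src: Optional[str] = None      # CIDR prefix, e.g. "192.0.2.0/24"
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    state: Optional[str] = None    # NEW or ESTABLISHED

    def matches(self, pkt: Packet, state: str) -> bool:
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.state and self.state != state:
            return False
        return True


class ConnTracker:
    """Toy connection table: ESTABLISHED if either direction of the packet's
    5-tuple was already accepted, otherwise NEW. Only accepted packets are recorded."""

    def __init__(self) -> None:
        self.seen = set()

    def classify(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return ESTABLISHED if fwd in self.seen or rev in self.seen else NEW

    def record(self, pkt: Packet) -> None:
        self.seen.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))


def evaluate_acl(rules: List[Rule], pkt: Packet, state: str,
                 mode: str = "first", default: str = DROP) -> Tuple[str, Optional[int]]:
    """Walk the ACL top to bottom. mode="first" stops at the first matching rule;
    mode="last" keeps going and uses the last match. Returns (verdict, rule index),
    with index None when the default verdict applied."""
    verdict, hit = default, None
    for idx, rule in enumerate(rules):
        if rule.matches(pkt, state):
            verdict, hit = rule.verdict, idx
            if mode == "first":
                break
    return verdict, hit


class PacketFilter:
    def __init__(self, rules: List[Rule], mode: str = "first", default: str = DROP) -> None:
        self.rules, self.mode, self.default = rules, mode, default
        self.tracker = ConnTracker()

    def filter(self, pkt: Packet) -> str:
        if not pkt.is_wellformed():          # step 1: inspect the packet itself
            return DROP
        state = self.tracker.classify(pkt)   # step 1: gather stateful information
        verdict, _ = evaluate_acl(self.rules, pkt, state, self.mode, self.default)  # step 2
        if verdict == ACCEPT:                # step 3: act on the verdict
            self.tracker.record(pkt)
        return verdict


# Constructed sample policy: allow replies to known connections, allow new
# HTTPS to one server, reject telnet with an error, default-drop the rest.
POLICY = [
    Rule(ACCEPT, state=ESTABLISHED),
    Rule(ACCEPT, proto="tcp", dst="192.0.2.10/32", dport=443, state=NEW),
    Rule(REJECT, proto="tcp", dport=23),
]


def demo() -> List[str]:
    """Run four constructed packets through the policy in order."""
    fw = PacketFilter(POLICY)
    pkts = [
        Packet("198.51.100.7", "192.0.2.10", "tcp", 40000, 443, frozenset({"SYN"})),
        Packet("192.0.2.10", "198.51.100.7", "tcp", 443, 40000, frozenset({"SYN", "ACK"})),
        Packet("198.51.100.7", "192.0.2.10", "tcp", 40001, 23, frozenset({"SYN"})),
        Packet("198.51.100.7", "192.0.2.10", "udp", 40002, 53),
    ]
    return [fw.filter(p) for p in pkts]


if __name__ == "__main__":
    print(demo())   # ['accept', 'accept', 'reject', 'drop']
```

The second packet is accepted only because the first one was: the reply direction is looked up in the connection table, which is what lets a stateful filter keep a single "accept ESTABLISHED" rule at the top instead of opening return ports statically. Switching `mode` to `"last"` on a policy where several rules overlap changes which verdict wins, which is exactly the implementation difference the text warns about, so the evaluation order of the specific product is worth confirming before writing rules.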

To understand, successfully deploy and easily troubleshoot any packet filter firewall, you have to understand how the specific implementation handles packets and how it evaluates its policy. It is also necessary to learn how the policy is represented and how the configuration is constructed. Knowing the deeper details of the implementation helps with configuration.