As packet filtering works with individual packets, a decision is needed for each and every packet whether that specific packet can pass or should undergo some other action. Packet filtering can work with incoming and outgoing packets as well, but the basic decision making procedure is the same. The basic steps of packet filtering are the following.
The filter system inspects the packet. It usually checks the following information in the packet header:
source/destination IP addresses
IP options
TOS/TTL fields
source/destination port numbers
TCP flags
data part of packet
and so on
Stateful packet filtering can check the state of the given packet related to the known connections (whether this packet belongs to an already seen connection or it is a new packet or it is a packet related to an already established connection, like an ICMP control packet), or to other stateful information (whether this packet fits in the TCP window of the connection). This piece of information is necessary for the decision. Also, the firewall can check whether the packets' checksum and the packets in general are adequate.
After inspecting the packet and collecting stateful information, the packet filter evaluates the policy for the given packet. The policy and the representation of the policy might be different for various implementations, but usually Access Control Lists (ACL) are used. ACLs are checked from the top of the list to the bottom. The list entries are usually called rules and these rules are evaluated after one another.
A rule usually contains a match and a verdict part. The match part is evaluated based on the information gathered from the packet before the policy check. If a packet matches the rule the rule's verdict is taken for that packet. The various implementations differ in how they run through the list. One stops evaluating at the first match, while others might take the last match's verdict.
After evaluating the ACL the packet filter can work with that packet according to the verdict. Usually, every ACL has a default verdict which controls what should happen with the packet if no match occurs. Based on the main security rule a default deny or default drop approach is a good choice, but as usual it depends on the implementation and on the administrator.
There are numerous verdicts, but usually all implementations support the following basic verdicts. The meaning of the verdicts, though, might differ slightly.
Accept,
allowing the packet to pass.
Deny/Drop,
denying the packet silently meaning that no error packet is sent back to the sender.
Reject,
denying the packet with sending back some kind of error packet (ICMP error message or TCP reset packet depending on the situation).
To successfully deploy and easily troubleshoot any packet filter firewall it is necessary to understand how the specific implementation handles the packets and how it evaluates its policy. It is also necessary to learn how the policy is represented and how the configuration is constructed. Being familiar with the deeper details of implementation helps in configuration.
Published on May 30, 2024
© BalaSys IT Ltd.
Send your comments to support@balasys.hu