One of the basic functions of NAT is the translation of the local IP addresses of your LAN
into the global IP addresses you are assigned by your ISP and vice versa. All connections
initiated externally are first blocked, i.e. every packet your device cannot assign to an exist-
ing connection is rejected. This means that a connection can only be set up from inside to
outside. Without explicit permission, NAT rejects every access from the WAN to the LAN.
IP Access Lists
Here, packets are allowed or rejected exclusively on the basis of the criteria listed above,
i.e. the state of the connection is not considered (except for
Services
=
%,
).
SIF
The SIF sorts out all packets that are not explicitly or implicitly allowed. The result can be a
"deny", in which case no error message is sent to the sender of the rejected packet, or a
"reject", where the sender is informed of the packet rejection.
The incoming packets are processed as follows:
• The SIF first checks if an incoming packet can be assigned to an existing connection. If
so, it is forwarded. If the packet cannot be assigned to an existing connection, a check is
made to see if a suitable connection is expected (e.g. as affiliated connection of an exist-
ing connection). If so, the packet is also accepted.
• If the packet cannot be assigned to any existing or expected connection, the SIF filter
rules are applied: If a deny rule matches the packet, the packet is rejected without send-
ing an error message to the sender of the packet; if a reject rule matches, the packet is
rejected and an ICMP Host Unreachable message sent to the sender of the packet. The
packet is only forwarded if an accept rule matches.
• All packets without matching rules are rejected without sending an error message to the
sender when all the existing rules have been checked (=default behaviour).
19.1 Policies
19.1.1 Filter Rules
The default behaviour with
Action
=
1%%&&
consists of two implicit filter rules: If an incom-
ing packet can be assigned to an existing connection and if a suitable connection is expec-
ted (e.g. such as an affiliated connection of an existing connection), the packet is allowed.
The sequence of filter rules in the list is relevant: The filter rules are applied to each packet
Funkwerk Enterprise Communications GmbH
19 Firewall
R1xxx/R3xxx/R4xxx
325