Introduction
Firewall rules are stored in tables. These tables are sometimes also known as firewall chains or just chains. Tables normally store rules for what are known as hooks, which can be looked at as packet-path junctions. There are five defined hooks: PRE-ROUTE, POST-ROUTE, INPUT, OUTPUT and FORWARDING. The example below illustrates the default chains on boot up.
By default, the INPUT, FORWARD and OUTPUT chains are installed on boot up. Additional rules can be installed for the other chains. Additionally, one can write software extensions to add more chains. Figure 7.5 provides an illustration of the firewall flow.
When a packet reaches a circle in the diagram, that chain is examined to decide the fate of the
packet. Two basic fates of a packet are defined as DROP and ACCEPT. If the chain says to
DROP the packet, it is killed there; however, if the chain says to ACCEPT the packet, it
continues traversing the diagram, ultimately terminating at an application or getting forwarded
out of the box. There are additional actions that can be applied to packets. These are described in
the "Supported Targets" section.
A chain is a checklist of rules. Each rule is checked against the packet header and if a rule
matches, action is taken. If the rule doesn't match the packet, then the next rule in the chain is
consulted. Finally, if there are no more rules to consult, then the kernel looks at the chain default
policy to decide what to do. In a security-conscious system, this policy usually tells the kernel to
DROP the packet.
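An added example (not from the user's guide) that models the chain traversal described above in Python: rules are consulted in order, the first match decides the packet's fate, and when no rule matches the chain's default policy applies. The chain contents, header fields and addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

ACCEPT, DROP = "ACCEPT", "DROP"

@dataclass
class Rule:
    """One chain entry: header fields that must all match, and a target."""
    target: str
    proto: Optional[str] = None
    src: Optional[str] = None     # constructed sample: plain string compare
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        # Every field the rule specifies must equal the packet's header field.
        for attr in ("proto", "src", "dport"):
            want = getattr(self, attr)
            if want is not None and pkt.get(attr) != want:
                return False
        return True

@dataclass
class Chain:
    """A checklist of rules plus the default policy used when none match."""
    name: str
    policy: str = DROP
    rules: list = field(default_factory=list)

    def verdict(self, pkt: dict) -> str:
        # Rules are checked in order; the first matching rule decides.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        # No rule matched: the chain's default policy decides the fate.
        return self.policy

def build_input_chain(policy: str = DROP) -> Chain:
    # Constructed sample INPUT chain for packets destined to the CPU:
    # accept SSH from one management host and ICMP from anywhere.
    return Chain("INPUT", policy, [
        Rule(ACCEPT, proto="tcp", src="10.0.0.5", dport=22),
        Rule(ACCEPT, proto="icmp"),
        Rule(DROP, proto="tcp", dport=23),   # explicit drop, independent of policy
    ])

if __name__ == "__main__":
    chain = build_input_chain()
    print(chain.verdict({"proto": "tcp", "src": "192.0.2.9", "dport": 22}))
```

Building the same chain with `policy=ACCEPT` shows why a security-conscious default is DROP: an unmatched SSH attempt from an unknown host then sails through on the default policy alone.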
In the base switch, both the FORWARD chain hook and the INPUT chain hook (packets destined for the CPU) are implemented in hardware. The rest of the hooks are in software in the Linux kernel. An extension of the FORWARD hook also resides in software. It is important to note that this is in sync with routing being implemented in hardware with software assist for exception handling. Under general circumstances, when routing happens in hardware, only the FORWARD chain is traversed. Under exceptional handling of an incoming packet, one can force the full software traversal. As a router you do not really care about the other hooks except in the situation where you have some special handling, in which case a policy would force the packet to be sent to the CPU for further processing.
NOTE: This is also how one would extend the OA packet munging capabilities (for
example, introduce NAT).
Ethernet Switch Blade User's Guide
release 3.2.2j
page 109
Figure 7.5: Firewall Flow (diagram; nodes: Incoming, Preroute, Routing Decision, Input, Local Process, Forward, Output, PostRoute, Outgoing)