Chapter 6
Security
RUGGEDCOM ROX II
CLI User Guide
Firewall Concepts
• Section 6.9.11, “Managing Hosts”
• Section 6.9.12, “Managing Policies”
• Section 6.9.13, “Managing Network Address Translation Settings”
• Section 6.9.14, “Managing Masquerade and SNAT Settings”
• Section 6.9.15, “Managing Rules”
• Section 6.9.16, “Validating a Firewall Configuration”
• Section 6.9.17, “Enabling/Disabling a Firewall”
Section 6.9.1
Firewall Concepts
This section describes some of the concepts important to the implementation of firewalls in RUGGEDCOM ROX II.
CONTENTS
• Section 6.9.1.1, “Stateless vs. Stateful Firewalls”
• Section 6.9.1.2, “Linux netfilter”
• Section 6.9.1.3, “Network Address Translation”
• Section 6.9.1.4, “Port Forwarding”
• Section 6.9.1.5, “Protecting Against a SYN Flood Attack”
• Section 6.9.1.6, “Protecting Against IP Spoofing”
Section 6.9.1.1
Stateless vs. Stateful Firewalls
There are two types of firewalls: stateless and stateful.

Stateless or static firewalls make decisions about traffic without regard to traffic history. They simply open a path for the traffic type based on a TCP or UDP port number. Stateless firewalls are relatively simple, easily handling Web and e-mail traffic. However, stateless firewalls have some disadvantages. All paths opened in the firewall are always open, and connections are not opened or closed based on outside criteria. Static IP filters offer no form of authentication.

Stateful or session-based firewalls add considerably more complexity to the firewalling process. They track the state of each connection, look at and test each packet (connection tracking), and recognize and manage as a whole traffic from a particular protocol that is on connected sets of TCP/UDP ports.
Section 6.9.1.2
Linux netfilter
Netfilter, a subsystem of the Linux kernel, is a stateful firewall that provides the ability to examine IP packets on a
per-session basis.
Netfilter uses rulesets, which are collections of packet classification rules that determine the outcome of the
examination of a specific packet. The rules are defined by iptables, a generic table structure syntax and utility
program for the configuration and control of netfilter.
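The difference between a static port filter and a connection-tracking filter described in Section 6.9.1.1 and Section 6.9.1.2 is easiest to see on a concrete packet stream. The following is an added illustration, not code from the RUGGEDCOM ROX II guide, from netfilter or from iptables: it models in Python the decision a stateless (port-based) ruleset and a minimal connection tracker would each make for the same five packets. The addresses, ports and packet sequence are constructed sample data, and the tracker is a deliberate simplification (one flow table, flow removed on FIN) of what netfilter's conntrack does per session.

```python
"""Toy model of stateless vs. stateful packet filtering (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str        # "out" = from the protected LAN, "in" = from outside
    syn: bool = False
    ack: bool = False
    fin: bool = False


LAN = "192.0.2.10"        # constructed RFC 5737 address: protected host
WAN = "198.51.100.7"      # constructed RFC 5737 address: outside host


def stateless_decide(pkt):
    """Static filter: permit outbound web traffic and any inbound packet
    with source port 80, which is how a stateless ruleset has to let the
    replies back in.  Roughly equivalent to (without connection tracking):
        iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
        iptables -A INPUT  -p tcp --sport 80 -j ACCEPT
    The inbound hole stays open for every packet with sport 80, forever."""
    if pkt.direction == "out" and pkt.dport == 80:
        return "ACCEPT"
    if pkt.direction == "in" and pkt.sport == 80:
        return "ACCEPT"
    return "DROP"


class StatefulFilter:
    """Minimal connection tracker: an outbound SYN to port 80 creates a flow
    entry; inbound packets are accepted only if they belong to a tracked
    flow; a FIN closes the flow.  Roughly the policy expressed by:
        iptables -A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
        iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    """

    def __init__(self):
        self.flows = set()    # 4-tuples (src, sport, dst, dport) of open flows

    def decide(self, pkt):
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        else:
            # Inbound: look for the flow the LAN side originated.
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)

        if key in self.flows:
            if pkt.fin:
                self.flows.discard(key)   # session closes, path closes with it
            return "ACCEPT"               # ESTABLISHED
        if pkt.direction == "out" and pkt.syn and not pkt.ack and pkt.dport == 80:
            self.flows.add(key)           # NEW, permitted by policy
            return "ACCEPT"
        return "DROP"                     # unsolicited inbound or stale packet


def run_scenario():
    """Return (stateless, stateful) verdicts for a constructed packet stream."""
    stream = [
        Packet(LAN, 50000, WAN, 80, "out", syn=True),             # client SYN
        Packet(WAN, 80, LAN, 50000, "in", syn=True, ack=True),    # server SYN/ACK
        Packet(WAN, 80, LAN, 4444, "in", syn=True),               # unsolicited, sport 80
        Packet(WAN, 80, LAN, 50000, "in", fin=True, ack=True),    # server closes
        Packet(WAN, 80, LAN, 50000, "in", ack=True),              # stale packet after close
    ]
    tracker = StatefulFilter()
    return [(stateless_decide(p), tracker.decide(p)) for p in stream]


if __name__ == "__main__":
    for n, verdict in enumerate(run_scenario(), 1):
        print(f"packet {n}: stateless={verdict[0]:6} stateful={verdict[1]}")
```

Packets 1, 2 and 4 are accepted by both filters. Packet 3 (an inbound connection attempt that merely uses source port 80) and packet 5 (a packet arriving after the session closed) pass the static filter because its port-based path is always open, but are dropped by the tracker because no tracked session matches them. That is the practical consequence of the guide's statement that stateless paths are "always open" and that netfilter examines packets "on a per-session basis".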