RUGGEDCOM ROX II CLI User Guide, Chapter 6: Security (page 184)
Firewall Concepts
• Section 6.9.11, “Managing Hosts”
• Section 6.9.12, “Managing Policies”
• Section 6.9.13, “Managing Network Address Translation Settings”
• Section 6.9.14, “Managing Masquerade and SNAT Settings”
• Section 6.9.15, “Managing Rules”
• Section 6.9.16, “Validating a Firewall Configuration”
• Section 6.9.17, “Enabling/Disabling a Firewall”
Section 6.9.1
Firewall Concepts
This section describes some of the concepts important to the implementation of firewalls in RUGGEDCOM ROX II.
CONTENTS
• Section 6.9.1.1, “Stateless vs. Stateful Firewalls”
• Section 6.9.1.2, “Linux netfilter”
• Section 6.9.1.3, “Network Address Translation”
• Section 6.9.1.4, “Port Forwarding”
• Section 6.9.1.5, “Protecting Against a SYN Flood Attack”
• Section 6.9.1.6, “Protecting Against IP Spoofing”
Section 6.9.1.1
Stateless vs. Stateful Firewalls
There are two types of firewalls: stateless and stateful.
Stateless or static firewalls make decisions about traffic without regard to traffic history. They simply open a path for the traffic type based on a TCP or UDP port number. Stateless firewalls are relatively simple, easily handling Web and e-mail traffic. However, stateless firewalls have some disadvantages. All paths opened in the firewall are always open, and connections are not opened or closed based on outside criteria. Static IP filters offer no form of authentication.
Stateful or session-based firewalls add considerably more complexity to the firewalling process. They track the state of each connection, inspect and test each packet (connection tracking), and recognize traffic from a particular protocol that spans connected sets of TCP/UDP ports, managing it as a whole.
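The following toy model is an added illustration, not part of the guide or of ROX II itself: a static filter that lets inside hosts reach Web servers must also hold a permanent return-path rule, whereas a session-based filter admits inbound traffic only for connections it has seen opened. Addresses and ports are constructed sample values, and the model omits timeouts and TCP flag tracking that real connection tracking performs.

```python
# Toy model of the stateless vs. stateful distinction (constructed
# addresses/ports; no timeouts or TCP flag tracking, unlike real conntrack).
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True = arriving from the outside network

INSIDE = "192.0.2.10"      # constructed: protected host behind the firewall
OUTSIDE = "198.51.100.7"   # constructed: peer on the outside network

def stateless_allow(pkt):
    """Static filter. Rule 1 lets inside hosts reach Web servers on port 80.
    Rule 2 exists only so that the replies can return, but as a static rule it
    admits *every* inbound packet with source port 80, session or not."""
    if not pkt.inbound and pkt.dport == 80:
        return True
    if pkt.inbound and pkt.sport == 80:
        return True
    return False

class StatefulFilter:
    """Session-based filter. Same outbound rule, but inbound packets are only
    accepted when they belong to a connection an inside host opened
    (netfilter would call this the ESTABLISHED state)."""
    def __init__(self):
        self.sessions = set()

    def allow(self, pkt):
        if not pkt.inbound and pkt.dport == 80:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.inbound:
            # The reversed 4-tuple must match a session opened from inside.
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions
        return False

def compare():
    """Run the same three packets through both filters; returns the verdicts
    as name -> (stateless_allowed, stateful_allowed)."""
    request = Packet(INSIDE, 40000, OUTSIDE, 80, inbound=False)
    reply = Packet(OUTSIDE, 80, INSIDE, 40000, inbound=True)
    unsolicited = Packet(OUTSIDE, 80, INSIDE, 22, inbound=True)  # no session
    sf = StatefulFilter()
    verdicts = {}
    for name, pkt in (("request", request), ("reply", reply),
                      ("unsolicited", unsolicited)):
        verdicts[name] = (stateless_allow(pkt), sf.allow(pkt))
    return verdicts
```

The third packet is the case the text warns about: the static return-path rule is always open, so the stateless filter accepts it, while the stateful filter rejects it because no inside host opened that session.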
Section 6.9.1.2
Linux netfilter
Netfilter, a subsystem of the Linux kernel, is a stateful firewall that provides the ability to examine IP packets on a per-session basis.
Netfilter uses rulesets, which are collections of packet classification rules that determine the outcome of the examination of a specific packet. The rules are defined with iptables, a generic table-structure syntax and utility program for configuring and controlling netfilter.