- Stop unauthorised access
- Block unwanted ports
- Classify and mark connections and packets for QoS or Routing Policy
- Filter packets using filter rules
- NAT: SRCNAT and DSTNAT to translate source and destination addresses
- Mangle: to mark connections and/or packets
- RAW: drop or bypass packets before reaching the connection tracking
- Service Ports: using NAT helpers
- Input = to the router
- Output = from the router
- Forward = via the router
- Rules are processed in order
- IF … THEN
- If no match, then the packet is accepted
- Always add a drop rule at the bottom of your rules
- Passthrough = count packets/bytes
- Drop = Discard a packet
- Reject = Discard a packet but send an ICMP message or TCP reset; a TCP reset kills a TCP connection instantly
- Tarpit = Send ACK Flag but don’t open the connection
- New: The first packet of a stream that the Firewall observes is new. The Firewall checks the packet and, if it is allowed, the next packet going in the other direction of that stream creates an Established connection.
- Established: A stream of packets that has successfully passed the Firewall in both directions. Established packets will not be evaluated by the Firewall.
- Related: Packets that are not considered part of the connection itself but are related to it.
- Invalid: Packets that arrived at the router out of order or with an invalid sequence number. Best advice is to always drop them.
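
The points above (chains, rule order, connection states, the final drop rule) combined into one minimal ruleset. This is an added example, not part of the original page, written in MikroTik RouterOS syntax, which is an assumption because the page names no platform. The subnet 192.168.88.0/24, the interface ether1 and the management ports are constructed sample values.

```routeros
# Added example: addresses, interface name and ports are constructed sample values.
/ip firewall filter

# Input chain = traffic addressed to the router itself.
# Rules are matched top to bottom, so the cheap state checks come first.
add chain=input connection-state=established,related action=accept comment="input: established, related"
add chain=input connection-state=invalid action=drop comment="input: drop invalid"
add chain=input protocol=icmp action=accept comment="input: ICMP"
add chain=input protocol=tcp dst-port=22,8291 src-address=192.168.88.0/24 action=accept comment="input: management from LAN only"
# Without this last rule, anything that matched nothing above would be accepted.
add chain=input action=drop comment="input: drop everything else"

# Forward chain = traffic passing through the router.
add chain=forward connection-state=established,related action=accept comment="forward: established, related"
add chain=forward connection-state=invalid action=drop comment="forward: drop invalid"
# Only the LAN may open new connections towards the WAN interface.
add chain=forward connection-state=new src-address=192.168.88.0/24 out-interface=ether1 action=accept comment="forward: LAN to WAN"
add chain=forward action=drop comment="forward: drop everything else"
```

Apply a ruleset like this from a session that the management rule covers, because the final input drop rule cuts off any other access to the router.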