Asus RX3141 9 Configuring Firewall/NAT Settings, 9.1Firewall Overview, 9.1.3.1Priority Order of ACL Rule, Note:, 9.1.1Stateful Packet Inspection

RX3141 User’s Manual

Chapter 9. Configuring Firewall/NAT Settings

9 Configuring Firewall/NAT Settings

The RX3141 provides built-in firewall/NAT functions, enabling you to protect the system against denial of service (DoS) attacks and other types of malicious accesses to your LAN while providing Internet access sharing at the same time. You can also specify how to monitor attempted attacks, and unwanted network access.

This chapter describes how to configure router security settings, and create/modify/delete ACL (Access Control List) rules to control the data passing through your network. You will use firewall configuration pages to:

fConfigure router security and DoS settings

fCreate, modify, delete and view inbound/outbound/self-access ACL rules.

fView firewall log.

Note: When you define an ACL rule, you instruct the RX3141 to examine each data packet it receives to determine whether it meets criteria set forth in the rule. The criteria can include the network or Internet protocol it is carrying, the direction in which it is traveling (for example, from the LAN to the Internet or vice versa), the IP address of the sending computer, the destination IP address, and other characteristics of the packet data.

If the packet matches the criteria established in a rule, the packet can either be accepted (forwarded towards its destination), or denied (discarded), depending on the action specified in the rule.

9.1Firewall Overview

9.1.1Stateful Packet Inspection

The stateful packet inspection engine in the RX3141 maintains a state table that is used to keep track of connection states of all the packets passing through the firewall. The firewall will open a “hole” to allow the packet to pass through if the state of the packet that belongs to an already established connection matches the state maintained by the stateful packet inspection engine. Otherwise, the packet will be dropped. This “hole” will be closed when the connection session terminates. No configuration is required for stateful packet inspection; it is enabled by default when the firewall is enabled. Please refer to section 9.2.1 “Basic Router Security Configuration Parameters” to enable or disable firewall service on the RX3141.

9.1.2DoS (Denial of Service) Protection

Both DoS protection and stateful packet inspection provide first line of defense for your network. No configuration is required for both protections on your network as long as firewall is enabled for the RX3141. By default, the firewall is enabled at the factory. Please refer to section 9.2.1 “Basic Router Security Configuration Parameters” to enable or disable firewall service on the RX3141.

9.1.3Firewall and Access Control List (ACL)

9.1.3.1Priority Order of ACL Rule

All ACL rules have a rule ID assigned – the smaller the rule ID, the higher the priority. Firewall monitors the traffic by extracting header information from the packet and then either drops or forwards the packet by looking for a match in the ACL rule table based on the header information. Note that the ACL rule checking starts from the rule with the smallest rule ID until a match is found or all the ACL rules are examined. If no match is found,