Chapter 9. Configuring Firewall/NAT Settings

RX3141 User’s Manual

the packet is dropped; otherwise, the packet is either dropped or forwarded based on the action defined in the matched ACL rule.

9.1.3.2 ACL Rule and Connection State Tracking

The stateful packet inspection engine in the firewall keeps track of the state, or progress, of a network connection. By storing information about each connection in a state table, RX3141 is able to quickly determine if a packet passing through the firewall belongs to an already established connection. If it does, it is passed through the firewall without going through ACL rule evaluation.

For example, suppose an ACL rule allows outbound ICMP packets from 192.168.1.1 to 192.168.2.1. When 192.168.1.1 sends an ICMP echo request (i.e. a ping packet) to 192.168.2.1, 192.168.2.1 will respond with an ICMP echo reply to 192.168.1.1. In the RX3141, you don’t need to create another inbound ACL rule, because the stateful packet inspection engine tracks the connection state and allows the ICMP echo reply to pass through the firewall.

9.1.4 Default ACL Rules

The RX3141 supports three types of default access rules:

- Inbound Access Rules: for controlling incoming access to your LAN.

- Outbound Access Rules: for controlling outbound access to external networks for hosts on your LAN.

- Self-Access Rules: for controlling access to the RX3141 itself.

Default Inbound Access Rules

No default inbound access rule is configured. That is, all traffic from external hosts to the internal hosts is denied.

Default Outbound Access Rules

The default outbound access rule allows all the traffic originated from your LAN to be forwarded to the external network using NAT.

Default Self Access Rules

The default self access rules allow HTTP, ping, DNS and DHCP access to the RX3141 router from the LAN.

WARNING: It is not necessary to remove the default ACL rule from the ACL rule table! It is better to create higher priority ACL rules to override the default rule.
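The following Python model is added here as an illustration; it is not RX3141 firmware code and does not appear in the manual. It ties together the connection state tracking of section 9.1.3.2 (the ping example), the default inbound-deny / outbound-allow behaviour of section 9.1.4, and the first-match rule ordering that lets a higher priority rule override a default one. The Packet fields, the state-table key (src, dst, protocol, ICMP identifier) and the returned action strings are constructed assumptions; state entries never expire in this model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "outbound" (LAN -> WAN) or "inbound" (WAN -> LAN)
    src: str
    dst: str
    proto: str       # "icmp", "tcp", ...
    kind: str        # for ICMP: "echo-request" or "echo-reply"
    ident: int = 0   # ICMP identifier; a reply carries its request's id

class StatefulFirewall:
    """Constructed model: ordered ACL plus a state table of accepted flows."""

    def __init__(self, acl):
        # acl entries: (direction, src, dst, proto, action), highest priority
        # first; the first matching rule decides, which is how a higher
        # priority rule overrides a default rule without deleting it.
        self.acl = acl
        self.state = set()   # (src, dst, proto, ident) of allowed requests

    def _acl_action(self, pkt):
        for direction, src, dst, proto, action in self.acl:
            if (direction == pkt.direction and src in (pkt.src, "any")
                    and dst in (pkt.dst, "any") and proto in (pkt.proto, "any")):
                return action, "acl"
        # No rule matched: the manual's defaults apply (inbound deny,
        # outbound allow).
        return ("allow" if pkt.direction == "outbound" else "deny"), "default"

    def process(self, pkt):
        # 1. Established connection? A reply is matched against the state
        #    table with src/dst reversed and skips ACL evaluation entirely.
        if pkt.kind == "echo-reply":
            if (pkt.dst, pkt.src, pkt.proto, pkt.ident) in self.state:
                return "allow (state table)"
            return "drop (no matching state)"
        if (pkt.src, pkt.dst, pkt.proto, pkt.ident) in self.state:
            return "allow (state table)"
        # 2. New connection: evaluate the ACL (or the per-direction default)
        #    and record the flow only when it is allowed.
        action, why = self._acl_action(pkt)
        if action == "allow":
            self.state.add((pkt.src, pkt.dst, pkt.proto, pkt.ident))
            return f"allow ({why})"
        return f"drop ({why})"
```

An inbound echo reply that arrives before any matching request is dropped, while an unsolicited inbound echo request falls through to the default inbound deny.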
