Firewall rules set up
Issue 4 May 2005 167
12. If the filter rule set for the intended traffic is also to be applied to the reply packets, select
Keep State. This function can be applied to TCP, UDP, and ICMP packets.
13. If you want to change the default time-out settings for the TCP state, UDP state, or ICMP
state, click Advanced.
Note: Keep State sets up a state table, with each entry set up by the sending side.
Reply packets pass through a matching filter that is based on the respective state
table entry. A state entry is not created for packets that are denied.
Note: Although UDP is connectionless, if a packet is first sent out from a given port, a
reply is expected in the reverse direction on the same port. Keep State
“remembers” the port and ensures that the replying packet enters on the same
port.
14. Select the position of the firewall policy in the template.
15. Click Finish to return to the Firewall tab.
Priority of Firewall rules versus NAT rules
When packets pass through zones that have both Firewall rules and NAT rules set up, the NAT
rules are applied before the firewall rules. Depending on the type of NAT rule (static NAT,
port NAT, or redirection), either the source IP address or the destination IP address of the
packet is changed. When you set up your firewall rules, you need to consider the type of NAT
configured, because the firewall rule must filter on the translated IP address and ports,
not on the original address and ports.
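The Keep State behaviour described in the note above (state entries created only for permitted packets, replies matched against the reversed entry, a UDP reply expected back on the same port) and the NAT-before-filter ordering of this section, combined in one added example. This is a constructed Python model written for this page, not the router's code; the addresses, the rule sets, exact-IP rule matching, first-match-wins, a sequential public-port pool for port NAT and the absence of state time-outs are all assumptions made for the illustration.

```python
"""NAT-before-filter zone model with Keep State. Constructed for this page, not the
router's code. Assumptions: exact-IP matches, first match wins, sequential public
ports for port NAT, no state time-outs."""
from dataclasses import dataclass, replace
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int      # for ICMP, the echo identifier
    dst: str
    dport: int


@dataclass(frozen=True)
class FwRule:
    action: str     # "allow" or "deny"
    proto: str
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    keep_state: bool = False


class Zone:
    def __init__(self, public_ip, static_nat, port_nat_hosts, redirects, rules):
        self.public_ip = public_ip
        self.static_nat = static_nat          # {inside_ip: public_ip}, one-to-one
        self.port_nat_hosts = port_nat_hosts  # inside IPs hidden behind public_ip
        self.redirects = redirects            # {(public_ip, port): (inside_ip, port)}
        self.rules = rules
        self.state = set()                    # 5-tuples, created only by allowed packets
        self._ports = {}                      # (proto, inside_ip, port) -> public port
        self._pool = count(40001)

    def _nat(self, pkt, outbound):
        if outbound and pkt.src in self.static_nat:             # static NAT: source IP
            return replace(pkt, src=self.static_nat[pkt.src])
        if outbound and pkt.src in self.port_nat_hosts:         # port NAT: source IP and port
            flow = (pkt.proto, pkt.src, pkt.sport)
            if flow not in self._ports:
                self._ports[flow] = next(self._pool)
            return replace(pkt, src=self.public_ip, sport=self._ports[flow])
        if not outbound and (pkt.dst, pkt.dport) in self.redirects:  # redirection: destination
            ip, port = self.redirects[(pkt.dst, pkt.dport)]
            return replace(pkt, dst=ip, dport=port)
        return pkt

    def process(self, pkt, outbound):
        pkt = self._nat(pkt, outbound)                          # translate first, then filter
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "allow (state)"                              # reply to a kept-state flow
        for r in self.rules:
            if r.proto != pkt.proto or r.src not in ("any", pkt.src):
                continue
            if r.dst not in ("any", pkt.dst) or r.dport not in (None, pkt.dport):
                continue
            if r.action == "allow" and r.keep_state:
                self.state.add(key)                             # denied packets get no entry
            return r.action
        return "deny"                                           # implicit default


def build_zone(rules):
    """10.0.0.7 behind port NAT on 203.0.113.1; 10.0.0.9 static to 203.0.113.2;
    203.0.113.1:8080 redirected to the inside web server 10.0.0.5:80."""
    return Zone("203.0.113.1", {"10.0.0.9": "203.0.113.2"}, {"10.0.0.7"},
                {("203.0.113.1", 8080): ("10.0.0.5", 80)}, rules)


def demo():
    """Same traffic through rules written on translated addresses and through
    rules mistakenly written on the original (pre-NAT) addresses."""
    on_translated = [FwRule("allow", "tcp", src="203.0.113.1", dport=80, keep_state=True),
                     FwRule("allow", "tcp", src="203.0.113.2", dport=80, keep_state=True),
                     FwRule("allow", "udp", src="203.0.113.1", dport=53, keep_state=True),
                     FwRule("allow", "tcp", dst="10.0.0.5", dport=80, keep_state=True)]
    on_original = [FwRule("allow", "tcp", src="10.0.0.7", dport=80, keep_state=True),
                   FwRule("allow", "tcp", dst="203.0.113.1", dport=8080, keep_state=True)]
    web = (Packet("tcp", "10.0.0.7", 51000, "198.51.100.9", 80), True)
    web_reply = (Packet("tcp", "198.51.100.9", 80, "203.0.113.1", 40001), False)
    static = (Packet("tcp", "10.0.0.9", 52000, "198.51.100.9", 80), True)
    dns = (Packet("udp", "10.0.0.7", 5353, "198.51.100.53", 53), True)
    dns_reply = (Packet("udp", "198.51.100.53", 53, "203.0.113.1", 40002), False)
    dns_stray = (Packet("udp", "198.51.100.53", 53, "203.0.113.1", 40003), False)
    redir = (Packet("tcp", "198.51.100.9", 33000, "203.0.113.1", 8080), False)
    redir_reply = (Packet("tcp", "10.0.0.5", 80, "198.51.100.9", 33000), True)
    good, bad = build_zone(on_translated), build_zone(on_original)
    return {
        "translated": [good.process(*p) for p in
                       (web, web_reply, static, dns, dns_reply, dns_stray, redir, redir_reply)],
        "original": [bad.process(*p) for p in (web, web_reply, redir, redir_reply)],
    }
```

Running `demo()` shows the two points of the section together: with rules written on the translated addresses, every first packet is allowed and every reply is passed by its state entry (the stray UDP packet to an unallocated port is denied because no state exists for it); with rules written on the original addresses, nothing matches after translation, and since denied packets create no state entry the replies are denied as well.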
Setting up firewall rules for FTP
FTP and Firewall/NAT Operation
The File Transfer Protocol (FTP) uses two TCP connections, one for control, and another for
data. The primary methods for establishing the data connection are passive-FTP and
active-FTP. In the passive-FTP case, the FTP client makes the data connection to an IP
address/port the FTP server has specified. An active-FTP data connection is initiated by the
FTP server using information specified by the FTP client.
If the FTP client and FTP server are separated by a firewall, the control and/or data connections will
normally be blocked. For FTP to function properly, state must be maintained for both the control and the data
connections to complete. Typically, a wide range of ports behind the firewall also must be
exposed to the external network in order for an external FTP client (passive-FTP) or an external
FTP server (active-FTP) to establish the data connection. So, the location of client and server, as
well as the mode of operation (active or passive FTP), dictates the type of firewall issues.
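An added example of how a stateful firewall can learn the single data connection it must expect instead of exposing a wide range of ports: it reads the PORT/PASV (RFC 959) and EPRT/EPSV (RFC 2428) exchanges on the control channel, works out who initiates the data connection and to which address and port, and decides whether the firewall in front of the client or of the server needs an inbound entry or whether Keep State on the outgoing packet already covers it. This is constructed Python written for this page, not the router's code, and the page does not say the router does this; the transcript, the addresses and the decision tuples are assumptions, the control channel is assumed to be cleartext, and NAT rewriting of the advertised address is left out.

```python
"""Derive the FTP data connection a stateful firewall must expect by reading the
control channel. Constructed for this page, not the router's code. Assumes a
cleartext control connection and PORT/PASV (RFC 959) or EPRT/EPSV (RFC 2428)
syntax; NAT rewriting of the advertised address is out of scope here."""
import re

PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I)
EPRT_RE = re.compile(r"^EPRT \|1\|([\d.]+)\|(\d{1,5})\|\s*$", re.I)
PASV_RE = re.compile(r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d{1,5})\|\)")


def _host_port(fields):
    """Six RFC 959 byte fields -> (ip, port); a byte above 255 is malformed."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("byte field out of range: %r" % (fields,))
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def parse_data_endpoint(line, client_ip, server_ip):
    """Return the data connection a control-channel line announces, or None.

    Active (PORT/EPRT): the server connects to the advertised client address.
    Passive (227/229): the client connects to the advertised server address."""
    if m := PORT_RE.match(line):
        ip, port = _host_port(m.groups())
        return {"mode": "active", "initiator": server_ip, "ip": ip, "port": port}
    if m := EPRT_RE.match(line):
        return {"mode": "active", "initiator": server_ip, "ip": m.group(1), "port": int(m.group(2))}
    if m := PASV_RE.match(line):
        ip, port = _host_port(m.groups())
        return {"mode": "passive", "initiator": client_ip, "ip": ip, "port": port}
    if m := EPSV_RE.match(line):
        return {"mode": "passive", "initiator": client_ip, "ip": server_ip, "port": int(m.group(1))}
    return None


def pinhole(ep, client_ip, server_ip, protected_side):
    """What a firewall in front of protected_side ("client" or "server") must do.

    The advertised address must be the control-connection peer; anything else is
    refused (the FTP bounce pattern). Only a data connection initiated from the
    outside needs an inbound entry; one initiated from the inside is covered by
    Keep State on its first outgoing packet."""
    expected = client_ip if ep["mode"] == "active" else server_ip
    if ep["ip"] != expected or not 0 < ep["port"] < 65536:
        return ("refuse", ep["ip"], ep["port"])
    inbound = (ep["mode"] == "active") == (protected_side == "client")
    kind = "allow-inbound" if inbound else "outbound-keep-state"
    return (kind, "tcp", ep["initiator"], ep["ip"], ep["port"])


def track_session(lines, client_ip, server_ip, protected_side):
    """Collect the firewall decision for every data connection a session announces."""
    decisions = []
    for line in lines:
        try:
            ep = parse_data_endpoint(line, client_ip, server_ip)
        except ValueError:
            decisions.append(("malformed", line))   # an ALG drops what it cannot parse
            continue
        if ep is not None:
            decisions.append(pinhole(ep, client_ip, server_ip, protected_side))
    return decisions


# Constructed control-channel transcript (not captured traffic): client 10.0.0.7,
# server 198.51.100.20; each line is what the firewall sees on the control connection.
SESSION = [
    "USER anonymous",
    "331 Please specify the password.",
    "PASS guest",
    "230 Login successful.",
    "PASV",
    "227 Entering Passive Mode (198,51,100,20,195,149).",
    "LIST",
    "PORT 10,0,0,7,4,1",
    "200 PORT command successful.",
    "EPSV",
    "229 Entering Extended Passive Mode (|||50070|)",
    "PORT 203,0,113,50,0,25",     # advertises a third host: must be refused
]

if __name__ == "__main__":
    for side in ("client", "server"):
        print(side, track_session(SESSION, "10.0.0.7", "198.51.100.20", side))
```

The same transcript yields mirror-image decisions depending on which side the firewall protects: for a firewall in front of the client, the active-FTP PORT announcement needs an inbound entry to 10.0.0.7:1025 while the two passive connections are outbound; in front of the server the passive connections to ports 50069 and 50070 need inbound entries and the active one is outbound. The PORT line naming 203.0.113.50 is refused in both cases because it does not name the control-connection peer.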