
Adit 3000 (Rel. 1.6) and MSR Card (Rel 2.0) GUI 4-39
Security
Firewall Implementation
Firewall Processing Sequence
This section details the sequence of processing that the firewall applies when examining packets. This detail can help an experienced user better understand the order in which each of the various security settings is applied. The processing order is described separately for inbound processing and for outbound processing at an interface that has firewall and/or NAPT enabled. Note that if the interface is set for route mode with the firewall disabled, none of the packets are examined or translated either inbound or outbound at that interface boundary.
Inbound Firewall Processing
The following table describes the sequence of examination of packets arriving at the interface. This
firewall processing is applied after the layer 2 driver and before passing the inbound packet up to
the IP stack. If the action for matching packets at a particular step is described as PASS, no further
firewall examination is applied and the packet is passed up to the IP stack. If the action is described
as DROP, the packet is dropped and not passed up to the stack. Packets that do not match the criteria
at that step continue processing at the next step. Packets that are passed by the firewall and require
NAPT translation are translated before passing the packet up to the IP stack.
Step  Test                                                          Action
1     Insecure IP options: loose source route, strict source        DROP
      route, record route, time stamp, or invalid IP option
2     Invalid IP fragments                                          DROP
3     Match existing sessions: this matches ongoing sessions and    PASS
      applies NAPT where appropriate.
4     Packets generated by the firewall itself, e.g. TCP RST        PASS
      packets
5     User configured Advanced Filtering/Input Rule Sets/Initial    as per filter
      Rules
6     User configured Advanced Filtering/Input Rule Sets/Interface  as per filter
      Specific Rules
7     Standard Inbound Security:                                    DROP
      - ICMP to broadcast address
      - ICMP Redirect from the WAN
      - Source or destination IP address in loopback subnet
      - Source address from external host is Adit IP address
      - IP address spoofed (source address from one interface in
        other interface subnet)
      - Source IP address is broadcast, multicast, or experimental
      - Echo, Chargen, Snork, or Quote DoS (src port 7, 17, or 19;
        or src & dst port 135)
8     User configured Local Server                                  PASS (NAPT)
9     To Adit IP address & user configured Remote Management        PASS
10    SIP and RTP local ports                                       PASS
11    Active IPSEC tunnel                                           PASS
12    TCP Auth/Ident protocol (to TCP port 113)                     DROP
13    To Adit IP address & user configured DMZ Host                 PASS (NAPT)
14    Packet between DMZ interface and WAN interface                PASS
15    User configured Advanced Filtering/Input Rule Sets/Final      as per filter
      Rules
last  Take default action based on user configured General
      Security Policy:
      Maximum Security                                              DROP
      Typical Security                                              DROP
      Minimum Security                                              PASS
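The inbound sequence is a strict first-match pipeline, so the step order decides, for example, whether an established session is honoured before the standard security checks, and whether the default General Security Policy is ever reached. The following is an added Python model of that ordering (example code, not the Adit firmware's implementation); it covers a subset of the steps (1, 2, 3, 7, 9, 12 and the default action), and the packet field names, the IP option labels, and the session/management context are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed model: packets are dicts; a step returns "PASS", "DROP", or
# None (no match, continue), mirroring the table's semantics.
LOOPBACK = ip_network("127.0.0.0/8")
INSECURE_IP_OPTIONS = {"lsrr", "ssrr", "rr", "ts"}  # step 1 (assumed labels)
DOS_SRC_PORTS = {7, 17, 19}                          # Echo, Chargen, Quote (step 7)

def step_ip_options(pkt, ctx):            # step 1
    return "DROP" if INSECURE_IP_OPTIONS & set(pkt.get("ip_options", ())) else None

def step_fragments(pkt, ctx):             # step 2
    return "DROP" if pkt.get("bad_fragment") else None

def step_existing_session(pkt, ctx):      # step 3: consulted before any filter
    key = (pkt["proto"], pkt["src"], pkt.get("sport"), pkt["dst"], pkt.get("dport"))
    return "PASS" if key in ctx["sessions"] else None

def step_standard_security(pkt, ctx):     # step 7 (subset of its checks)
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    if src in LOOPBACK or dst in LOOPBACK:
        return "DROP"
    if str(src) == "255.255.255.255" or src.is_multicast or src.is_reserved:
        return "DROP"                     # broadcast, multicast, experimental
    if str(src) == ctx["adit_ip"]:
        return "DROP"                     # external host using the Adit's address
    sport, dport = pkt.get("sport"), pkt.get("dport")
    if sport in DOS_SRC_PORTS or (sport == 135 and dport == 135):
        return "DROP"                     # Echo/Chargen/Quote or Snork DoS
    return None

def step_remote_management(pkt, ctx):     # step 9
    to_adit = pkt["dst"] == ctx["adit_ip"]
    return "PASS" if to_adit and (pkt["proto"], pkt.get("dport")) in ctx["mgmt"] else None

def step_ident(pkt, ctx):                 # step 12
    return "DROP" if pkt["proto"] == "tcp" and pkt.get("dport") == 113 else None

def step_default_policy(pkt, ctx):        # last: General Security Policy
    return "PASS" if ctx["policy"] == "Minimum Security" else "DROP"

INBOUND_STEPS = [step_ip_options, step_fragments, step_existing_session,
                 step_standard_security, step_remote_management, step_ident,
                 step_default_policy]

def inbound_decision(pkt, ctx):
    """Apply the steps in table order; the first PASS or DROP is final."""
    for step in INBOUND_STEPS:
        verdict = step(pkt, ctx)
        if verdict is not None:
            return verdict, step.__name__
```

The returned step name shows which row of the table decided the packet, which is the quickest way to see why a filter rule or the default policy was never consulted.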