McAfee® Host Intrusion Prevention 6.1 Product Guide | Firewall Policies |
| Overview |
5
If you placed the more general Block Rule higher than the more specific Permit Rule, Host Intrusion Prevention would match the HTTP request from 10.10.10.1 against the Block Rule before it found the exception. It would block the traffic, even though you really wanted to allow HTTP requests from this address.
How stateful filtering works
Stateful filtering involves processing a packet against two rule sets, a configurable firewall rule set and a dynamic firewall rule set or state table.
The configurable rules have two possible actions:
The state table entries result from network activity and reflect the state of the network stack. Each rule in the state table has only one action: Allow, so any packet matched to a rule in the state table is automatically permitted.
The filtering process includes these steps:
1The firewall compares an incoming packet against entries in the state table. If the packet matches any entry in the table, the packet is immediately allowed. If not, the configurable firewall rules list is examined.
A state table entry is considered a match if the Protocol, Local Address, Local Port,
Remote Address and Remote Port match those of the packet.
2If the packet matches an allow rule, it is allowed and an entry is created in the state table.
3If the packet matches a block rule, it is blocked.
4If the packet does not match any configurable rule, it is blocked.
Figure 5-2 Stateful filtering process
72