R3303-HP HSR6800 Routers Security Configuration Guide

Configuring firewall
Overview
A firewall blocks unauthorized Internet access to a protected network while allowing internal network
users to access the Internet through WWW, or to send and receive e-mails. A firewall can also be used
to control access to the Internet, for example, to permit only specific hosts within the organization to
access the Internet. Many of today's firewalls offer additional features, such as identity authentication
and encryption.
Another application of a firewall is to protect the mainframe and important resources (such as data) on
internal networks. Any access to protected data is filtered by the firewall, even if the access is initiated by
a user within the internal network.
The device mainly implements three categories of firewalls:
ACL based packet filter
Application Specific Packet Filter (ASPF)
Network address translation (NAT)
This chapter focuses on the ACL-based packet-filter firewall and ASPF. For more information about NAT, see Layer
3—IP Services Configuration Guide.
VLAN interfaces do not support IPv4 and IPv6 packet filter firewall, or ASPF.
ACL based packet-filter
An ACL-based packet filter filters IP packets according to the fields in their headers.
Before an IP packet can be forwarded, the firewall obtains the header information of the packet,
including the following:
Number of the upper layer protocol carried by the IP layer
Source address
Destination address
Source port number
Destination port number
The firewall compares the header information against the preset ACL rules and processes the packet (permits or denies it) based
on the comparison result.
ASPF
ASPF was proposed to address the issues that a static (stateless) packet filter cannot solve. An ASPF implements
application layer and transport layer specific, namely status-based (stateful), packet filtering. An ASPF can detect
application layer protocols including FTP, GTP, HTTP, SMTP, Real RTSP, SCCP, SIP, and H.323 (Q.931,
H.245, and RTP/RTCP), and the transport layer protocols TCP and UDP.
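The following is an added example, not code from the HP guide and not the device's own implementation. It models the two mechanisms described above in simplified form: a stateless ACL packet filter that extracts the five header fields listed in the packet-filter section (upper-layer protocol, source address, destination address, source port, destination port) and applies first-match rules with an implicit deny, and a minimal ASPF-style stateful filter that records sessions opened by permitted outbound packets so that the matching return traffic is admitted without a static inbound rule. The rule sets, the private and TEST-NET addresses, and the class and function names are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter inspects (constructed model)."""
    proto: str   # upper-layer protocol carried by IP: "tcp" or "udp"
    src: str     # source address
    dst: str     # destination address
    sport: int   # source port number
    dport: int   # destination port number


@dataclass(frozen=True)
class AclRule:
    """One ACL rule: action plus optional match conditions (hypothetical format)."""
    action: str                 # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"      # CIDR prefix
    dst: str = "0.0.0.0/0"      # CIDR prefix
    dport: Optional[int] = None # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def packet_filter(rules: List[AclRule], pkt: Packet, default: str = "deny") -> str:
    """Stateless ACL packet filter: first matching rule wins, otherwise the default action."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


class Aspf:
    """Minimal stateful (status-based) filter built on top of the ACL packet filter.

    A permitted outbound packet creates a session entry; an inbound packet whose
    5-tuple is the reverse of a known session is permitted, everything else falls
    back to the inbound ACL.
    """

    def __init__(self, outbound_rules: List[AclRule], inbound_rules: List[AclRule]):
        self.outbound_rules = outbound_rules
        self.inbound_rules = inbound_rules
        self.sessions: Set[Tuple[str, str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> str:
        action = packet_filter(self.outbound_rules, pkt)
        if action == "permit":
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action

    def inbound(self, pkt: Packet) -> str:
        # Reverse the 5-tuple: the reply's source is the session's destination.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "permit"
        return packet_filter(self.inbound_rules, pkt)


# Constructed rule sets: inside hosts may browse and resolve names but not Telnet out;
# from outside only the published web server 10.0.0.80 is reachable.
OUTBOUND_RULES = [
    AclRule("deny", proto="tcp", dport=23),
    AclRule("permit", proto="tcp", src="10.0.0.0/8", dport=80),
    AclRule("permit", proto="udp", src="10.0.0.0/8", dport=53),
]
INBOUND_RULES = [
    AclRule("permit", proto="tcp", dst="10.0.0.80/32", dport=80),
]


def run_demo() -> dict:
    """Run constructed packets through both filters and return the decisions."""
    fw = Aspf(OUTBOUND_RULES, INBOUND_RULES)
    request = Packet("tcp", "10.0.0.5", "203.0.113.10", 40000, 80)
    reply = Packet("tcp", "203.0.113.10", "10.0.0.5", 80, 40000)
    unsolicited = Packet("tcp", "203.0.113.10", "10.0.0.5", 80, 40001)
    telnet = Packet("tcp", "10.0.0.5", "203.0.113.10", 40002, 23)
    return {
        "outbound_http": fw.outbound(request),             # permit, session recorded
        "telnet_out": fw.outbound(telnet),                 # deny by first rule
        "reply_stateful": fw.inbound(reply),               # permit via session table
        "reply_stateless": packet_filter(INBOUND_RULES, reply),  # deny: no static rule
        "unsolicited_inbound": fw.inbound(unsolicited),    # deny: no session, no rule
    }


if __name__ == "__main__":
    for label, action in run_demo().items():
        print(f"{label}: {action}")
```

The `reply_stateless` versus `reply_stateful` pair is the point of the ASPF section: a static filter can admit the server's reply only by opening every high port inbound, whereas the stateful filter admits exactly the reverse of a session it saw being opened from the inside.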