R2511-HP MSR Router Series Security Configuration Guide(V5)

Configuring firewall
Overview
A firewall blocks unauthorized Internet access to a protected network while allowing internal network
users to access the Internet through WWW, or to send and receive e-mails. A firewall can also be used
to control access to the Internet, for example, to permit only specific hosts within the organization to
access the Internet. Many of today's firewalls offer additional features, such as identity authentication
and encryption.
Another application of a firewall is to protect the mainframe and important resources (such as data) on
internal networks. Any access to protected data is filtered by the firewall, even if the access is initiated by
a user within the internal network.
The device mainly implements three categories of firewalls:
ACL based packet filter
Application Specific Packet Filter (ASPF)
Address translation
This chapter focuses on the ACL packet-filter firewall and ASPF. For more information about address
translation, see Layer 3—IP Service Configuration Guide.
ACL based packet-filter
An ACL packet filter filters individual IP packets based on the fields in their headers.
Before an IP packet can be forwarded, the firewall obtains the header information of the packet,
including the following:
Number of the upper layer protocol carried by the IP layer
Source address
Destination address
Source port number
Destination port number
The firewall compares the header information against the preset ACL rules and processes the packet
(forwards or drops it) based on the comparison result.
Support for fragment filtering
An ACL based packet-filter firewall supports fragment inspection and filtering by checking packet type,
Layer 3 information, and upper layer information:
Packet type—Non-fragmented packet, first fragment, or non-first fragment.
Layer 3 information of the packet—Checked against basic ACL rules, and against advanced ACL rules
that contain no information above Layer 3.
Upper layer information—Checked against advanced ACL rules that contain information above Layer 3.
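As an added example (not code from the HP guide or the device), the following Python simulation models the matching described above: Layer 3 fields are checked for every packet type, while a rule that contains information above Layer 3 can only match a packet that actually carries a Layer 4 header, so a non-first fragment is never matched by such a rule. The `frag_only` option, the addresses and the rule sets are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional
# Constructed simulation of ACL packet-filter matching (not device code).
@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"        # source network (Layer 3)
    dst: str = "0.0.0.0/0"        # destination network (Layer 3)
    proto: Optional[int] = None   # protocol number in the IP header (6 = TCP)
    dport: Optional[int] = None   # destination port: information above Layer 3
    frag_only: bool = False       # assumed option: match non-first fragments only

# Header fields the filter extracts; non-first fragments carry no Layer 4 header.
@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    frag: str = "none"            # "none", "first" or "non-first"
    dport: Optional[int] = None   # None for non-first fragments

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    # Layer 3 checks apply to every packet type.
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.frag_only and pkt.frag != "non-first":
        return False
    # A rule with information above Layer 3 cannot match a non-first fragment.
    if rule.dport is not None:
        if pkt.frag == "non-first" or rule.dport != pkt.dport:
            return False
    return True

def filter_packet(acl: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """Return the action of the first matching rule, else the default action."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return default

# Constructed ACL: deny TCP port 23 to the protected host, permit the rest.
ACL = [Rule("deny", dst="192.168.1.10/32", proto=6, dport=23), Rule("permit")]
# Same ACL plus a Layer 3 only rule that covers non-first fragments to the host.
ACL_FRAG = [ACL[0], Rule("deny", dst="192.168.1.10/32", proto=6, frag_only=True), Rule("permit")]
```

Running the first fragment of a TCP/23 flow through `ACL` yields "deny", but a non-first fragment of the same flow falls through to "permit" because the port rule has nothing to compare against; `ACL_FRAG` shows the Layer 3 only rule that closes that gap.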