R2511-HP MSR Router Series Security Configuration Guide(V5)

ASPF creates a TACL for the data connection. For a data connection, the ASPF does not perform
status inspection.
7. For returned control connection packets, the ASPF first matches these packets against the control
connection TACL, and then checks their application status based on the application type, and
determines whether to permit the packets to pass according to the results of the match checks. For
returned data connection packets, the ASPF only performs the data connection TACL match.
8. When the FTP connection is removed, the ASPF removes the status entry and TACL accordingly.
Single channel application protocol inspection—The inspection process for a single-channel protocol
(such as SMTP and HTTP) is relatively simple: a TACL is created at the connection initiation and is deleted
when the connection is removed.
Transport layer protocol inspection
The transport layer protocol inspection here refers to general TCP/UDP inspection. Unlike
application layer protocol inspection, general TCP/UDP inspection examines only the transport layer
information in the packets, such as the source and destination addresses and port numbers. General
TCP/UDP inspection requires a full match between the packets returned to the external interface of the
ASPF and the packets previously sent out from the external interface of the ASPF, namely a perfect match of
the source and destination addresses and port numbers. Otherwise, the returned packets are blocked.
Therefore, for multi-channel application layer protocols like FTP and H.323, deploying TCP
inspection without application layer inspection prevents the data connection from being established.
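The following is an added example, not code from the HP guide: a small Python model of the two inspection modes described above. Outbound packets create TACL entries keyed on the full 5-tuple; returned packets are permitted only when their reversed 5-tuple matches an entry. With application layer inspection enabled, the model also parses the FTP PORT command on the control connection and pre-creates a TACL entry for the data connection, so the server's active-mode data connection is accepted; with plain TCP inspection it is blocked. The class and function names, addresses and ports are all constructed for the example.

```python
# Added example (not from the HP guide): a minimal model of ASPF-style
# transport-layer (general TCP/UDP) inspection versus application-layer
# inspection for a multi-channel protocol such as FTP.
#
# All addresses, ports and packets below are constructed sample values.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


class Aspf:
    """Toy stateful inspector for one external interface.

    Outbound packets (internal -> external) create TACL entries keyed on the
    full 5-tuple. Inbound (returned) packets are permitted only if their
    reversed 5-tuple matches an existing entry, which is what the guide calls
    a "perfect match" of addresses and port numbers.
    """
    # Matches the FTP PORT command: PORT h1,h2,h3,h4,p1,p2 (RFC 959).
    _PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

    def __init__(self, app_inspect: bool):
        self.app_inspect = app_inspect   # True = FTP application-layer inspection
        self.tacl = set()                # set of 5-tuples (proto, src, sport, dst, dport)

    def outbound(self, pkt: Packet) -> None:
        """Internal host sends a packet out of the external interface."""
        self.tacl.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        # Application-layer inspection parses the FTP control channel and
        # pre-creates a TACL entry for the data connection the server will open.
        if self.app_inspect and pkt.proto == "tcp" and pkt.dport == 21:
            m = self._PORT_RE.search(pkt.payload)
            if m:
                h1, h2, h3, h4, p1, p2 = map(int, m.groups())
                client_ip = f"{h1}.{h2}.{h3}.{h4}"
                data_port = p1 * 256 + p2
                # Active-mode FTP: the server connects from port 20 to the
                # client's announced data port. Store the entry in "outbound"
                # orientation so the reversed inbound tuple matches it.
                self.tacl.add(("tcp", client_ip, data_port, pkt.dst, 20))

    def inbound(self, pkt: Packet) -> bool:
        """Returned packet arriving on the external interface; True = permitted."""
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reverse in self.tacl

    def close(self, pkt: Packet) -> None:
        """Connection removed: drop its TACL entry (step 8 in the guide)."""
        self.tacl.discard((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))


def ftp_active_session(app_inspect: bool) -> dict:
    """Run a constructed active-mode FTP exchange through the inspector."""
    aspf = Aspf(app_inspect)
    client, server = "10.0.0.5", "203.0.113.7"
    # Control connection from the client, carrying an FTP PORT command that
    # announces data port 10,0,0,5,4,1 -> 10.0.0.5:1025 (4*256+1).
    ctrl = Packet("tcp", client, 40000, server, 21, "PORT 10,0,0,5,4,1\r\n")
    aspf.outbound(ctrl)
    results = {
        # Server's reply on the control channel: reversed tuple matches.
        "control_reply": aspf.inbound(Packet("tcp", server, 21, client, 40000)),
        # Server opens the data connection from port 20 to client:1025.
        "data_connect": aspf.inbound(Packet("tcp", server, 20, client, 1025)),
        # An unrelated packet from the same server to another port is never allowed.
        "unrelated": aspf.inbound(Packet("tcp", server, 20, client, 2000)),
    }
    aspf.close(ctrl)
    # After the control connection is removed, its return traffic is blocked.
    results["after_close"] = aspf.inbound(Packet("tcp", server, 21, client, 40000))
    return results


if __name__ == "__main__":
    for mode in (False, True):
        print("application-layer inspection:", mode, ftp_active_session(mode))
```

Running the block shows `data_connect` is False under plain TCP inspection and True once the control channel is parsed, which is the failure mode the paragraph describes for FTP and H.323.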
Configuring a packet-filter firewall
Packet-filter firewall configuration task list
Task                                                              Remarks
Enabling the firewall function                                    Required
Configuring the default filtering action of the firewall          Optional
Enabling fragment inspection                                      Optional
Configuring the high and low thresholds for fragment inspection   Optional
Configuring packet filtering on an interface                      Required
Configuring Ethernet frame filtering                              Optional
Enabling the firewall function
Enabling the IPv4 firewall function
Step                                      Command           Remarks
1. Enter system view.                     system-view       N/A
2. Enable the IPv4 firewall function.     firewall enable   Disabled by default.
Enabling the IPv6 firewall function
To enable the IPv6 firewall function: