3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide
8 TRANSPARENT FIREWALL
Transparent Firewall Overview
By default, the firewall operates in route mode. When it is in transparent mode
(bridge mode), you cannot configure IP addresses on its interfaces; the interfaces
belong to Layer 2 security zones, and all hosts connected to interfaces that
belong to Layer 2 security zones are in the same IP subnet.
When packets are forwarded between interfaces in Layer 2 security zones, the
system selects the outgoing interface based on the destination MAC address carried
in each packet; in effect, the firewall operates as a transparent bridge. Unlike a
plain bridge, however, the firewall matches each packet against the session table
and the ACL rules and then decides whether to forward it or to pass it to the upper
layer for filtering and further processing. Attack prevention checks are also
applied. The transparent firewall supports ACL rule checking, ASPF filtering,
attack prevention, flow control, and other functions.
The transparent firewall connects to the LAN at the data link layer, so no
special configuration is required on client hosts; when it is added to the
network, it is treated like an ordinary Ethernet switch.
Obtaining the MAC Address Table
The transparent firewall forwards packets based on the MAC address table, which
consists of two parts: MAC addresses and interfaces. Therefore, it must learn the
mapping between them.
Broadcasting packets
When connected to a physical network segment, the transparent firewall listens to
all Ethernet frames on that segment. When it receives a frame on an interface, it
extracts the frame's source MAC address and adds the mapping between that MAC
address and the receiving interface to the MAC address table. See Figure 23.
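The following is an added example written for this page, not firmware, CLI output or configuration from the 3Com Switch 8800 firewall module. It models the two behaviours described above in a small simulation: source-MAC learning into a MAC address table keyed by receiving interface, and the step that distinguishes the transparent firewall from a plain bridge, matching each frame against Layer 2 ACL rules before it is forwarded. Flooding of frames whose destination MAC has not yet been learned is standard bridge behaviour that this page does not spell out; the session table, ASPF and attack prevention are not modelled; the interface names, MAC addresses, ACL rule and the default-permit policy when no rule matches are assumptions of the example.

```python
"""Minimal transparent (learning) bridge with a Layer 2 ACL check.

Illustrative code only; it is not the 3Com firewall module's implementation.
All frames, interface names and ACL rules below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str                 # source MAC address
    dst: str                 # destination MAC address
    ethertype: int = 0x0800  # IPv4 unless stated otherwise


@dataclass
class AclRule:
    """Simple Layer 2 ACL rule: a field set to None matches any value."""
    action: str                      # "permit" or "deny"
    src: Optional[str] = None
    dst: Optional[str] = None
    ethertype: Optional[int] = None

    def matches(self, frame: Frame) -> bool:
        return ((self.src is None or self.src == frame.src)
                and (self.dst is None or self.dst == frame.dst)
                and (self.ethertype is None or self.ethertype == frame.ethertype))


class TransparentFirewall:
    def __init__(self, interfaces: List[str], acl: List[AclRule]):
        self.interfaces = list(interfaces)
        self.acl = list(acl)
        # MAC address table: learned MAC -> interface the MAC was last seen on.
        self.mac_table: Dict[str, str] = {}

    def learn(self, frame: Frame, in_if: str) -> None:
        # Source-MAC learning: bind the sender's MAC to the receiving interface.
        # A later sighting on another interface overwrites the entry (host moved).
        if frame.src != BROADCAST:
            self.mac_table[frame.src] = in_if

    def acl_action(self, frame: Frame) -> str:
        # First matching rule wins. Permit-by-default when nothing matches is an
        # assumption of this example, not documented device behaviour.
        for rule in self.acl:
            if rule.matches(frame):
                return rule.action
        return "permit"

    def receive(self, frame: Frame, in_if: str) -> List[str]:
        """Process one frame arriving on in_if; return the egress interface list."""
        if in_if not in self.interfaces:
            raise ValueError(f"unknown interface {in_if}")
        self.learn(frame, in_if)
        if self.acl_action(frame) == "deny":
            return []  # dropped by the ACL check: the step a plain bridge lacks
        out_if = self.mac_table.get(frame.dst)
        if frame.dst == BROADCAST or out_if is None:
            # Broadcast or not-yet-learned destination: flood to all other interfaces.
            return [i for i in self.interfaces if i != in_if]
        if out_if == in_if:
            return []  # destination is on the ingress segment; nothing to bridge
        return [out_if]


# Constructed hosts: A behind eth1, B behind eth2, C behind eth3.
A, B, C = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"


def demo() -> Tuple[List[str], List[str], List[str], Dict[str, str]]:
    fw = TransparentFirewall(["eth1", "eth2", "eth3"], acl=[AclRule("deny", src=C)])
    # 1. A sends to B: B is unknown, so the frame floods to eth2 and eth3; A is learned on eth1.
    first = fw.receive(Frame(A, B), "eth1")
    # 2. B replies: A is known, so the reply goes only to eth1; B is learned on eth2.
    second = fw.receive(Frame(B, A), "eth2")
    # 3. C sends to A: C's MAC is learned from the frame, but the ACL denies it.
    third = fw.receive(Frame(C, A), "eth3")
    return first, second, third, dict(fw.mac_table)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the table filling in one entry per source MAC seen, the unknown-destination flood on the first frame, the pinpointed forwarding once the reply has been learned, and the denied frame returning an empty egress list while still populating the table.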