Firewall Phases and Actions

[Index]
[Previous Chapter: Stateful Packet Inspection and Firewall Rules]
[Next Chapter: Using the Firewall Control Panel]

Chapter 4: Firewall Phases and Actions

Redirection Phase

Technically termed 'Destination Network Address Translation', or 'DNAT', the redirection phase is used if you wish change the destination of network traffic entering or leaving a zone.  The default behaviour of the firewall when there are no matching rules in this phase is to not perform any translation.

There are three types of action you can specify for a rule in the redirection phase:

• Redirect     

  The destination address of traffic matching a 'redirect' rule is changed to the specified target address and it is then passed on to the Filtering phase. 

• Do Not Redirect           (default action)

  Traffic that matches a 'do not redirect' rule is passed unaltered to the filtering phase.  This is the also the default action if no rules are matched.  A 'do not redirect' rule only needs to be explicitly given if you have a more general 'redirect' rule that you wish to override for a specific case. 

• Drop     

  Traffic matching a 'drop' rule is silently discarded. 

  Normally, all 'drop' rules are placed in the Filtering phase.  The only circumstance where 'drop' rules should be placed in the Redirection phase is where you need to block a specific case of traffic that would otherwise match a more general 'redirect' rule, and need to specify it on the basis of its original destination address. 

Filtering Phase

The filtering phase is the most important phase, and must be populated with rules for the firewall to permit any traffic through it.  This phase is where you normally specify what network traffic should be permitted and what traffic should be discarded.  The default behaviour of the firewall when there are no matching filtering rules is to silently discard the traffic.

The filtering actions are:

• Accept     

  Traffic matching this rule is passed onto the next firewall phase. 

• Reject     

  Traffic matching this rule is discarded, and an ICMP destination unreachable message is sent back to the source of it. 

• Drop           (Default Action)

  Traffic matching this rule is silently discarded. 

Masquerading Phase

Technically termed 'Source Network Address Translation', or 'SNAT', the masquerading phase is used if you wish change the source address of network traffic entering or leaving a zone.  The default behaviour of the firewall when there are no matching rules in this phase is to not perform any translation.

There are three types of action you can specify for a rule in the redirection phase:

• Masquerade (Manual)

  10.0.45.1

  The source address of traffic matching a 'masquerade' rule is translated to the specified address. 

• Auto-Masquerade

  Auto

  An 'auto-masquerade' rule acts like a manual 'masquerade' rule, but you do not need to specify an address.  An address appropriate to the interface on which the traffic leaves the firewall is automatically chosen. 

• Do Not Masquerade           (Default Action)

  Traffic that matches a 'do not masquerade' leaves the firewall unaltered.  This is the also the default action if no rules are matched.  A 'do not masquerade' rule only needs to be explicitly given if you have a more general 'masquerade' or 'auto-masquerade' rule that you wish to override for a specific case. 

[Index]
[Previous Chapter: Stateful Packet Inspection and Firewall Rules]
[Next Chapter: Using the Firewall Control Panel]