Posted by Chris Cooper, Last modified by Jim Giseburt on 06 April 2017 12:45 PM
A stateful firewall is a secure, easy-to-use firewall that tracks all open connections and the state of those connections. A regular (stateless) firewall only inspects packets.
With a regular firewall, if you wanted your client workstations to be able to access Web servers on the Internet you would have to allow any machine on the Internet to access all the high ports on any client. This is a vulnerability many worms and trojans have been written to exploit.
With a stateful firewall, you specify how connections are to be made. For example, you can allow any client inside your network to make a connection to port 80 on any server outside. When that happens, only that server will be able to send packets back to the high port on your client that originated the connection, and it will be allowed to do so only from port 80.
The default policy of a firewall determines whether it drops or accepts connections by default. CIPAFilter ships with the Default Policy set to ACCEPT. This mode is acceptable if the CIPAFilter is in bridging mode behind another firewall. However, if the CIPAFilter is the firewall in your network, we recommend setting the Default Policy to DROP. The DROP policy, while giving you specific control of the traffic passing through the firewall, will require the creation of rules for any traffic that you wish to allow through the firewall. Tech support will be happy to assist you with the creation of appropriate rules for your network.
Note: Connections are only matched against the firewall when they are first opened. If you change the firewall, any established connections will remain open even if the new firewall rules prohibit them. Also note that the firewall does not apply to CIPAFilter itself; the router automatically adjusts its own firewall based on the configuration of the system to assure proper operation.
Example firewall configurations
The firewall rules are interpreted top down, so the first rule that matches a connection will determine its fate. For example:
The first two rules will allow machines on the 203.0.113.0/24 and 198.51.100.0/24 subnets to access the internal Web server at 10.0.0.15. However, they will only be able to access the Web service on that server. All connections going to all other services or from other subnets will be dropped on the third rule.
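As an added illustration (not CIPAFilter's own code or its rule-table format), the following Python model shows top-down, first-match evaluation of the three rules described above, combined with the connection tracking described in the stateful-firewall section: the Rule fields, the StatefulFirewall class and the sample addresses and ports are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Rule fields are an assumption; the article does not show CIPAFilter's rule table.
@dataclass
class Rule:
    src: str                # source network (CIDR)
    dst: str                # destination network (CIDR)
    dport: Optional[int]    # destination port, None = any port
    action: str             # "ACCEPT" or "DROP"

# Constructed rule set mirroring the three rules described in the article.
RULES = [
    Rule("203.0.113.0/24", "10.0.0.15/32", 80, "ACCEPT"),
    Rule("198.51.100.0/24", "10.0.0.15/32", 80, "ACCEPT"),
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "DROP"),   # catch-all drop
]

def match_rules(src_ip, dst_ip, dport, rules=RULES, default_policy="DROP"):
    """Top-down, first-match: the first matching rule decides; otherwise the default policy."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.src) and dst in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return default_policy

class StatefulFirewall:
    """Consults the rules only when a connection is opened; later packets and
    replies are accepted only if they belong to a tracked connection."""
    def __init__(self, rules=RULES, default_policy="DROP"):
        self.rules, self.default_policy = rules, default_policy
        self.connections = set()   # (src_ip, sport, dst_ip, dport) of open connections

    def packet(self, src_ip, sport, dst_ip, dport, syn=False):
        if (src_ip, sport, dst_ip, dport) in self.connections:
            return "ACCEPT"        # further packets of an open connection
        if (dst_ip, dport, src_ip, sport) in self.connections:
            return "ACCEPT"        # reply from the server: same ports, reversed
        if not syn:
            return "DROP"          # not the start of a connection and not tracked
        verdict = match_rules(src_ip, dst_ip, dport, self.rules, self.default_policy)
        if verdict == "ACCEPT":
            self.connections.add((src_ip, sport, dst_ip, dport))
        return verdict
```

Replacing the rule list on a live StatefulFirewall shows the behaviour noted below: connections already tracked keep passing, while new connections are judged against the new rules.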
Note: Firewall rules will only apply to traffic that is required to pass through the CIPAFilter; in practice, this means rules will usually apply only to traffic between two different subnets. This is because traffic between two devices within the same subnet will generally be moved directly between them rather than going through their gateway.
If you are experiencing a problem with ICMP traffic, simply enable the ICMP Firewall and select the types of ICMP packets you wish to let through.
Note: Always allow ICMP fragmentation-needed packets. These packets are required by Path MTU Discovery. If fragmentation-needed packets are blocked, you may experience problems where you can transmit small amounts of data over a connection but large amounts cause the connection to hang.
Keywords: Firewall, Accept Mode, Drop Mode, Firewall Rules, ICMP