
    Understanding How Stateless Firewall Filters Control Traffic on Site Access Links

    This topic provides an overview of the stateless firewall filters that you can configure in the Selfcare Portal. It is intended for cCPE business customers.

    Note: cCPE Selfcare Application supports the creation of the standard stateless firewall filters for IPv4 traffic. Service filters and simple filters cannot be created in the Selfcare Portal.

    The basic purpose of a stateless firewall filter is to enhance security through the use of packet filtering. Packet filtering enables you to inspect the components of incoming or outgoing packets and then perform the actions you specify on packets that match the criteria you specify.

    You can optionally use stateless firewall filters to filter traffic and police access to bandwidth for any traffic on an access link, be it within the VPN or destined for the Internet through the basic NAT service.

    A stateless firewall filter does not statefully inspect traffic. Instead, it evaluates each packet on its own, against the header fields it carries, and does not keep track of the state of network connections. In practice this means the filter cannot recognize return traffic as belonging to a session it already allowed: if a filter permits outbound connections, the corresponding inbound replies must be permitted explicitly by their own match conditions.

    Stateless firewall filters support a rich set of packet-matching criteria that you can use to match specific traffic and perform specific actions, such as forwarding or dropping packets that match the criteria you specify. You can configure firewall filters to protect the local router or to protect another device that is either directly or indirectly connected to the local router.

    To navigate to the stateless firewall filter page, in the Selfcare Portal task pane, select Administration > Site Configuration > Access Links and select the Stateless Firewall tab. Figure 1 shows an example of the Stateless Firewall dialog box.

    Figure 1: Example-Stateless Firewall Filter Dialog Box


    cCPE business customers can configure one stateless firewall filter per access link, which processes IPv4 packets flowing through the access link. Each stateless firewall filter requires you to configure the following components:

    Filter Direction

    The filter direction specifies the direction in which packets are examined. Possible values include:

    • input — Incoming packets are evaluated for a match.
    • output — Outgoing packets are evaluated for a match.
    • both — Incoming and outgoing packets are evaluated for a match.

    Terms

    A term is a named structure in which match conditions and actions are defined. You must specify at least one firewall filter term.

    You must specify a unique name for each term within a firewall filter. The term name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long.

    All stateless firewall filters must contain one or more terms, and each term consists of two components: match conditions and actions. Both components are described in the sections that follow.

    The order in which you specify terms within a firewall filter configuration is important. Firewall filter terms are evaluated in the order in which they appear in the list. By default, new terms are always added to the end of the existing filter. You can reorder the terms in the Selfcare Portal by dragging and dropping them to create the desired order.

    Match Conditions

    Match conditions define the values or fields that the packet must contain to be considered a match. If a packet is a match, the corresponding action is taken. By default, a packet that does not match any term of a firewall filter is discarded. If no firewall filter is applied to an interface in a given direction, packets flowing in that direction are accepted by default.

    Firewall filter match conditions are specific to the type of traffic being filtered. All firewall filters configured using the Selfcare Portal are IPv4 filters.

    For a complete list of firewall filter match conditions for IPv4 traffic, see Firewall Filter Match Conditions for IPv4 Traffic.


    A term without a match condition matches all packets, so a catch-all term placed early in the list shadows every term after it. If multiple conditions are defined in the same term, all conditions must be matched for the associated action to be performed. When a packet meets the conditions, the actions in the same term are executed. Terminating actions, such as accept, discard, or reject, cause the firewall filter to skip the rest of the terms.

    Actions

    Actions specify what is done with a packet that matches the term.

    Table 1 summarizes the types of actions you can specify in a firewall filter term.

    Table 1: Firewall Filter Action Categories and Actions

    Terminating

    Halts all evaluation of a firewall filter for a specific packet. The router performs the specified action, and no additional terms are used to examine the packet.

    You can specify only one terminating action in a firewall filter term. You can, however, combine that terminating action with one or more nonterminating actions in the same term. For example, within a term, you can specify accept together with count and syslog.

    See Firewall Filter Terminating Actions.

    Nonterminating

    Performs other functions on a packet, such as incrementing a counter, logging information about the packet header, sampling the packet data, or sending information to a remote host using the system log functionality. A term whose only actions are nonterminating implicitly accepts the packet, and no additional terms examine it unless the term also includes the next term action.

    See Firewall Filter Nonterminating Actions.

    Flow control

    For standard firewall filters only, the next term action directs the router (or switch) to perform the term's configured nonterminating actions on the packet and then, rather than terminate the filter, evaluate the packet against the next term in the filter. Without the next term action, a packet that matches a term is not evaluated against subsequent terms.

    This matters because a term that contains only a nonterminating action such as count has an implicit accept rather than an implicit discard: the packet is counted and accepted, and no later term sees it. Adding the next term action forces evaluation of the filter to continue.

    You cannot configure the next term action with a terminating action in the same filter term. However, you can configure the next term action with one or more nonterminating actions in the same filter term.

    A maximum of 1024 next term actions are supported per standard firewall filter configuration. If you configure a standard firewall filter that exceeds this limit, your candidate configuration results in a commit error.
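    The term-evaluation rules above (ordered first-match, logical AND of conditions within a term, implicit discard when nothing matches, implicit accept for a nonterminating-only term, and next term as the only way to keep evaluating) are easy to get wrong when ordering terms in the portal. The following Python model is an added example, not the Selfcare Portal's or the router's code; it replays those rules over a constructed four-term filter and constructed sample packets, and also checks the configuration constraints the page states (unique term names of up to 64 letters, digits or hyphens; one terminating action per term; next term never combined with a terminating action; at most 1024 next term actions). The match-condition names source_address, protocol and destination_port, and the term and packet names, are assumptions chosen for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Action vocabulary used by this model (a subset of what a real filter offers).
TERMINATING = {"accept", "discard", "reject"}
NEXT_TERM = "next term"
ADDRESS_KEYS = {"source_address", "destination_address"}
# Term names: letters, digits and hyphens, up to 64 characters (constraint from the page).
TERM_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,64}$")


@dataclass
class Term:
    name: str
    match: dict = field(default_factory=dict)    # all conditions must hold (logical AND)
    actions: list = field(default_factory=list)  # e.g. ["count", "accept"]


def validate(terms):
    """Return the list of constraint violations; an empty list means the filter is valid."""
    errors, seen, next_term_total = [], set(), 0
    if not terms:
        errors.append("a filter must contain at least one term")
    for t in terms:
        if not TERM_NAME_RE.match(t.name):
            errors.append(f"{t.name!r}: name must be 1-64 letters, digits or hyphens")
        if t.name in seen:
            errors.append(f"{t.name!r}: term names must be unique within a filter")
        seen.add(t.name)
        terminating = [a for a in t.actions if a in TERMINATING]
        if len(terminating) > 1:
            errors.append(f"{t.name!r}: only one terminating action per term")
        if NEXT_TERM in t.actions:
            next_term_total += 1
            if terminating:
                errors.append(f"{t.name!r}: 'next term' cannot share a term with a terminating action")
    if next_term_total > 1024:
        errors.append("more than 1024 'next term' actions in one filter")
    return errors


def _matches(term, pkt):
    """True if every condition in the term holds for the packet (no conditions matches all)."""
    for key, want in term.match.items():
        have = pkt.get(key)
        if have is None:
            return False
        if key in ADDRESS_KEYS:
            if ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        elif have != want:
            return False
    return True


def evaluate(terms, pkt):
    """Evaluate a packet against an ordered term list.

    Returns (final_action, fired), where fired lists the nonterminating actions
    that ran as "term:action" strings, in evaluation order.
    """
    fired = []
    for term in terms:
        if not _matches(term, pkt):
            continue
        nonterm = [a for a in term.actions if a not in TERMINATING and a != NEXT_TERM]
        fired.extend(f"{term.name}:{a}" for a in nonterm)
        terminating = [a for a in term.actions if a in TERMINATING]
        if terminating:
            return terminating[0], fired      # terminating action: stop here
        if NEXT_TERM in term.actions:
            continue                          # flow control: keep evaluating
        return "accept", fired                # nonterminating-only term: implicit accept
    return "discard", fired                   # no term matched: implicit discard


# Constructed sample filter for the input direction of an access link (assumed names).
FILTER = [
    Term("allow-ssh-from-mgmt",
         {"source_address": "10.0.0.0/24", "protocol": "tcp", "destination_port": 22},
         ["count", "accept"]),
    Term("audit-dns", {"protocol": "udp", "destination_port": 53},
         ["count", NEXT_TERM]),                # count, then fall through to the next term
    Term("allow-dns", {"protocol": "udp", "destination_port": 53}, ["accept"]),
    Term("count-icmp", {"protocol": "icmp"}, ["count"]),   # no terminating action: implicit accept
]

# Constructed sample packets, not captured traffic.
SAMPLE_PACKETS = {
    "ssh-from-mgmt": {"source_address": "10.0.0.5", "protocol": "tcp", "destination_port": 22},
    "ssh-from-internet": {"source_address": "198.51.100.7", "protocol": "tcp", "destination_port": 22},
    "dns-query": {"source_address": "10.0.0.5", "protocol": "udp", "destination_port": 53},
    "ping": {"source_address": "10.0.0.5", "protocol": "icmp"},
}


def run_samples(terms=FILTER):
    """Map each sample packet name to its (final_action, fired) result."""
    return {name: evaluate(terms, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    assert not validate(FILTER)
    for name, (action, fired) in run_samples().items():
        print(f"{name:18} -> {action:8} {fired}")
    # Same terms in reverse order: allow-dns now matches first, so audit-dns never counts.
    print("reversed dns-query ->", evaluate(list(reversed(FILTER)), SAMPLE_PACKETS["dns-query"]))
```

    Running the model shows the two points that most often surprise people: the SSH packet from 198.51.100.7 matches no term and is silently discarded, and the ICMP packet is accepted even though count-icmp never says accept. Reversing the term order is the drag-and-drop mistake the portal lets you make: the DNS query is still accepted, but the audit counter in audit-dns stops incrementing because allow-dns now terminates evaluation first.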

    Modified: 2015-11-09