Stateless Firewall Filter Overview

A stateless firewall filter evaluates the contents of packets transiting the device from a source to a destination, or packets originating from, or destined for, the Routing Engine. Stateless firewall filters applied to the Routing Engine interface protect the processes and resources owned by the Routing Engine. A stateless firewall filter evaluates every packet, including fragmented packets.

The primary goal of a typical stateless firewall filter is to protect the Routing Engine processes and resources from malicious or untrusted packets. You can configure a firewall filter to do the following:

Restrict traffic destined for the Routing Engine based on its source, protocol, and application.
Limit the traffic rate of packets destined for the Routing Engine to protect against flood, or denial-of-service (DoS), attacks.
Address special circumstances associated with fragmented packets destined for the Routing Engine. Because the device evaluates every packet against a firewall filter (including fragments), you must configure the filter to accommodate fragments that do not contain packet header information. Otherwise, the filter discards all but the first fragment of a fragmented packet.

You can apply a stateless firewall filter to an input or output interface, or to both. Every packet, including fragmented packets, is evaluated against stateless firewall filters.

Note: A stateless firewall filter, often called a firewall filter or access control list (ACL), statically evaluates packet contents. In contrast, a stateful firewall filter, or stateful firewall policy, uses connection state information derived from past communications and other applications to make dynamic control decisions.

Stateless Firewall Filter Overview

Related Topics