ACL based packet-filter
An ACL packet-filter implements IP packet specific filtering.
Before an IP packet can be forwarded, the firewall obtains the header information of the packet, including the following:
Number of the upper layer protocol carried by the IP layer
Source address
Destination address
Source port number
Destination port number
The firewall compares the header information against the preset ACL rules and processes the packet based on the comparison result.
Support for fragment filtering
An ACL based packet-filter firewall supports fragment inspection and filtering by checking packet type, Layer 3 information, and upper layer information:
Packet type—Non-fragmented packet, first fragment, or non-first fragment.
Layer 3 information of the packet—Checked against basic ACL rules, and advanced ACL rules without information above Layer 3.
Upper layer information—Checked against advanced ACL rules containing information above Layer 3.
A packet-filter firewall configured with advanced ACL rules that require exact match records the Layer 3 and upper layer information carried in each first fragment. When subsequent fragments arrive, the firewall uses the saved information to perform an exact match against each match condition of an ACL rule. For more information about ACL, see HPE FlexNetwork MSR Router Series Comware 5 ACL and QoS Configuration Guide.
Exact match slightly decreases packet filtering efficiency: the more match items a rule contains, the lower the efficiency. You can specify a threshold to limit the maximum number of match entries the firewall processes.
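The following is an added illustration of the fragment-handling behavior described above; it is a simplified Python model written for this page, not Comware code. It assumes a minimal rule format (a None field is a wildcard, a port field marks an advanced rule), exact-match addresses, and a configurable cap on saved fragment entries standing in for the match-entry threshold.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: Optional[int] = None  # upper layer protocol number carried by IP
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None  # setting this makes it an "advanced" rule

@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    ip_id: int                   # IP identification shared by all fragments
    frag_offset: int             # 0 for the first fragment or an unfragmented packet
    more_fragments: bool         # MF flag
    sport: Optional[int] = None  # ports exist only in the first fragment
    dport: Optional[int] = None

class AclPacketFilter:
    def __init__(self, rules: List[Rule], default: str = "deny", max_entries: int = 1024):
        self.rules = rules
        self.default = default
        self.max_entries = max_entries  # threshold on saved first-fragment entries
        # (src, dst, proto, ip_id) -> (sport, dport) learned from the first fragment
        self.frag_table: Dict[Tuple[str, str, int, int], Tuple[Optional[int], Optional[int]]] = {}

    def _upper_layer(self, pkt: Packet) -> Tuple[Optional[int], Optional[int]]:
        key = (pkt.src, pkt.dst, pkt.proto, pkt.ip_id)
        if pkt.frag_offset == 0:
            # First fragment: save its Layer 4 information for the later fragments.
            if pkt.more_fragments and len(self.frag_table) < self.max_entries:
                self.frag_table[key] = (pkt.sport, pkt.dport)
            return pkt.sport, pkt.dport
        # Non-first fragment: reuse the saved information, if the first fragment was seen.
        return self.frag_table.get(key, (None, None))

    def filter(self, pkt: Packet) -> str:
        _, dport = self._upper_layer(pkt)
        for r in self.rules:  # first matching rule wins
            if r.proto is not None and r.proto != pkt.proto:
                continue
            if r.src is not None and r.src != pkt.src:
                continue
            if r.dst is not None and r.dst != pkt.dst:
                continue
            # A fragment with no saved port information cannot exactly match a port condition.
            if r.dport is not None and r.dport != dport:
                continue
            return r.action
        return self.default
```

A non-first fragment whose first fragment was never recorded (for example, because the entry threshold was reached) can only match basic rules and falls to the default action.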
ACL packet-filter limitations
An ACL packet-filter is a static firewall. It cannot solve the following issues:
For multi-channel application layer protocols, such as FTP and H.323, the values of some security policy parameters are unpredictable.
Some attacks from the transport layer and application layer, such as TCP SYN flooding and malicious Java applets, cannot be detected.
ICMP attacks cannot be prevented because not all faked ICMP error messages from the network can be recognized.
A TCP connection must begin with a SYN packet, so the firewall drops any non-SYN packet that is the first packet it sees on a connection. If a packet-filter firewall is deployed in a network that already has established TCP connections, the non-SYN packets of those connections are dropped the first time they pass the firewall, which breaks the existing connections.