The firewall enters every currently permitted connection into the connection list. An entry is removed from the list automatically after a certain idle time (timeout); every packet transmitted over the connection re-triggers the timeout.
Sometimes a connection is ended by the general TCP aging settings before the data packets requested by an inquiry have been received by the remote station. In this case the connection list may still contain an entry for a permitted connection even though the connection itself no longer exists.
The parameter “Session recovery” determines how the firewall treats packets that belong to such a former connection:
- Always denied: The firewall never re-establishes the session and discards the packet.
- Denied for default route: The firewall re-establishes the session only if the packet was not received via the default route (e.g. from the Internet).
- Denied for WAN: The firewall re-establishes the session only if the packet was not received over one of the WAN interfaces.
- Always allowed: The firewall always re-establishes the session if the packet belongs to a former connection in the connection list.
With “Always allowed”, an unsolicited packet arriving from the Internet side whose addresses match a stale entry is enough to reopen the session; the two “Denied for …” settings exist to prevent exactly that for packets arriving over the default route or the WAN.
Note: The virtual routers work by evaluating the interface tag, so not only the untagged default route but also other routes count as default routes:
- When a packet is received on a WAN interface, the firewall considers this WAN interface a default route if either a tagged or an untagged default route refers to it.
- If a packet is received on a LAN interface and is to be routed to a WAN interface, that WAN interface is considered a default route if either the untagged default route or a default route tagged with the interface tag refers to it.
Default route filters also take effect if the default route lies in the LAN. Here the filter applies when:
- A packet was received on a tagged LAN interface and is to be sent over a default route tagged with the interface tag, or
- A packet from another router was received on a tagged LAN interface and a default route with the interface tag leads to the packet's source address, or
- A packet was received from the WAN and is to be sent to the LAN via a default route with any tag.
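The following is an added, constructed model of the whole decision described above (connection-list aging, the four session-recovery settings, and the tagged/untagged default-route rules); it is not LANCOM's code. The topology, addresses, interface names (`INTERNET`, `LAN-1`, `LAN-2`), the rule that a routing tag sees its own routes plus the untagged ones, and the idea that an aged-out entry stays recognisable as a "former" connection are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Interface:
    name: str
    kind: str     # "WAN" or "LAN"
    tag: int = 0  # interface tag, 0 = untagged

@dataclass(frozen=True)
class Route:
    prefix: str   # "0.0.0.0/0" is a default route
    via: str      # egress interface name
    tag: int = 0  # routing tag, 0 = untagged
    def is_default(self):
        return ip_network(self.prefix).prefixlen == 0

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str    # interface the packet arrived on

class Router:
    def __init__(self, interfaces, routes):
        self.ifs = {i.name: i for i in interfaces}
        self.routes = list(routes)

    def lookup(self, addr, tag):
        # Longest-prefix match. Assumption: a tag sees its own routes plus the
        # untagged ones and prefers its own on a tie; tag=None sees every route.
        ip = ip_address(addr)
        cands = [r for r in self.routes
                 if (tag is None or r.tag in (0, tag)) and ip in ip_network(r.prefix)]
        return max(cands, default=None,
                   key=lambda r: (ip_network(r.prefix).prefixlen, r.tag == tag))

    def via_default_route(self, pkt):
        ingress = self.ifs[pkt.in_if]
        if ingress.kind == "WAN":
            # Any tagged or untagged default route referring to the ingress WAN
            # interface, or forwarding to the LAN over a default route with any tag.
            if any(r.is_default() and r.via == ingress.name for r in self.routes):
                return True
            out = self.lookup(pkt.dst, None)
            return out is not None and out.is_default() and self.ifs[out.via].kind == "LAN"
        out = self.lookup(pkt.dst, ingress.tag)  # untagged, or tagged with the interface tag
        if out is not None and out.is_default():
            if self.ifs[out.via].kind == "WAN" or (ingress.tag and out.tag == ingress.tag):
                return True  # LAN -> WAN, or tagged LAN sent over a default route with its tag
        # Packet from another router: a default route with the interface tag leads to its source.
        back = self.lookup(pkt.src, ingress.tag)
        return bool(ingress.tag) and back is not None and back.is_default() and back.tag == ingress.tag

    def recovery_allowed(self, setting, pkt):
        if setting == "always denied":
            return False
        if setting == "always allowed":
            return True
        if setting == "denied for WAN":
            return self.ifs[pkt.in_if].kind != "WAN"
        assert setting == "denied for default route"
        return not self.via_default_route(pkt)

class ConnectionList:
    def __init__(self, router, setting, timeout):
        self.router, self.setting, self.timeout = router, setting, timeout
        self.active = {}     # connection -> time of last data
        self.former = set()  # assumption: aged-out entries stay recognisable as "former"

    def handle(self, pkt, now, permitted=False):
        k = frozenset((pkt.src, pkt.dst))          # either direction; ports omitted
        for old, t in list(self.active.items()):
            if now - t > self.timeout:             # idle timeout expired, entry removed
                del self.active[old]
                self.former.add(old)
        if k in self.active or permitted:          # data re-triggers the timeout
            self.active[k] = now
            self.former.discard(k)
            return "forwarded"
        if k not in self.former:
            return "no-session"                    # left to the ordinary filter rules
        if not self.router.recovery_allowed(self.setting, pkt):
            return "dropped"
        self.former.discard(k)
        self.active[k] = now
        return "recovered"

def scenario(setting):
    # Constructed topology: untagged WAN and LAN, plus a LAN with interface tag 2.
    router = Router(
        [Interface("INTERNET", "WAN"), Interface("LAN-1", "LAN"), Interface("LAN-2", "LAN", tag=2)],
        [Route("0.0.0.0/0", "INTERNET"), Route("192.168.1.0/24", "LAN-1"),
         Route("192.168.2.0/24", "LAN-2")])
    conns = ConnectionList(router, setting, timeout=10)
    client, server, peer = "192.168.1.10", "203.0.113.5", "192.168.2.20"
    conns.handle(Packet(client, server, "LAN-1"), now=0, permitted=True)
    conns.handle(Packet(client, peer, "LAN-1"), now=0, permitted=True)
    return {
        "reply in time": conns.handle(Packet(server, client, "INTERNET"), now=5),
        "late reply from WAN": conns.handle(Packet(server, client, "INTERNET"), now=100),
        "late retransmit to WAN": conns.handle(Packet(client, server, "LAN-1"), now=101),
        "late LAN-to-LAN packet": conns.handle(Packet(peer, client, "LAN-2"), now=102),
    }
```

Running `scenario("denied for default route")` shows the point of the setting: the in-time reply is forwarded, both late packets that touch the Internet-facing default route (the reply arriving on the WAN and the client's own retransmit towards the WAN) are dropped, while the late LAN-to-LAN packet, which never uses a default route, is recovered. Under "denied for WAN" the retransmit from the LAN is recovered again, and "always allowed" recovers all three.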