From the entire data stream passing through the IP router, the firewall picks out the data packets that require special treatment.
The firewall inspects only the data packets that are routed by the IP router in the device. In general, these are data packets exchanged between the internal networks (LAN, WLAN, DMZ) and the "outside world" via one of the WAN interfaces. Communication between the LAN and WLAN is not usually handled by the router, provided that the LAN bridge allows a direct exchange, so the firewall rules do not apply there. The same applies to the so-called "internal services" such as Telnet, TFTP, SNMP and the web server for configuration via WEBconfig: the data packets for these services do not pass through the router and are therefore not affected by the firewall. Access to these services can consequently not be restricted with firewall rules and has to be limited by other means.
The firewall in the device inspects the data packets using a number of lists, which are generated automatically from the firewall rules, the firewall actions triggered by them, or the active data connections:
- Host blocking list
- Port blocking list
- Connection list
- Filter list
When a data packet is to be routed via the IP router, the firewall uses the lists as follows:
- The first check is whether the packet has arrived from a station that is in the host blocking list. If the sender is blocked, the packet is dropped.
- If the sender is not blocked, the port blocking list is checked to see whether the port/protocol combination used on the target computer is closed. In this case the packet is dropped.
- If neither the sender nor the destination is blocked by the first two lists, a check is made as to whether this connection is entered in the connection list. If an entry exists, the packet is handled according to that entry.
- If no entry is found for the packet, the filter list is scanned for a suitable entry and the action indicated there is performed. If the action indicates that the packet is to be accepted, an entry is made in the connection list and any further actions are noted there.
The four lists obtain their information as follows:
- The host blocking list contains those stations that are blocked for a certain time due to a firewall event. This list is dynamic and new entries can be added continuously by corresponding firewall events; entries disappear automatically after the blocking time expires.
- The port blocking list contains those protocols and services that are blocked for a certain time due to a firewall event. This list is also dynamic and new entries can be added continuously by corresponding firewall events; entries disappear automatically after the blocking time expires.
- Established connections are entered into the connection list if the checked packet is accepted by the filter list. The connection list records the source and destination, the protocol, and the port that a connection is currently allowed to use. The list also indicates how long the entry remains in the list and which firewall rule generated the entry. This list is highly dynamic and always "on the move".
- The filter list is generated from the rules in the firewall. The filters it contains are static and can only be changed when firewall rules are added, edited or deleted.
All lists used by the firewall to inspect the data packets are therefore ultimately based on the firewall rules (see Parameters of the firewall rules).
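The lookup order (host blocking list, port blocking list, connection list, filter list) and the way firewall events feed the dynamic lists can be seen most clearly in a small model. The following is an added example written for this page; it is not code from the device firmware, and the rule format, the 300-second connection lifetime, the drop-by-default behaviour when no rule matches, the global (not per-destination) port blocking key and the refresh of a connection-list entry on each matching packet are all assumptions of the model, not facts stated above.

```python
"""Model of the four-list packet inspection order (added example, assumptions noted inline)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp", "icmp"
    dport: int   # destination port (0 for protocols without ports)


@dataclass(frozen=True)
class Rule:
    """One firewall rule; None in a field matches anything (assumed rule format)."""
    name: str
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    action: str = "drop"          # "accept" or "drop"
    block_host_secs: int = 0      # firewall event: put the sender on the host blocking list
    block_port_secs: int = 0      # firewall event: close the port/protocol for this long

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == have for want, have in (
            (self.src, p.src), (self.dst, p.dst),
            (self.proto, p.proto), (self.dport, p.dport)))


class Firewall:
    CONN_TIMEOUT = 300  # assumed lifetime of a connection-list entry, in seconds

    def __init__(self, rules, default_action="drop"):
        # Filter list: static, regenerated only when rules are added, edited or deleted.
        self.filter_list = list(rules)
        self.default_action = default_action   # assumption: drop when no rule matches
        # The three dynamic lists; every value carries an expiry time.
        self.host_block = {}     # src address -> expiry
        self.port_block = {}     # (proto, dport) -> expiry (assumed global, not per target)
        self.connections = {}    # (src, dst, proto, dport) -> (expiry, generating rule)
        self.clock = 0.0         # simulated time, advanced by tick()

    def tick(self, seconds: float) -> None:
        """Advance time and let expired entries disappear from the dynamic lists."""
        self.clock += seconds
        for table in (self.host_block, self.port_block):
            for k in [k for k, exp in table.items() if exp <= self.clock]:
                del table[k]
        for k in [k for k, (exp, _) in self.connections.items() if exp <= self.clock]:
            del self.connections[k]

    def inspect(self, p: Packet) -> Tuple[str, str]:
        """Decide on a packet the router wants to forward; returns (action, reason)."""
        # 1. Host blocking list: sender blocked by an earlier firewall event?
        if p.src in self.host_block:
            return "drop", "host blocking list"
        # 2. Port blocking list: port/protocol combination closed?
        if (p.proto, p.dport) in self.port_block:
            return "drop", "port blocking list"
        # 3. Connection list: packet belongs to an already accepted connection?
        key = (p.src, p.dst, p.proto, p.dport)
        if key in self.connections:
            _, rule_name = self.connections[key]
            self.connections[key] = (self.clock + self.CONN_TIMEOUT, rule_name)  # assumed refresh
            return "accept", f"connection list ({rule_name})"
        # 4. Filter list: first matching rule decides and may trigger firewall events.
        for rule in self.filter_list:
            if not rule.matches(p):
                continue
            if rule.block_host_secs:
                self.host_block[p.src] = self.clock + rule.block_host_secs
            if rule.block_port_secs:
                self.port_block[(p.proto, p.dport)] = self.clock + rule.block_port_secs
            if rule.action == "accept":
                self.connections[key] = (self.clock + self.CONN_TIMEOUT, rule.name)
            return rule.action, f"filter list ({rule.name})"
        return self.default_action, "no matching rule (default)"


def demo():
    """Constructed traffic: a permitted web session and a trap rule on TCP/23."""
    fw = Firewall([
        Rule("ALLOW-HTTP", dst="203.0.113.10", proto="tcp", dport=80, action="accept"),
        Rule("TRAP-TELNET", proto="tcp", dport=23, action="drop",
             block_host_secs=60, block_port_secs=10),
    ])
    web = Packet("192.168.1.20", "203.0.113.10", "tcp", 80)
    telnet = Packet("192.168.1.20", "203.0.113.10", "tcp", 23)
    other = Packet("192.168.1.30", "203.0.113.10", "tcp", 23)
    trace = [fw.inspect(web),      # accepted by the filter list, connection entry created
             fw.inspect(web),      # accepted straight from the connection list
             fw.inspect(telnet),   # dropped by the filter list; sender and port now blocked
             fw.inspect(web),      # dropped by the host blocking list despite the open connection
             fw.inspect(other)]    # another host hits the port blocking list
    fw.tick(60)                    # host block (60 s) and port block (10 s) expire
    trace += [fw.inspect(web),     # connection entry (300 s) still valid
              fw.inspect(other)]   # no blocks left, so the filter list decides again
    return trace


if __name__ == "__main__":
    for action, reason in demo():
        print(f"{action:7s} via {reason}")
```

The fourth step of the demo is the point worth noticing: once the sender has been placed on the host blocking list, its existing connection-list entry no longer helps it, because the host and port lists are consulted before the connection list.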