12.1. Firewall General

You can find the Firewall Rule Settings at Firewall → Rules.

12.1.1. Stateful vs Stateless

First a short excursus on what kind of firewall VT AIR is. VT AIR is a stateful firewall: it keeps track of open connections and lets packets that belong to a known connection through without re-evaluating the firewall rules for them.

The definition of a stateful firewall is:

Note

In computing, a stateful firewall is a network firewall that tracks the operating state and characteristics of network connections traversing it. The firewall is configured to distinguish legitimate packets for different types of connections. Only packets matching a known active connection are allowed to pass the firewall. (Stateful Firewall)

The definition of a stateless firewall is:

Note

Stateless firewalls watch network traffic, and restrict or block packets based on source and destination addresses or other static values. They are not ‘aware’ of traffic patterns or data flows. A stateless firewall uses simple rule-sets that do not account for the possibility that a packet might be received by the firewall ‘pretending’ to be something you asked for. (Stateful vs Stateless Firewalls)
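
As an added illustration of the two definitions (not part of the original page and not VT AIR's own generated ruleset), the following nftables fragment shows the same intended policy written first statelessly and then statefully. Load only one of the two tables at a time; the interface name lan0 is an assumption.

```nft
# Added example, not VT AIR's generated ruleset. Two alternative host
# firewalls for the same intent: "let my DNS queries and web browsing
# work, block everything else". Load only ONE of them. lan0 is assumed.

# Variant A: stateless. Only static header fields are examined.
table inet stateless_demo {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        # Intended: let DNS answers and HTTP(S) responses come back.
        # Effect: ANY packet from ANYWHERE with UDP source port 53 or
        # TCP source port 80/443 is accepted, whether or not this host
        # ever asked for it. An attacker only has to set the source port
        # ("pretending to be something you asked for").
        udp sport 53 accept
        tcp sport { 80, 443 } accept
    }
}

# Variant B: stateful. Conntrack remembers what left the host.
table inet stateful_demo {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        # Only packets belonging to a connection conntrack has already
        # seen (replies to our own queries, ICMP errors related to them)
        # are accepted. A forged "reply" has no conntrack entry, falls
        # through, and is dropped by the chain policy. For packets that
        # match here, none of the later rules are consulted.
        ct state established,related accept
        ct state invalid drop
        # New inbound connections must be permitted explicitly.
        ct state new iifname "lan0" tcp dport 22 accept
    }
}
```

In variant A, the rule set has no way to tell a genuine DNS answer from an unsolicited packet with source port 53; in variant B, that decision is made by the connection-tracking table rather than by the rules, which is exactly what the first definition above describes.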

12.1.2. Firewall Flow

To better understand firewall rules it is necessary to look at how the system processes them.

[Figure: Linux Network Flow]

In the different stages the following operations are performed:

  • PREROUTING: DNAT, before the routing decision
  • FORWARD: Firewall Rules for traffic forwarded between interfaces
  • INPUT: Firewall Rules if the destination is the firewall itself (e.g. DNS Server, WebGUI)
  • OUTPUT: Firewall Rules if the firewall itself is the source (e.g. replies from the DNS Server or WebGUI)
  • POSTROUTING: SNAT, after the routing decision

We will look into each option throughout this chapter.

OUTPUT is not filtered in VT AIR: packets generated by the firewall itself are always allowed out. Firewall rules therefore only ever restrict traffic arriving at the firewall (INPUT) or passing through it (FORWARD).

12.1.3. Firewall Processing

In VT AIR, the Global Firewall Rules are processed before any Interface Rule. First match wins and order matters: the first rule that matches a packet decides its fate and no later rule is evaluated, so a broad global rule can shadow a more specific interface rule placed after it.

12.1.4. Flowtable Bypass

We use a feature called flowtable bypass which speeds up firewall processing by a factor of 2. It bypasses the network stack for established connections and forwards their packets directly from the input interface to the output interface. It only works for connection-tracked TCP and UDP flows and is activated once the first packets of a flow have established the connection. For long-lived connections the offload is only active while traffic is actually flowing: after a few minutes without traffic the connection reverts to the normal path, and it is offloaded again as soon as new traffic is seen.

It is disabled for firewall rules that have logging or a limiter enabled, since those features need to see every packet of a connection and offloaded packets by design never pass through the rule set again.
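
The following nftables ruleset is an added example that ties the Firewall Flow, Firewall Processing and Flowtable Bypass sections together; it is not VT AIR's generated configuration, which the page does not show. The interface names wan0 and lan0, the addresses, and the use of a ct mark to keep logged connections out of the flowtable are all assumptions made for illustration.

```nft
# Added example, not VT AIR's generated ruleset. wan0, lan0, the
# addresses and the "ct mark 1 = do not offload" convention are assumed.
flush ruleset

table inet flow_demo {

    # Flowtable used by the bypass: once a flow has been added here, its
    # later packets go straight from the ingress device to the egress
    # device and skip every chain below.
    flowtable ft {
        hook ingress priority 0
        devices = { wan0, lan0 }
    }

    # PREROUTING: DNAT runs before the routing decision, so the filter
    # chains further down already see the translated destination.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "wan0" tcp dport 443 dnat ip to 192.168.1.10
    }

    # Global rules: consulted before any interface chain.
    chain global_rules {
        ct state invalid drop
        ip saddr 203.0.113.0/24 drop
    }

    # Interface rules: first match wins, order matters.
    chain lan0_rules {
        # Logged rule: mark the connection so it is never offloaded
        # (assumed way of modelling "logging disables the bypass").
        tcp dport 22 ct mark set 1 log prefix "lan-ssh " accept
        tcp dport { 80, 443 } accept
        udp dport 53 accept
    }
    chain wan0_rules {
        # Post-DNAT address of the published web server
        ip daddr 192.168.1.10 tcp dport 443 accept
    }

    # FORWARD: traffic between interfaces
    chain forward {
        type filter hook forward priority filter; policy drop;
        # Established, unmarked TCP/UDP flows are handed to the fast path.
        meta l4proto { tcp, udp } ct state established ct mark != 1 flow add @ft
        # Anything already known is accepted without re-checking rules.
        ct state established,related accept
        jump global_rules
        iifname "lan0" jump lan0_rules
        iifname "wan0" jump wan0_rules
    }

    # INPUT: destination is the firewall itself (DNS server, WebGUI)
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        jump global_rules
        iifname "lan0" udp dport 53 accept
        iifname "lan0" tcp dport 443 accept
    }

    # OUTPUT: deliberately no chain. Packets the firewall generates
    # (DNS answers, WebGUI responses) are never filtered.

    # POSTROUTING: SNAT after routing, once the output interface is known
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

Reading the forward chain top to bottom shows the processing order from the sections above: known flows are accepted (or offloaded) first, then the global chain, then the chain for the ingress interface, and the first terminal verdict wins. The only thing keeping the logged SSH connection on the slow path is the ct mark test in front of `flow add`; without it, every packet after the first would bypass the log rule.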