10.1. Firewall General
You can find the Firewall Rule Settings at Firewall → Rules.
10.1.1. Stateful vs Stateless
First, a short excursion into what kind of firewall VT AIR is. VT AIR is a stateful firewall: it keeps track of open connections and allows their packets without re-evaluating the firewall rules.
The definition of a stateful firewall is:
In computing, a stateful firewall is a network firewall that tracks the operating state and characteristics of network connections traversing it. The firewall is configured to distinguish legitimate packets for different types of connections. Only packets matching a known active connection are allowed to pass the firewall. (Stateful Firewall)
The definition of a stateless firewall is:
Stateless firewalls watch network traffic, and restrict or block packets based on source and destination addresses or other static values. They are not ‘aware’ of traffic patterns or data flows. A stateless firewall uses simple rule-sets that do not account for the possibility that a packet might be received by the firewall ‘pretending’ to be something you asked for. (Stateful vs Stateless Firewalls)
10.1.2. Firewall Flow
To better understand firewall rules it is necessary to have a look at how the system processes them.
In different stages the following operations are performed:
- PREROUTING: DNAT
- FORWARD: Firewall Rules for forwarding traffic between interfaces
- INPUT: Firewall Rules if the destination is the firewall itself (e.g. DNS Server, WebGUI)
- OUTPUT: Firewall Rules if the firewall itself is the source (answer from DNS Server, WebGUI)
- POSTROUTING: SNAT
We will look into each option throughout this chapter.
OUTPUT is not filtered in VT AIR. The firewall itself can always send out everything.
10.1.3. Firewall Processing
In VT AIR, the Global Firewall Rules are processed before any Interface Rule. First match wins and order matters.
10.1.4. Flowtable Bypass
Fig.1: Netfilter hooks and flowtable interactions
We use a feature called flowtable bypass which speeds up the firewall processing by a factor of 2. It bypasses the network stack for established connections and directly forwards traffic from the input interface to the output interface. It only works with stateful connections (TCP/UDP) and is activated after the first packet of a flow has established the connection. For a long-lived connection, flow offload is only active while actual traffic is seen: the connection reverts to normal processing when there has been no traffic for a few minutes, and is offloaded again as soon as new traffic is detected.
It is disabled for firewall rules that have logging or a limiter enabled since those features are not compatible with the flowtable bypass.
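The hook order from 10.1.2 and the offload exclusion described here, shown as an added illustrative nftables ruleset. It is not the configuration VT AIR generates; it assumes VT AIR's hooks map onto nftables chains, and the interface names lan0/wan0, the server address 192.0.2.10 and the ct mark value are invented:

```nft
# Constructed example: one table covering every stage listed in 10.1.2.
table inet filter {
    # Flowtable: established flows added here skip the forward chain entirely.
    flowtable ft {
        hook ingress priority 0
        devices = { lan0, wan0 }
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # PREROUTING: DNAT, publish an internal web server on the WAN side.
        iifname "wan0" tcp dport 443 dnat ip to 192.0.2.10:443
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # Only established TCP/UDP flows without the "keep visible" ct mark are
        # offloaded; the first packet of every connection still hits the rules.
        ct state established ct mark != 0x1 meta l4proto { tcp, udp } flow add @ft
        ct state established,related accept
        # First match wins: this logging rule decides for SSH before the generic
        # rule below. The ct mark keeps the whole connection off the flowtable so
        # a logger or limiter attached to this rule can still see its traffic.
        iifname "lan0" tcp dport 22 ct mark set 0x1 log prefix "ssh-out: " accept
        iifname "lan0" oifname "wan0" accept
    }

    chain input {
        type filter hook input priority filter; policy drop;
        # INPUT: services hosted on the firewall itself (DNS, WebGUI).
        ct state established,related accept
        iifname "lo" accept
        iifname "lan0" udp dport 53 accept
        iifname "lan0" tcp dport { 53, 443 } accept
    }

    chain output {
        # OUTPUT is not filtered: the firewall itself may send anything.
        type filter hook output priority filter; policy accept;
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # POSTROUTING: SNAT, masquerade LAN clients leaving via WAN.
        oifname "wan0" masquerade
    }
}
```

Load it with `nft -f` and verify with `nft list flowtables` that a plain LAN-to-WAN flow shows up in the flowtable while the marked SSH connection does not.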