No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Packet Filtering Firewall

Packet Filtering Firewall

A packet filtering firewall uses access control lists (ACLs) to filter packets based on the upper-layer protocol ID, source and destination IP addresses, source and destination port numbers, and packet transmission direction.

When receiving an IP datagram, the firewall obtains the packet header, and then compares the packet header information with ACL rules to determine whether to forward or discard the IP datagram. Figure 6-2 shows how packet filtering is implemented on the firewall.

Figure 6-2  Packet filtering firewall

Packet Filtering Firewall on the Device

The device supports packet filtering firewall and can filter the following packets:
  • Common IP packets: The firewall checks the source and destination IP addresses, source and destination port numbers, and protocol IDs of IP packets against an ACL. It forwards the packets permitted by the ACL and discards the packets denied by the ACL. The information that the firewall checks is contained in the IP, TCP, or UDP header.
  • Fragment packets: The firewall can identify the packet types, including non-fragment packets, initial fragment packets, and non-initial fragment packets.

    When receiving the initial fragment of a packet, the firewall compares Layer 3 and Layer 4 information of the initial fragment with the ACL. If the fragment is permitted by the ACL, the firewall records information about this fragment and creates a matching table for the following fragments. When the following fragments arrive, the firewall directly forwards them according to the matching table.

    In addition, the firewall has a default method to process the packets that do not match the ACL. The default method can be set by users.

Updated: 2019-08-07

Document ID: EDOC1100034077

Views: 137562

Downloads: 248

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next