This is a concise description of the firewall in the Alcatel Speed Touch 510 ADSL modem-router. It does not say how to set up the firewall but I wrote the description to help my own understanding of how to use the rather detailed Alcatel CLI Reference Guide (http://www.speedtouch.com/support.htm).
A firewall is a gateway that controls access between two networks. Often this is between a private LAN and the public Internet (the WAN). The firewall only allows authorized traffic to pass. It may be an element in securing a network, but traffic that is allowed through by the firewall, and the applications that use that traffic, usually need to be subject to further security measures.
The ST510 firewall is a packet filter. That is, it blocks the passage of certain packets based on their headers. It is not stateful and so cannot connect its decisions directly with other packets or with other decisions. Hence the firewall examines every packet separately to determine whether or not to forward it toward its destination. If a packet is not accepted, it is either silently dropped, or it is denied in a way that sends back an error message to the source to say that this has happened.
The packets passing through the router are examined at certain Packet Interception Points (PIPs). At every PIP it passes, a packet is checked against a series (a "chain") of firewall rules. When a rule matches the packet the packet may be accepted (and passed on); denied or dropped (which are final decisions); counted (checking then continues); or sent to another chain (and if that chain makes no decision checking continues down the current chain). If, finally, no rule matches the packet it is accepted anyway.
Each firewall rule compares data in the packet with rule parameters. The parameters allow checks on packets according to (i) source and destination interfaces; (ii) IP-related criteria such as protocol type, source and destination addresses; and (iii) protocol-specific TCP, UDP and ICMP criteria (e.g. source port, destination port and ICMP type).
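As an added illustration (not from the Alcatel guide or the router's own code), the chain semantics just described can be modelled directly: accept, deny and drop are final; count increments a counter and checking continues; a jump to another chain returns to the current chain if the sub-chain makes no decision; and a packet that matches nothing is accepted. The rule set, the packets and the chain names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:
    src_if: str                      # interface the packet arrived on
    proto: str                       # tcp | udp | icmp
    dport: int = 0                   # TCP/UDP destination port
    icmp_type: int = -1              # ICMP type (8 = echo request)

@dataclass
class Rule:
    action: str                      # accept | deny | drop | count | chain
    match: dict = field(default_factory=dict)  # packet field -> required value
    chain: Optional[str] = None      # target chain when action == "chain"

def matches(rule: Rule, pkt: Packet) -> bool:
    return all(getattr(pkt, k) == v for k, v in rule.match.items())

def run_chain(chains, name, pkt, counters):
    """Walk one chain; return accept/deny/drop, or None if no final decision."""
    for rule in chains[name]:
        if not matches(rule, pkt):
            continue
        if rule.action in ("accept", "deny", "drop"):
            return rule.action                        # final decisions
        if rule.action == "count":
            counters[name] = counters.get(name, 0) + 1  # then keep checking
        elif rule.action == "chain":
            verdict = run_chain(chains, rule.chain, pkt, counters)
            if verdict is not None:
                return verdict                        # sub-chain decided
    return None                                       # fell off the end

def filter_at_pip(chains, pip, pkt, counters):
    return run_chain(chains, pip, pkt, counters) or "accept"  # default accept

# Constructed rule set for the sink PIP: count everything, send WAN traffic
# through a sub-chain protecting the router's own services, drop WAN pings.
CHAINS = {
    "sink": [
        Rule("count"),
        Rule("chain", {"src_if": "wan"}, chain="wan_services"),
        Rule("drop", {"src_if": "wan", "proto": "icmp", "icmp_type": 8}),
    ],
    "wan_services": [
        Rule("deny", {"proto": "tcp", "dport": 23}),   # telnet
        Rule("deny", {"proto": "tcp", "dport": 80}),   # http
    ],
}

def verdict(pkt: Packet) -> str:
    return filter_at_pip(CHAINS, "sink", pkt, {})
```

A WAN packet to UDP port 53 is accepted here only because no rule matches it, which is exactly the default-accept behaviour that makes a final catch-all rule worth considering at each PIP.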
If you enable the router's network address and port translation (NAPT), a packet passing through the router may have its IP addresses and port numbers changed. Firewall rules have to take this into account.
The following figure shows a model of the firewall:
The filled squares are the Packet Interception Points. The open circles are the NAPT modules. These and the other structures in the model are described below.
Note that there are no physical interfaces in the model. However, you may think of the router as comprising two instances of the model, mirror imaged left-to-right, connected between the WAN and LAN interfaces. One instance deals with WAN-to-LAN traffic and the other deals with LAN-to-WAN traffic.
The local host is the router's own host, which runs the router's internal services: telnet, http and ftp servers, plus DNS and DHCP. It needs firewall protection as much as any other computer on the LAN.
The routing modules are responsible for routing traffic inside the firewall model.
There are five Packet Interception Points (also sometimes called hooks).
| PIP | Description |
| --- | --- |
| Input | The point through which all incoming traffic passes, whether from WAN or from LAN. At this point rules can determine whether a packet is allowed to proceed to the router, or to the local host. |
| Sink | The point through which all traffic passes intended for the local host. At this point rules can determine whether a packet is allowed to reach the router's internal services. |
| Forward | The point through which all traffic passes to be forwarded by the router. At this point rules can determine whether the router is allowed to handle (i.e. route) a packet. |
| Source | The point through which all traffic passes that is generated by the router's internal services. At this point rules can determine whether a packet is allowed to leave the local host. |
| Output | The point through which all outgoing traffic passes, destined for the WAN or for the LAN. At this point rules can determine whether a packet is allowed to leave the router. |
Note that the input PIP may receive packets from either of the physical interfaces (from the WAN or from the LAN). Similarly, the output PIP may send packets either to the WAN or to the LAN, and the forward PIP handles traffic in both directions.
The NAPT modules are responsible for the translation of IP addresses and TCP/UDP port numbers. They operate cooperatively in pairs whenever translation is enabled on a particular physical interface.
| Module | Description |
| --- | --- |
| Dynamic NAPT module | A dynamic NAPT module intercepts new connections going out through its interface, does address and port translation, sends out translated packets and sets up rules for its partner, a static NAPT module, to intercept and un-translate associated response traffic. |
| Static NAPT module | A static NAPT module intercepts responses associated with new connections set up through its partner dynamic NAPT module, un-translates address and port numbers and sends the packets on into the router. It also operates the static NAPT rules that the administrator sets up to permit specified non-associated traffic. |
When you set up translation on one physical interface (typically the WAN), the two NAPT modules that get enabled are those attached to that interface. The other two NAPT modules just pass packets through without modification. Thus each mirror-imaged instance of the model will typically have only one of its NAPT modules enabled. A dynamic NAPT module deals only with traffic going out on its own physical interface, and its static partner deals only with traffic coming in on the same interface.
When you set up firewall rules at a particular PIP, you may need to know whether the packets that pass through contain IP addresses and port numbers that are translated or not.
The information here is based on the description of the firewall in the Alcatel Speed Touch Pro + Firewall user guide. The author has adapted it to the Speed Touch 510 according to his understanding, and any errors and omissions are his fault. The author disclaims all responsibility for any consequences arising from the use of this document, to the extent permissible by applicable law.
John A. Phillips, 16th July 2002.