A firewall is a network security system that controls the incoming and outgoing network traffic based on an applied rule set. A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is assumed not to be secure and trusted.
RansNet router OS uses the iptables engine built into the Linux kernel, together with some proprietary software, to enforce perimeter defense for customer networks. The key functions of RansNet's firewall capabilities are:
Access control. Deny/permit packets passing through your network.
IP address translation. Translate local private addresses when going out to the public Internet, or permit inbound access (port forwarding) to certain internal resources.
Stateful packet inspection. A stateful firewall remembers active connections, so return traffic is allowed automatically without explicit permit rules.
There are a few types of firewall rules, each used to achieve a different objective.
firewall-input. Permits or denies access to the mbox management services themselves (e.g. ssh, https). Use firewall-input rules to restrict management access to authorized sources only.
firewall-access. Permits or denies traffic passing through mbox (e.g. outbound from inside to outside, or inbound from outside to inside). There are two important behaviors of firewall-access rules:
When a packet reaches a firewall interface (either from inside or outside), the stateful firewall first checks whether the packet belongs to an existing session. If yes, it is permitted automatically; if no, the packet moves on to the routing table, access rules, address translation rules, and so on.
Any packet that neither belongs to an existing session nor is explicitly permitted by an access rule will be DROPPED.
Firewall rules are checked in top-down sequence. Once a rule is matched, no further rules are processed, so it is important to put the most frequently matched rules at the top for better performance.
firewall-dnat (change the destination address of an IP packet). This is typically for providing access from the Internet to internal hosts. mbox rewrites the packet's destination header (address or port number) as it passes through mbox (typical inbound access). There are two main scenarios:
Static NAT. One outside public IP translated to one internal IP. Typically for DMZ servers.
Port forwarding. One outside public IP translated to several internal IPs, where each internal host serves a different application (different protocol or port number).
firewall-snat (change the source address of IP packets). This is typically for providing access from the inside/private network to the Internet. mbox rewrites the packet's source header (address or port number) as it passes through mbox (typically for outbound access). The common implementation is also called Port Address Translation (PAT), which translates all internal hosts' IP addresses to a single public IP (the WAN interface IP address) but distinguishes each connection by port number.
firewall-set (manipulate packet header fields). This is typically for QoS/traffic-shaping purposes: it marks certain packet headers for further processing (by QoS rules or policy-based routing).
NOTE: NAT rules only modify packet addresses; they do not bypass access control. You must define both NAT and access rules for traffic to be allowed.
Understand Firewall Order of Operation
The diagram below illustrates how a packet is treated as it comes into and goes out of mbox.
NOTE: there is an implicit deny for each type of RansNet firewall rule: anything not explicitly permitted is denied. Only explicitly permitted traffic is passed on to the next operation, e.g. traffic (defined by proto/src/dst etc.) permitted by firewall-access is then processed by the firewall-snat rules.
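The following Python model is an added illustration of the order of operations described above (the stateful session check, the firewall-access behaviors, the DNAT/SNAT rule types, and the note that NAT never bypasses access control). It is not RansNet's or mbox's own code: the rule syntax, the addresses, the PAT port pool, and the placement of DNAT before the access check and SNAT after it (standard iptables chain order, PREROUTING, FORWARD, POSTROUTING) are assumptions made for the example. The packets and policy in demo() are constructed.

```python
# Added example (not RansNet/mbox code): toy model of the packet order of operations.
# Rule syntax, addresses, PAT port range and DNAT-before-access / SNAT-after-access
# ordering are assumptions for illustration (they follow iptables chain order).
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)


def in_net(ip: str, net: str) -> bool:
    """True if ip lies inside net (CIDR); the string 'any' matches everything."""
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


@dataclass(frozen=True)
class AccessRule:            # firewall-access: permit/deny, evaluated top-down
    action: str              # "permit" or "deny"
    proto: str = "any"
    src: str = "any"         # CIDR or "any"
    dst: str = "any"         # CIDR or "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto) and in_net(p.src, self.src)
                and in_net(p.dst, self.dst) and self.dport in (None, p.dport))


@dataclass(frozen=True)
class DnatRule:              # firewall-dnat: static NAT (public_port=None) or port forwarding
    public_ip: str
    internal_ip: str
    public_port: Optional[int] = None
    internal_port: Optional[int] = None


@dataclass(frozen=True)
class SnatRule:              # firewall-snat as PAT: src_net leaves as wan_ip with a fresh port
    src_net: str
    wan_ip: str


class Firewall:
    def __init__(self, access, dnat=(), snat=()):
        self.access, self.dnat, self.snat = list(access), list(dnat), list(snat)
        self.sessions = {}          # expected reply 5-tuple -> reply as the originator must see it
        self.next_pat_port = 40000  # assumed start of the PAT port pool

    def _apply_dnat(self, p: Packet) -> Packet:
        for r in self.dnat:
            if p.dst != r.public_ip:
                continue
            if r.public_port is None:                 # static NAT: every port of the address
                return replace(p, dst=r.internal_ip)
            if p.dport == r.public_port:              # port forwarding: this port only
                return replace(p, dst=r.internal_ip, dport=r.internal_port or p.dport)
        return p

    def _apply_snat(self, p: Packet) -> Packet:
        for r in self.snat:
            if in_net(p.src, r.src_net):
                port, self.next_pat_port = self.next_pat_port, self.next_pat_port + 1
                return replace(p, src=r.wan_ip, sport=port)
        return p

    def process(self, p: Packet):
        """Return (verdict, packet as forwarded), or (verdict, None) when dropped."""
        # 1. Stateful check: replies to known sessions skip every rule set.
        if p.key() in self.sessions:
            return "permit-established", self.sessions[p.key()]
        # 2. DNAT rewrites the destination before the access rules see the packet.
        after_dnat = self._apply_dnat(p)
        # 3. Access rules, top-down, first match wins; no match means implicit deny.
        verdict = "drop-implicit"
        for rule in self.access:
            if rule.matches(after_dnat):
                verdict = rule.action
                break
        if verdict != "permit":
            return verdict, None              # a DNAT rule alone never lets traffic through
        # 4. SNAT applies only to traffic the access rules permitted.
        final = self._apply_snat(after_dnat)
        # 5. Record the session so the reply is permitted and translated back.
        expected_reply = (p.proto, final.dst, final.dport, final.src, final.sport)
        self.sessions[expected_reply] = Packet(p.proto, p.dst, p.dport, p.src, p.sport)
        return "permit", final


def demo():
    """Constructed packets through a constructed policy (documentation address ranges)."""
    fw = Firewall(
        access=[
            AccessRule("deny", "tcp", "192.168.1.0/24", "any", 25),    # matched first: no direct SMTP
            AccessRule("permit", "tcp", "192.168.1.0/24", "any"),      # LAN to anywhere else
            AccessRule("permit", "tcp", "any", "192.168.1.10", 443),   # Internet to DMZ web server
        ],
        dnat=[
            DnatRule("203.0.113.5", "192.168.1.10", 443, 443),   # port forward HTTPS to the DMZ
            DnatRule("203.0.113.5", "192.168.1.10", 22, 22),     # DNAT with no matching access rule
        ],
        snat=[SnatRule("192.168.1.0/24", "203.0.113.5")],
    )
    r = {}
    r["outbound"] = fw.process(Packet("tcp", "192.168.1.20", 51000, "198.51.100.7", 80))
    r["outbound_reply"] = fw.process(Packet("tcp", "198.51.100.7", 80, "203.0.113.5", 40000))
    r["outbound_smtp"] = fw.process(Packet("tcp", "192.168.1.20", 51001, "198.51.100.7", 25))
    r["inbound_https"] = fw.process(Packet("tcp", "198.51.100.9", 33000, "203.0.113.5", 443))
    r["dmz_reply"] = fw.process(Packet("tcp", "192.168.1.10", 443, "198.51.100.9", 33000))
    r["inbound_ssh"] = fw.process(Packet("tcp", "198.51.100.9", 33001, "203.0.113.5", 22))
    return r


if __name__ == "__main__":
    for name, (verdict, pkt) in demo().items():
        print(f"{name:15s} {verdict:18s} {pkt}")
```

Running demo() shows the outbound flow leaving as 203.0.113.5:40000 and its reply being accepted by state alone and translated back to 192.168.1.20:51000; the SMTP packet hitting the deny rule before the broader permit (first match wins); the HTTPS port forward reaching 192.168.1.10 because an access rule permits it; and the SSH packet, which has a DNAT rule but no access rule, being dropped by the implicit deny.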