mbox firewall overview
In computing, a firewall is a network security system that controls the incoming and outgoing network traffic based on an applied rule set. A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is assumed not to be secure and trusted.
Similar to many commercial stateful firewall appliances, mbox utilizes sophisticated iptables engine built-into Linux kernel, together with some proprietary software to enforce strong perimeter defence for customer networks. The key functions of mbox firewalling capabilities are:
- stateful packet inspection
- access control
- IP address translation
There are a few key terminologies we need to understand as part of the configuration.
firewall-input. This is for permit/deny access to mbox services itself (eg. ssh, http)
firewall-access. This is for permit/deny traffic passing through mbox (eg. from inside to outside). There are two important behaviors of a firewall-access rules.
- when a packet reaches a firewall interface (either from inside or outside), the stateful firewall will check if the packet belongs to an existing session. if yes, it’s permitted automatically; if no, it will move on to check on the routing table, access rule, address translation rules etc etc.
- any packets not belong to an existing session, neither explicitly permitted by access rules, will be DROPPED
- firewall rules are checked in top-down sequence. once a rule is matched, it will not process further down to other rules. so it’s important to put more frequently used rules on the top for better performance.
firewall-dnat (change destination address of IP packet). This is typically for providing access from Internet to internal hosts. mbox changes packet destination headers (address or port number) as it passes through mbox (typical inbound access). There are two main scenarios:
- Static NAT. One outside public IP to one internal IP translation. Typically for DMZ servers.
- Port forwarding. One outside public IP but a few internal IP translations, but each internal host serves different applications (different protocol or port numbers).
firewall-snat (change source address of IP packets). This typically for providing access from inside/private network to Internet. mbox changes packet source header (address or port number) as it passes through mbox (typically for outbound access). Common implementation is also called Port Access Translation (PAT), which translates all internal hosts IP addresses to a single public IP (WAN interface IP addresses) but differentiate each connections by port numbers.
firewall-set (manipulate packet header fields). This is typically for QoS/traffic-shaping purpose by marking certain headers of the packet for further processing (by QoS rules or policy-based routing).
It is important to note that firewall-dnat/snat/set rules only change packet headers. In order for a packet to pass through mbox, it still has to be permitted by access rules. So firewall-dnat/snat/set rules must be used together with access rules.
Understand Firewall Order of Operation
Diagram below illustrates how a packet is treated when it comes in and out from mbox.