Chapter 7. Session Handling

Table of Contents

7.1. Routing vs. Firewalling
7.2. Session Tracking
7.2.1. Session termination
7.3. Session Rules
7.3.1. Overview
7.3.2. Processing flow
7.3.3. Defining Rule-Sets and Rules
7.3.3.1. Recommended method of implementing firewalling
7.3.3.2. Changes to session traffic
7.3.3.3. Obfuscation
7.3.3.4. Graphing and traffic shaping
7.3.3.5. Configuring session time-outs
7.3.3.6. Load balancing
7.3.3.7. Clashes
7.3.3.8. NAT-PMP / PCP (Port Control Protocol)
7.4. Network Address Translation
7.4.1. When to use NAT
7.4.2. NAT ALGs
7.4.3. Setting NAT in rules
7.4.4. What NAT does
7.4.5. NAT with PPPoE
7.4.6. NAT with other types of external routing
7.4.7. Mixing NAT and non NAT
7.4.8. Carrier grade NAT
7.4.9. Using NAT setting on subnets

This chapter describes sessions, session-tracking, and how the rules for session creation can be used to implement Firewalling, subject specific traffic flows to traffic-shaping, and perform address mapping techniques including conventional Network Address Translation (NAT).

Session-tracking is also involved in the route override functionality of the FB6000 - this is covered in Section 8.6.

7.1. Routing vs. Firewalling

A network router is a device whose role is to forward packets entering the device out onto an appropriate physical interface, based primarily, or solely, on the destination IP address of the packets. Typically the source address of each packet is not considered in the forwarding decision.

A firewall on the other hand is a device whose primary role is to filter traffic based on specified criteria. Since most network communication between two end-points is bi-directional, any such filtering must correctly handle the packets flowing in both directions that constitute a specific end-to-end 'flow' (for connection-less protocols, such as UDP) or 'connection' (for connection-orientated protocols, such as TCP).

In practice, a firewall appliance will have to make routing decisions too.