McAfee® Host Intrusion Prevention 6.1 Product Guide, Firewall Policies, Overview (chapter 5), page 72
If you placed the more general Block Rule higher than the more specific Permit Rule, Host Intrusion Prevention would match the HTTP request from 10.10.10.1 against the Block Rule before it reached the exception. It would block the traffic, even though you actually wanted to allow HTTP requests from this address.
How stateful filtering works
Stateful filtering processes each packet against two rule sets: a configurable firewall rule set and a dynamic firewall rule set, the state table.
The configurable rules have two possible actions:
  Allow: the packet is permitted and an entry is made in the state table.
  Block: the packet is blocked and no entry is made in the state table.
The state table entries result from network activity and reflect the state of the network stack. Each rule in the state table has only one action, Allow, so any packet matched to a rule in the state table is automatically permitted.
The filtering process includes these steps:
1 The firewall compares an incoming packet against entries in the state table. If the packet matches any entry in the table, the packet is immediately allowed. If not, the configurable firewall rules list is examined.
2 If the packet matches an allow rule, it is allowed and an entry is created in the state table.
3 If the packet matches a block rule, it is blocked.
4 If the packet does not match any configurable rule, it is blocked.
Note: A state table entry is considered a match if the Protocol, Local Address, Local Port, Remote Address and Remote Port match those of the packet.
Figure 5-2 Stateful filtering process
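The following is an added example, not code from McAfee or the product guide, that models the four-step filtering process above and the rule-ordering pitfall described at the top of this page. The Rule and Packet fields, the wildcard convention (None matches anything) and the sample addresses are assumptions made for the illustration; the state-table match uses the five fields named in the Note.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# A packet is identified by the five fields the Note says a state-table
# entry must match; frozen so it can be stored in a set.
@dataclass(frozen=True)
class Packet:
    proto: str
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int

# A configurable rule (hypothetical simplified syntax): None is a wildcard.
@dataclass
class Rule:
    action: str                       # "allow" or "block"
    proto: Optional[str] = None
    remote_addr: Optional[str] = None
    local_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == have for want, have in (
            (self.proto, p.proto),
            (self.remote_addr, p.remote_addr),
            (self.local_port, p.local_port)))

class StatefulFilter:
    def __init__(self, rules: List[Rule]):
        self.rules = rules                    # evaluated top-down, first match wins
        self.state_table: Set[Packet] = set() # dynamic rules; every entry means allow

    def filter(self, p: Packet) -> str:
        # Step 1: the state table is checked first; a 5-tuple match is allowed at once.
        if p in self.state_table:
            return "allow (state table)"
        # Steps 2-4: walk the configurable rules. An allow rule adds a state-table
        # entry, a block rule adds nothing, and an unmatched packet is blocked.
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow":
                    self.state_table.add(p)
                    return "allow (rule)"
                return "block (rule)"
        return "block (no matching rule)"

# Constructed sample: the specific Permit Rule for 10.10.10.1 above a general
# Block Rule for HTTP (correct order), and the same two rules reversed.
CORRECT = [Rule("allow", "tcp", "10.10.10.1", 80), Rule("block", "tcp", None, 80)]
REVERSED = [Rule("block", "tcp", None, 80), Rule("allow", "tcp", "10.10.10.1", 80)]
HTTP_FROM_TRUSTED = Packet("tcp", "192.168.1.5", 80, "10.10.10.1", 51000)
```

With the rules in the correct order the first request from 10.10.10.1 is allowed by the rule and every later packet of that connection is allowed from the state table; with the order reversed the general Block Rule wins and no state entry is ever created.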