On the FW, you can use the CLI to configure whether packets that match the STUN server map table are permitted.
Generating server map entries through ASPF/ALG imposes fewer restrictions on the 5-tuple session information. Some ports become reachable during packet forwarding, which introduces security risks. Therefore, when the user-defined ASPF/ALG function is configured, the ACL rules that match the traffic should be as precise as possible. For packets that have server map entries, the FW does not perform a security policy check; however, the forwarding of specific packets can still be blocked through configuration.
This function applies only to STUN-type protocols, such as QQ and MSN, and to user-defined protocols.
The following example shows how to block communication between user 10.1.1.1 in the Trust zone and QQ in the Untrust zone.
<FW> system-view
[FW] firewall interzone trust untrust
[FW-interzone-trust-untrust] detect qq
[FW-interzone-trust-untrust] quit
[FW] acl 3000
[FW-acl-adv-3000] rule deny source 10.1.1.1 0
[FW-acl-adv-3000] quit
Strictly define the matching scope of the ACL rules so that packets matching the STUN server map table are filtered with finer-grained control.
Traffic matching a rule with the action permit can be forwarded based on the server map table. Traffic matching a rule with the action deny, however, is discarded, even if the traffic matches the server map table.
[FW] firewall interzone trust untrust
[FW-interzone-trust-untrust] aspf packet-filter 3000 outbound
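The following is an added model (not Huawei code) of the forwarding decision described above: a packet that hits a STUN server map entry skips the security policy but is still subject to the aspf packet-filter ACL, where a deny rule discards it. It assumes Huawei-style wildcard masks (a 1 bit means "don't care"), first-match rule evaluation, and a permit when no rule matches; the FW's real default action is not stated on this page. The server map entry and the security policy are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable

@dataclass(frozen=True)
class AclRule:
    action: str    # "permit" or "deny"
    source: str    # source address in the rule, e.g. "10.1.1.1"
    wildcard: str  # wildcard mask, e.g. "0" (exact host) or "0.0.0.255"

def _wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    if wildcard == "0":              # CLI shorthand for 0.0.0.0 (exact host)
        wildcard = "0.0.0.0"
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (r & care)

def acl_action(rules: Iterable[AclRule], src: str) -> str:
    """First matching rule wins; no match is treated as permit (assumption)."""
    for rule in rules:
        if _wildcard_match(src, rule.source, rule.wildcard):
            return rule.action
    return "permit"

def forward_decision(src: str, dst: str, dport: int, server_map: set,
                     acl_rules: Iterable[AclRule],
                     security_policy: Callable[[str, str, int], str]) -> str:
    """Return 'forward' or 'drop' for one outbound packet.

    server_map: set of (dst_ip, dst_port) entries created by ASPF/ALG.
    security_policy: callable (src, dst, dport) -> 'permit' | 'deny'.
    """
    if (dst, dport) in server_map:
        # Server map hit: the security policy is not consulted, but the
        # aspf packet-filter ACL still applies and a deny discards the packet.
        return "forward" if acl_action(acl_rules, src) == "permit" else "drop"
    # No server map entry: the normal security policy check decides.
    return "forward" if security_policy(src, dst, dport) == "permit" else "drop"

# Constructed sample data (hypothetical, not from the page).
ACL_3000 = [AclRule("deny", "10.1.1.1", "0")]   # mirrors "rule deny source 10.1.1.1 0"
SERVER_MAP = {("203.0.113.10", 8000)}            # one STUN server map entry

def deny_all_policy(src: str, dst: str, dport: int) -> str:
    """Constructed security policy that denies everything not in the server map."""
    return "deny"
```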
This function is also supported within a single zone. Run the firewall zone [ name ] zone-name command to enter the zone view, and then enable packet filtering based on the STUN server map.