Understanding Match State in Firewall Rules
The Match State setting in a firewall rule selects which connection-tracking states the rule matches; the rule's action (allow, reject or drop) is then applied only to traffic in those states. In your case, the selected states are Established and Related. Here’s an explanation of the available options:
New
- Refers to a brand-new connection that is being initiated.
- If selected, the rule applies to traffic attempting to establish a new connection.
Example: A device in the IoT network tries to start a new connection with a device in the LAN network.
Invalid
- Refers to traffic that doesn’t match any known connection or protocol state.
- Usually used to drop malformed packets or packets that cannot be tracked.
Example: A corrupted packet from the IoT network that doesn’t correspond to a valid connection.
Established
- Refers to traffic that is part of an already-established connection.
- Matching this state lets traffic keep flowing, in both directions, for connections that were previously allowed.
Example: A device in the IoT network has an active session with a LAN device, and this rule permits the continuation of that session.
Related
- Refers to traffic belonging to a separate connection that the firewall recognises as spawned by an already-established one, so it is not part of the same session.
- Used for protocols that need more than one connection, such as FTP or VoIP, where additional ports or sessions are opened for the communication.
Example: An IoT device starts an FTP connection to a LAN device, and the FTP protocol opens additional related data channels.
Why Use Established and Related?
- By selecting Established and Related, the rule allows ongoing connections and any additional related traffic, but it does not allow new connections to be initiated.
- This approach enhances security by preventing devices in the IoT network from initiating new connections to devices in the LAN network, while still allowing replies and related traffic for connections that the LAN network itself established.
If you want to enable new connections from IoT devices, you would also need to check the New option, but this could introduce security risks by allowing unrestricted communication initiation from less-secure IoT devices.
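To make the four states and the resulting verdicts concrete, here is an added Python example (not code from the page or from any firewall vendor) that simulates a minimal connection tracker and applies the two policy rules described above: IoT to LAN accepts only Established and Related, while the LAN may initiate connections to IoT. The subnets, hosts, ports and the FTP PORT command in the scenario are constructed for the demonstration; the tracker only models TCP and the active-mode FTP helper, which is enough to show how a data channel becomes Related.

```python
"""Toy connection tracker illustrating New / Established / Related / Invalid.

Added example; not the firewall's own implementation. The networks, hosts,
ports and payloads below are constructed for the demonstration.
"""
import ipaddress
import re
from dataclasses import dataclass

IOT_NET = ipaddress.ip_network("192.168.50.0/24")   # constructed: IoT VLAN
LAN_NET = ipaddress.ip_network("192.168.10.0/24")   # constructed: trusted LAN

# Active-mode FTP: the client announces "PORT h1,h2,h3,h4,p1,p2" on the control channel
FTP_PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""      # TCP flags, e.g. "S" for SYN, "SA" for SYN-ACK, "A" for ACK
    payload: str = ""    # application data; only the FTP PORT command is interpreted


class ConnTracker:
    """Minimal stand-in for the kernel's connection-tracking table."""

    def __init__(self):
        self.conns = set()      # 4-tuples of accepted flows, originator direction
        self.expected = set()   # (server_ip, client_ip, client_port) announced data channels

    def classify(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.conns or rev in self.conns:
            return "ESTABLISHED"            # either direction of a tracked flow
        if (pkt.src, pkt.dst, pkt.dport) in self.expected:
            return "RELATED"                # secondary channel announced by a helper
        if "S" not in pkt.flags or "A" in pkt.flags:
            return "INVALID"                # TCP that is neither tracked nor a fresh SYN
        return "NEW"

    def track(self, pkt: Packet, state: str) -> None:
        """Record a flow once the firewall has accepted its first packet."""
        if state in ("NEW", "RELATED"):
            self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            self.expected.discard((pkt.src, pkt.dst, pkt.dport))
        if pkt.dport == 21:                 # FTP helper watching the control channel
            m = FTP_PORT_RE.search(pkt.payload)
            if m:
                h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
                client_ip = f"{h1}.{h2}.{h3}.{h4}"
                self.expected.add((pkt.dst, client_ip, p1 * 256 + p2))


def in_net(ip: str, net: ipaddress.IPv4Network) -> bool:
    return ipaddress.ip_address(ip) in net


def verdict(pkt: Packet, state: str) -> str:
    """The two rules from the text: IoT->LAN matches only Established/Related."""
    if in_net(pkt.src, IOT_NET) and in_net(pkt.dst, LAN_NET):
        return "ACCEPT" if state in ("ESTABLISHED", "RELATED") else "DROP"
    if in_net(pkt.src, LAN_NET) and in_net(pkt.dst, IOT_NET):
        return "DROP" if state == "INVALID" else "ACCEPT"   # LAN may initiate
    return "DROP"


def run(packets):
    """Return (state, verdict) for each packet, updating the tracker on accept."""
    ct = ConnTracker()
    results = []
    for pkt in packets:
        state = ct.classify(pkt)
        v = verdict(pkt, state)
        if v == "ACCEPT":
            ct.track(pkt, state)
        results.append((state, v))
    return results


# Constructed scenario: an IoT host (.50.10) and a LAN host (.10.20)
SCENARIO = [
    Packet("192.168.50.10", 40000, "192.168.10.20", 22, "S"),              # IoT tries SSH to LAN
    Packet("192.168.10.20", 50000, "192.168.50.10", 21, "S"),              # LAN opens FTP control
    Packet("192.168.50.10", 21, "192.168.10.20", 50000, "SA"),             # IoT's reply
    Packet("192.168.10.20", 50000, "192.168.50.10", 21, "A",
           "PORT 192,168,10,20,195,89"),                                   # client announces data port 50009
    Packet("192.168.50.10", 20, "192.168.10.20", 50009, "S"),              # IoT opens the data channel
    Packet("192.168.50.10", 33333, "192.168.10.20", 80, "A"),              # stray ACK, never tracked
]


def demo():
    return run(SCENARIO)


if __name__ == "__main__":
    for pkt, (state, v) in zip(SCENARIO, demo()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {state:<11} {v}")
```

Running the scenario shows the IoT host's own SYN dropped as New, the reply and data channel of the LAN-initiated FTP session accepted as Established and Related, and the untracked ACK classified Invalid and dropped. Real connection tracking keeps timeouts, TCP window checks and per-protocol helpers that this toy omits, but the order of the checks (tracked flow, then expectation, then SYN sanity) is the same idea.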