"Call filter" and "Data filter", firewall clarification wanted please

 
 
tinnews@isbd.co.uk

 
      04-13-2008, 12:08 PM
My new Draytek Vigor 2820n has what it calls "Call Filter" and "Data
Filter" in its firewall setup. The manual says:-

Call Filter - When there is no existing Internet connection, Call
Filter is applied to all traffic, all of which should be outgoing.
It will check packets according to the filter rules. If legal,
the packet will pass. Then the router shall “initiate a call”
to build the Internet connection and send the packet to Internet.

Data Filter - When there is an existing Internet connection, Data
Filter is applied to incoming and outgoing traffic. It will check
packets according to the filter rules. If legal, the packet will
pass the router.


I don't really follow the above, can anyone clarify or point me at a
fuller explanation somewhere please? In particular what does it mean
(in this context) by an "Internet connection"? Does it mean the state
of the ADSL connection - that doesn't really make sense because it's
always up unless something has gone wrong. Alternatively does it mean
a particular 'conversation' with a remote system - still doesn't make
much sense to me because (for example) UDP is stateless so there is no
concept of a connection, and why should only outgoing traffic be
allowed?

All in all I'm confused! :-)

I have set up the firewall quite successfully by setting up the Data
Filter with the rules I used for previous routers, that seems to have
produced the result I want. I have ignored the Call Filter.


--
Chris Green
 
 
 
 
 
Chris Davies

 
      04-15-2008, 08:21 AM
(E-Mail Removed) wrote:
> My new Draytek Vigor 2820n has what it calls "Call Filter" and "Data
> Filter" in its firewall setup. The manual says:-


> Call Filter - When there is no existing Internet connection, Call
> Filter is applied to all traffic, all of which should be outgoing. It
> will check packets according to the filter rules. If legal, the packet
> will pass. Then the router shall “initiate a call” to build the
> Internet connection and send the packet to Internet.


This is for a situation where the router has not yet established the ADSL
connection to your ISP. It allows you to control which traffic should
initiate this connection. (Think of time-based charging such as ISDN,
or where there is a call setup charge and/or traffic costs are so high
that you don't want to establish a connection unnecessarily.)


> Data Filter - When there is an existing Internet connection, Data
> Filter is applied to incoming and outgoing traffic. It will check
> packets according to the filter rules. If legal, the packet will pass
> the router.


Once a connection has been made, you may not worry too much about what
data passes over the link. This ruleset allows you to determine what
traffic is allowed through the router.


> In particular what does it mean (in this context) by an "Internet
> connection"? Does it mean the state of the ADSL connection


Yes


> I have set up the firewall quite successfully by setting up the Data
> Filter with the rules I used for previous routers, that seems to have
> produced the result I want. I have ignored the Call Filter.


Sounds about right. Not that I have a Draytek, though (I'm basing my
answers on "old fashioned" ppp with dial-on-demand).

Chris
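
Added example (not part of the original posts, and not DrayTek's code): a simplified Python model of the manual text quoted above, showing that the Call Filter is only consulted while the WAN link is down, so on an always-on line every packet is judged by the Data Filter alone. The rule fields, the default-pass action and the sample rules are assumptions made for illustration.

```python
# Added illustration, not DrayTek firmware: a simplified model of the manual text
# quoted in the thread. Rule fields and the default action are assumptions.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = LAN to WAN, "in" = WAN to LAN
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str  # "pass" or "block"
    direction: str
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))

def evaluate(rules, pkt, default="pass"):
    """First matching rule wins; unmatched packets get the default (assumed)."""
    return next((r.action for r in rules if r.matches(pkt)), default)

class Router:
    def __init__(self, call_filter, data_filter, link_up=False):
        self.call_filter, self.data_filter = call_filter, data_filter
        self.link_up = link_up

    def handle(self, pkt):
        """Return (verdict, filter consulted); may bring the WAN link up."""
        if self.link_up:
            return evaluate(self.data_filter, pkt), "data"
        if pkt.direction != "out":
            return "block", "none"  # nothing arrives from the WAN while the link is down
        verdict = evaluate(self.call_filter, pkt)
        if verdict == "pass":
            self.link_up = True  # the router "initiates a call" and sends the packet
        return verdict, "call"

# Constructed sample rules (hypothetical, not taken from any router's defaults)
CALL_FILTER = [Rule("block", "out", "udp", 137)]  # NetBIOS chatter must not dial
DATA_FILTER = [Rule("block", "in", "tcp", 23)]    # no inbound telnet
```

Once the link is up, the outbound NetBIOS packet that the Call Filter refused is passed by this Data Filter, so anything that must stay blocked on an always-on connection has to be a Data Filter rule.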
 
 
tinnews@isbd.co.uk

 
      04-15-2008, 09:16 AM
Chris Davies <chris-(E-Mail Removed)> wrote:
> (E-Mail Removed) wrote:
> > My new Draytek Vigor 2820n has what it calls "Call Filter" and "Data
> > Filter" in its firewall setup. The manual says:-

>
> > Call Filter - When there is no existing Internet connection, Call
> > Filter is applied to all traffic, all of which should be outgoing. It
> > will check packets according to the filter rules. If legal, the packet
> > will pass. Then the router shall “initiate a call” to build the
> > Internet connection and send the packet to Internet.

>
> This is for a situation where the router has not yet established the ADSL
> connection to your ISP. It allows you to control which traffic should
> initiate this connection. (Think of time-based charging such as ISDN,
> or where there is a call setup charge and/or traffic costs are so high
> that you don't want to establish a connection unnecessarily.)
>

Ah, OK, it does mean what it says then. It's just rather strange in
the UK/ADSL situation where connections are nearly all "always on". I
think, as you say, it's probably mostly for ISDN and such (which some
varieties of the 2820 do support) where the router does initiate
connections on a frequent basis.

>
> > Data Filter - When there is an existing Internet connection, Data
> > Filter is applied to incoming and outgoing traffic. It will check
> > packets according to the filter rules. If legal, the packet will pass
> > the router.

>
> Once a connection has been made, you may not worry too much about what
> data passes over the link. This ruleset allows you to determine what
> traffic is allowed through the router.
>

Yes, my guess that it was this section where I should put my 'normal'
firewall rules seems to be working.

>
> > In particular what does it mean (in this context) by an "Internet
> > connection"? Does it mean the state of the ADSL connection

>
> Yes
>
>
> > I have set up the firewall quite successfully by setting up the Data
> > Filter with the rules I used for previous routers, that seems to have
> > produced the result I want. I have ignored the Call Filter.

>
> Sounds about right. Not that I have a Draytek, though (I'm basing my
> answers on "old fashioned" ppp with dial-on-demand).
>

Yes, as I said it seems to be doing what I want.

It's just that all previous ADSL routers I have set up (that's three
different ones) just had one set of firewall rules which, in the above
classification, would be "Data Filter". If the manual had made it
clear that the "Data Filter" was the one I should be doing things to
for an "always on" connection I'd have had no trouble.

Thanks for the help.

--
Chris Green
 
 
 
 