AWS network-firewall medium security documentation change
Summary
Clarified behavior of 'Drop established' to specify client-server direction and allow server-client return traffic. Updated protocol handling reference from Suricata to Network Firewall.
Security assessment
The change clarifies firewall behavior for established connections, explicitly allowing server-to-client return traffic. This impacts security configurations by preventing unintended blocking of legitimate return traffic while maintaining protection. The update provides more precise security control documentation.
Diff
diff --git a/network-firewall/latest/developerguide/suricata-rule-evaluation-order.md b/network-firewall/latest/developerguide/suricata-rule-evaluation-order.md index 49e2e31f2..e8c0e2794 100644 --- a//network-firewall/latest/developerguide/suricata-rule-evaluation-order.md +++ b//network-firewall/latest/developerguide/suricata-rule-evaluation-order.md @@ -71 +71 @@ _Choose none or one. You can't choose both._ - * **Drop established** – Drops only the packets that are in established connections. This allows the layer 3 and 4 connection establishment packets that are needed for the upper-layer connections to be established, while dropping the packets for connections that are already established. This allows application-layer _pass_ rules to be written in a default-deny setup without the need to write additional rules to allow the lower-layer handshaking parts of the underlying protocols. + * **Drop established** – Drops only the packets that are in established connections from client to server. This allows the layer 3 and 4 connection establishment packets that are needed for the upper-layer connections to be established, while dropping the packets for connections that are already established. This allows application-layer _pass_ rules to be written in a default-deny setup without the need to write additional rules to allow the lower-layer handshaking parts of the underlying protocols. Packets from established connections from the server to the client are passed to allow return traffic from established connections back to the client. @@ -75 +75 @@ Choose this option when using strict order for your own domain list rule groups -For other protocols, such as UDP, Suricata considers the connection established only after seeing traffic from both sides of the connection. For connectionless protocols, such as UDP and ICMP, the `drop` established action drops all packets. You must write specific rules to allow these packets as needed. +For other protocols, such as UDP, Network Firewall considers the connection established only after seeing traffic from both sides of the connection. For connectionless protocols, such as UDP and ICMP, the `drop` established action drops all packets. You must write specific rules to allow these packets as needed.