EasyManua.ls Logo

Digi TransPort WR31 - Page 704

Digi TransPort WR31
866 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Loading...
Configure security settings Firewall
Digi TransPort WR Routers User Guide 699
Filtering on TCP flags
An ip-object can be followed by an optional [flags] field.
[flags]
Filters based on any combination of TCP flags. The [flags] field specifies the flags to check and
consists of the flags keyword followed by a string specifying the flags themselves. Each letter in
this string represents a particular flag type as listed below:
These flag codes allow the filter to check any combination of flags.
Following on from the previous example, to block packets that have all the flags set you would need
to precede the pass rule with the following block rule:
block break end from any to 10.1.2.0/24 port=telnet flags frspua
Here, the list of flags causes the router to check that those flags are set. This list may be optionally
followed by an exclamation mark (!) and a second list of flags that the router should check for being
clear.
For example. the following [flags] field tests for the s flag being on and the a flag being off with all
other flags ignored.
flags s!a
As a further example, suppose we want to allow outward connections from a machine on 10.1.2.33
to a Telnet server. We have to define a filter rule to pass outbound connections and the inbound
response packets. Because this is an outbound Telnet service we can make use of the fact that all
incoming packets will have their ACK bits set. Only the first packet establishing the connection will
have the ACK bit off. The filter rules to do this would look like this:
pass out break end from 10.1.2.33 port>1023 to any port=telnet
pass in break end from any port=telnet to 10.1.2.33 port>1023 flags !a
The first rule allows the outward connections, and the second rule allows the response packets
back in which the ACK flag must always be on. This second rule will filter out any packets that do not
have the ACK flag on. This will bar any attackers from trying to open connections onto the private
network by simply specifying the source port as the Telnet port. Note that there is a simpler way to
achieve the same effect using the inspect state option, described below.
Code Flag
fFIN Flag
rRESET Flag
sSYN Flag
p PUSH Flag
uURG Flag
a ACK Flag

Table of Contents

Other manuals for Digi TransPort WR31

Preview: Quick Start Guide
Quick Start Guide2 pages

Related product manuals