Firewall configuration
Digi TransPort User Guide 665
Filtering on TCP flags
An ip-object can be followed by an optional [flags] field.
[flags]
Allows the script to filter based on any combination of TCP flags. The [flags] field is used to
specify the flags to check and consists of the flags keyword followed by a string specifying the
flags themselves. Each letter in this string represents a particular flag type as listed below:
These flag codes allow the filter to check any combination of flags.
Following on from the previous example, to block packets that have all the flags set you would
need to precede the pass rule with the following block rule:
block break end from any to 10.1.2.0/24 port=telnet flags frspua
Here, the list of flags causes the router to check that those flags are set. This list may be
optionally followed by an exclamation mark (!) and a second list of flags that the router should
check for being clear.
For example. the following [flags] field tests for the s flag being on and the a flag being off with
all other flags ignored.
flags s!a
As a further example, suppose we want to allow outward connections from a machine on
10.1.2.33 to a Telnet server. We have to define a filter rule to pass outbound connections and the
inbound response packets. Because this is an outbound Telnet service we can make use of the
fact that all incoming packets will have their ACK bits set. Only the first packet establishing the
connection will have the ACK bit off. The filter rules to do this would look like this:
pass out break end from 10.1.2.33 port>1023 to any port=telnet
pass in break end from any port=telnet to 10.1.2.33 port>1023 flags !a
The first rule allows the outward connections, and the second rule allows the response packets
back in which the ACK flag must always be on. This second rule will filter out any packets that do
not have the ACK flag on. This will bar any attackers from trying to open connections onto the
private network by simply specifying the source port as the Telnet port. Note that there is a
simpler way to achieve the same effect using the inspect state option, described below.
Code Flag
fFIN Flag
r RESET Flag
sSYN Flag
pPUSH Flag
uURG Flag
aACK Flag
To Next Page
Loading...
