Firewall configuration
Digi TransPort User Guide 669
How stateful rules can improve firewall security
To better understand how to use stateful inspection, consider a simple example of setting up a
filter to allow all machines on a local network with addresses in the range 10.1.2.* to access the
Internet on port 80. This example requires one rule to filter the outgoing packets, and another to
filter the responses. The rules are:
pass out break end on ppp 0 from 10.1.2.0/24 to any port=80
pass in break end on ppp 0 from any port=80 to 10.1.2.0/24
In this example:
• The first rule allows outgoing HTTP requests on PPP 0 from any address matching the mask
10.1.2.* providing that the requests are on port 80 (the normal port address for HTTP
requests).
• The second rule allows HTTP response packets to be received on PPP 0 providing they are on
port 80 and they are addressed to an IP address matching the mask 10.1.2.*.
However, rule 2 creates a potential security hole. The problem with filtering based on the source
port is that you can trust the source port only as much as you trust the source machine. For
example, an attacker could perform a port scan and, provided the source port was set to 80 in
each packet, the probes would pass through this filter. Alternatively, on an already compromised
system, a Trojan horse might be set up listening on port 80.
A more secure firewall can be defined using the inspect-state option. The stateful inspection
system intelligently creates and manages dynamic filter rules based on the type of connection
and the source/destination IP addresses. Applying this to the above example, we can redesign
the script to make it both simpler and more effective as described below.
Because the first packet sent by a client opening a TCP connection is the only outbound packet
in that connection with the SYN flag set, we can use a rule that checks the SYN flag:
pass out break end on ppp 0 from 10.1.2.0/24 to any port=80 flags s inspect-state
block in break end on ppp 0
The first rule matches only the first outgoing packet because it checks the status of the s (SYN)
flag and will only pass the packet if the SYN flag is set. At first glance, however, it appears that the
second rule blocks all inbound packets on PPP 0. While this may be inherently more secure, it
would also mean that users on the network could not receive responses to their HTTP requests,
making the rule of little use.
The reason that this is not a problem is that the stateful inspection system creates temporary
filter rules based on the outbound traffic. The first of these temporary rules allows the first
response packet to pass because it also will have the SYN flag set. However, once the connection
is established, a second temporary rule is created that passes inbound or outbound packets if the
IP address and port number match those of the initial rule but does not check the SYN flag. It
does however monitor the FIN flag so that the system can tell when the connection has been
terminated. Once an outbound packet with the FIN flag has been detected along with a FIN/ACK
response, the temporary rule ceases to exist and further packets on that IP address/port are
blocked.
In the above example, if a local user on address 10.1.2.34 issues an HTTP request to a host on
100.12.2.9, the outward packet would match and be passed. At the same time a temporary filter
rule is automatically created by the firewall that will pass inbound packets from IP address
100.12.2.9 that are addressed to 10.1.2.34 port x (where x is the source port used in the original
request from 10.1.2.34).
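The following Python model is an added illustration, not Digi TransPort code: it runs the same constructed packet sequence through the two static rules and through the inspect-state design, so you can see the spoofed source port 80 probe pass the first and be blocked by the second, and the temporary rule disappear after the FIN exchange. The packet fields, the client port 40000 and the probe address 203.0.113.5 are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("10.1.2.0/24")  # the local network from the example

def pkt(*v):  # constructed packet: dir ('in'/'out'), src, sport, dst, dport, flags
    return dict(zip(("dir", "src", "sport", "dst", "dport", "flags"), v))

def port_filter(p):  # the two static rules: pass out to port=80, pass in from port=80
    if p["dir"] == "out":
        return ip_address(p["src"]) in LAN and p["dport"] == 80
    return p["sport"] == 80 and ip_address(p["dst"]) in LAN

class StatefulFilter:
    """'pass out ... port=80 flags s inspect-state' followed by 'block in'."""
    def __init__(self):
        self.conns = {}  # (client, cport, server, sport) -> temporary rule state

    def check(self, p):
        out = p["dir"] == "out"
        key = ((p["src"], p["sport"], p["dst"], p["dport"]) if out
               else (p["dst"], p["dport"], p["src"], p["sport"]))
        state = self.conns.get(key)
        if state is None:  # no temporary rule yet: only the static rules apply
            if out and ip_address(p["src"]) in LAN and p["dport"] == 80 and p["flags"] == "S":
                self.conns[key] = "syn_sent"  # first outbound SYN creates a temporary rule
                return True
            return False  # everything else inbound hits 'block in'
        if state == "syn_sent" and not out:  # first reply must be the SYN/ACK
            if "S" not in p["flags"]:
                return False
            self.conns[key] = "established"
        elif "F" in p["flags"]:  # FIN is monitored so the rule can be torn down
            if out:
                self.conns[key] = "fin_sent"
            elif state == "fin_sent":
                del self.conns[key]  # FIN/ACK answered our FIN: rule ceases to exist
        return True

def compare(packets):
    """Return (static verdicts, stateful verdicts) for a packet sequence."""
    sf = StatefulFilter()
    return [port_filter(p) for p in packets], [sf.check(p) for p in packets]

# Constructed: the page's HTTP exchange (client port 40000), a probe with source port 80, a packet after close.
TRAFFIC = [pkt("out", "10.1.2.34", 40000, "100.12.2.9", 80, "S"),
           pkt("in", "100.12.2.9", 80, "10.1.2.34", 40000, "SA"),
           pkt("out", "10.1.2.34", 40000, "100.12.2.9", 80, "FA"),
           pkt("in", "100.12.2.9", 80, "10.1.2.34", 40000, "FA"),
           pkt("in", "203.0.113.5", 80, "10.1.2.34", 22, "S"),
           pkt("in", "100.12.2.9", 80, "10.1.2.34", 40000, "A")]
```

`compare(TRAFFIC)` returns all six verdicts as pass for the static rules, while the stateful filter passes only the four packets of the real connection.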