Firewall
8.3 The BAT Firewall (page 264)
BAT54-Rail/F.. Release 7.54 06/08
TCP connections
TCP connections cannot be tracked by examining the ports alone. With some protocols (e.g. FTP, PPTP or H.323) the payload must be inspected in order to open all connections that are negotiated later, and to accept only those packets that really belong to these connections. This corresponds to a simplified form of IP masquerading, but without any remapping of addresses or ports. It is sufficient to follow the negotiation, open the appropriate ports and link them to the main connection, so that these ports are closed together with the main connection, and traffic on the secondary connection also keeps the main connection open.
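The following Python is an added illustration of the mechanism just described, using FTP as the example protocol; it is not code from this manual or from the BAT firmware. The control connection on port 21 is inspected for a client PORT command or a server "227" passive-mode reply, the announced data connection is registered as expected and linked to its main connection, traffic on the data connection refreshes the main connection's timer, and closing the main connection closes the data connection with it. The addresses, ports, policy callback and the StateTable/Conn names are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Added example: simplified stateful tracking with "related" connections, modelled on
# the behaviour the manual describes for FTP. Not the BAT/LANCOM implementation.
_PORT = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")      # client: active mode
_PASV = re.compile(rb"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")  # server: passive mode


@dataclass(eq=False)
class Conn:
    key: tuple                        # (proto, src, sport, dst, dport) as opened by the initiator
    parent: Optional["Conn"] = None   # main connection, if this one was negotiated on it
    children: list = field(default_factory=list)
    last_seen: float = 0.0


class StateTable:
    def __init__(self, allow_new):
        self.allow_new = allow_new    # policy callback for connections not yet in the table
        self.conns = {}               # key -> Conn
        self.expected = {}            # (proto, src, dst, dport) -> main Conn that negotiated it

    def _find(self, proto, src, sport, dst, dport):
        # a packet in either direction belongs to the same connection
        return (self.conns.get((proto, src, sport, dst, dport))
                or self.conns.get((proto, dst, dport, src, sport)))

    def _touch(self, conn, now):
        # traffic on a secondary connection also keeps the main connection open
        while conn is not None:
            conn.last_seen = now
            conn = conn.parent

    def close(self, conn):
        # closing the main connection closes every connection linked to it
        for child in list(conn.children):
            self.close(child)
        if conn.parent is not None:
            conn.parent.children.remove(conn)
        self.conns.pop(conn.key, None)
        self.expected = {k: v for k, v in self.expected.items() if v is not conn}

    def expire(self, now, timeout):
        for conn in [c for c in self.conns.values() if now - c.last_seen > timeout]:
            if conn.key in self.conns:   # may already be gone as a child of an expired parent
                self.close(conn)

    def _inspect_ftp(self, conn, src, payload):
        # follow the negotiation on the control connection and register the data
        # connection it announces, linked to the control connection
        client, server = conn.key[1], conn.key[3]
        m = _PORT.match(payload) if src == client else _PASV.match(payload)
        if not m:
            return
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        host, port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
        initiator = server if src == client else client   # PORT: server connects; PASV: client connects
        self.expected[("tcp", initiator, host, port)] = conn

    def packet(self, proto, src, sport, dst, dport, payload=b"", now=0.0):
        conn = self._find(proto, src, sport, dst, dport)
        if conn is not None:
            self._touch(conn, now)
            if proto == "tcp" and conn.key[4] == 21 and payload:
                self._inspect_ftp(conn, src, payload)
            return "ACCEPT"
        key = (proto, src, sport, dst, dport)
        parent = self.expected.pop((proto, src, dst, dport), None)
        if parent is not None:                  # negotiated secondary connection
            child = Conn(key, parent=parent)
            parent.children.append(child)
            self.conns[key] = child
            self._touch(child, now)
            return "ACCEPT"
        if self.allow_new(proto, src, dst, dport):
            self.conns[key] = Conn(key, last_seen=now)
            return "ACCEPT"
        return "DROP"


def demo():
    # Constructed traffic: inside client 10.0.0.5 and FTP server 198.51.100.7 (example addresses).
    # Policy: only the inside network may open new connections, and only to port 21.
    fw = StateTable(lambda proto, src, dst, dport: src.startswith("10.0.0.") and dport == 21)
    C, S = "10.0.0.5", "198.51.100.7"
    v = [
        fw.packet("tcp", C, 40000, S, 21, now=1),                                  # ACCEPT: new control connection
        fw.packet("tcp", S, 21, C, 40000, b"220 ready\r\n", now=2),                # ACCEPT: reply on same connection
        fw.packet("tcp", S, 21, C, 40000,
                  b"227 Entering Passive Mode (198,51,100,7,195,81)\r\n", now=3),  # ACCEPT: announces port 50001
        fw.packet("tcp", C, 40001, S, 50001, now=4),                               # ACCEPT: related data connection
        fw.packet("tcp", "10.0.0.9", 40002, S, 50001, now=4),                      # DROP: other host, not negotiated
        fw.packet("tcp", "203.0.113.9", 5555, C, 40001, now=5),                    # DROP: unsolicited inbound
        fw.packet("tcp", S, 50001, C, 40001, b"file data", now=20),                # ACCEPT: refreshes control too
    ]
    fw.expire(now=40, timeout=30)            # control idle since t=3, but kept alive by the data traffic
    v.append(fw.packet("tcp", C, 40000, S, 21, b"QUIT\r\n", now=41))               # ACCEPT: still open
    fw.close(fw.conns[("tcp", C, 40000, S, 21)])   # closing the main connection closes the data connection
    v.append(fw.packet("tcp", S, 50001, C, 40001, now=42))                         # DROP: no longer related
    return v


if __name__ == "__main__":
    print(demo())
```

Note that the expectation is keyed on the initiating host as well as the announced address and port and is consumed on first use, so a third host connecting to the negotiated port is not let through by accident; a real implementation would additionally need to handle the EPRT/EPSV forms and sanity-check that the announced address matches the peer.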
ICMP connections
For ICMP two cases must be distinguished: ICMP request/reply exchanges, as used by "ping", and ICMP error messages, which can arrive as a response to any IP packet.
ICMP request/reply exchanges can be assigned unambiguously by the identifier chosen by the initiator: when an ICMP request is sent, an entry is created in the status database that lets through only ICMP replies carrying the correct identifier. All other ICMP replies are discarded silently.
An ICMP error message carries the IP header and the first 8 bytes of the IP packet that caused it (for TCP and UDP this covers the source and destination ports). Using this information, the receipt of an ICMP error message automatically triggers a search for the matching entry in the status database. The packet passes only if such an entry exists; otherwise it is discarded silently. In addition, potentially dangerous ICMP error messages (redirect) are filtered out regardless of any matching entry.
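As an added example (not code from this manual or the BAT firmware), the following Python applies the two ICMP cases described above to raw ICMP bytes: an outbound echo request records its identifier and only a reply with that identifier from the same peer is let through; an ICMP error is parsed for the quoted IP header plus 8 bytes of transport header and passes only if a matching entry exists in the status database; a redirect is dropped even when it would match. The packet builders, the addresses and the IcmpState name are assumptions made for the example.

```python
import struct
from socket import inet_aton, inet_ntoa

# Added example: stateful handling of ICMP as described in the text, built on raw
# packet bytes. Illustrative code only, not the BAT firmware.
ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_REDIRECT, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 3, 5, 8, 11
ERROR_TYPES = {ICMP_DEST_UNREACH, 4, ICMP_TIME_EXCEEDED, 12}   # unreachable, source quench, time exceeded, parameter problem
PROTO = {6: "tcp", 17: "udp"}


def ipv4_header(src, dst, proto, payload_len):
    # minimal 20-byte IPv4 header, checksum left zero (constructed for the example)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       inet_aton(src), inet_aton(dst))


def icmp_echo(typ, ident, seq, data=b""):
    return struct.pack("!BBHHH", typ, 0, 0, ident, seq) + data


def icmp_error(typ, code, orig_src, orig_dst, orig_proto, orig_l4_first8):
    # an ICMP error quotes the IP header plus the first 8 bytes of the packet that caused it;
    # the 4-byte field after the checksum (gateway for redirect) is left zero here
    quoted = ipv4_header(orig_src, orig_dst, orig_proto, len(orig_l4_first8)) + orig_l4_first8
    return struct.pack("!BBHI", typ, code, 0, 0) + quoted


class IcmpState:
    def __init__(self):
        self.echo = set()    # (src, dst, identifier) of echo requests sent by our side
        self.conns = set()   # (proto, src, sport, dst, dport) of tracked TCP/UDP connections

    def track(self, proto, src, sport, dst, dport):
        self.conns.add((proto, src, sport, dst, dport))

    def _related(self, quoted):
        # look the quoted packet up in the status database
        if len(quoted) < 28:
            return False
        ihl = (quoted[0] & 0x0F) * 4
        proto = quoted[9]
        osrc, odst = inet_ntoa(quoted[12:16]), inet_ntoa(quoted[16:20])
        l4 = quoted[ihl:ihl + 8]
        if len(l4) < 8:
            return False
        if proto in PROTO:                       # TCP/UDP: the first 8 bytes hold both ports
            sport, dport = struct.unpack("!HH", l4[:4])
            return (PROTO[proto], osrc, sport, odst, dport) in self.conns
        if proto == 1 and l4[0] == ICMP_ECHO_REQUEST:   # error in response to our own ping
            return (osrc, odst, struct.unpack("!H", l4[4:6])[0]) in self.echo
        return False

    def handle(self, src, dst, icmp, outbound):
        # verdict for one ICMP packet; outbound means sent from the protected side
        if len(icmp) < 8:
            return "DROP"
        typ = icmp[0]
        if outbound:
            if typ == ICMP_ECHO_REQUEST:
                self.echo.add((src, dst, struct.unpack_from("!H", icmp, 4)[0]))
            return "ACCEPT"
        if typ == ICMP_ECHO_REPLY:
            ident = struct.unpack_from("!H", icmp, 4)[0]
            return "ACCEPT" if (dst, src, ident) in self.echo else "DROP"
        if typ == ICMP_REDIRECT:                  # potentially dangerous: always filtered
            return "DROP"
        if typ in ERROR_TYPES:
            return "ACCEPT" if self._related(icmp[8:]) else "DROP"
        return "DROP"                             # anything else unsolicited


def demo():
    fw = IcmpState()
    ME, PEER, ROUTER = "10.0.0.5", "198.51.100.7", "203.0.113.9"   # constructed addresses
    udp8 = struct.pack("!HHHH", 51000, 53, 8, 0)                    # UDP header of a DNS query
    fw.track("udp", ME, 51000, PEER, 53)
    return [
        fw.handle(ME, PEER, icmp_echo(ICMP_ECHO_REQUEST, 0x1234, 1), outbound=True),   # ACCEPT: entry created
        fw.handle(PEER, ME, icmp_echo(ICMP_ECHO_REPLY, 0x1234, 1), outbound=False),    # ACCEPT: identifier matches
        fw.handle(PEER, ME, icmp_echo(ICMP_ECHO_REPLY, 0x9999, 1), outbound=False),    # DROP: wrong identifier
        fw.handle(ROUTER, ME, icmp_echo(ICMP_ECHO_REPLY, 0x1234, 1), outbound=False),  # DROP: wrong peer
        fw.handle(PEER, ME, icmp_error(ICMP_DEST_UNREACH, 3, ME, PEER, 17, udp8), outbound=False),    # ACCEPT
        fw.handle(ROUTER, ME, icmp_error(ICMP_TIME_EXCEEDED, 0, ME, PEER, 17, udp8), outbound=False), # ACCEPT: any host
        fw.handle(PEER, ME, icmp_error(ICMP_DEST_UNREACH, 3, ME, PEER, 17,
                                       struct.pack("!HHHH", 51001, 53, 8, 0)), outbound=False),       # DROP: no entry
        fw.handle(PEER, ME, icmp_error(ICMP_REDIRECT, 1, ME, PEER, 17, udp8), outbound=False),        # DROP: redirect
    ]
```

The time-exceeded case shows why the lookup is keyed on the quoted packet rather than on the sender: an intermediate router that was never a connection endpoint may legitimately report an error for a tracked connection, while a forged error from the same router that quotes ports not in the table is silently dropped.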
Connections of other protocols
For all other protocols no related connections can be tracked, i.e. for them only a connection between the hosts involved can appear in the status database. Such connections can also only be initiated from one side, unless the port filter Firewall contains a dedicated entry for the "opposite direction".
8.3.3 General settings of the Firewall
Apart from the individual Firewall rules, which produce the entries in the filter, connection and block lists, some settings apply to the Firewall as a whole:
- Firewall/QoS enabled
- Administrator email (→ Page 265)
- Fragments (→ Page 265)