Services; Stateful Matching - Colubris Networks CN3000 Administrator's Manual


Chapter 11 - Configuration parameters

Note
• You can use the special setting 'any' (or leave a field blank) to match any address.
• You can prefix an address with the special symbol "!", which means not. For example, the entry:
! 192.168.0.0
matches all traffic except traffic addressed to 192.168.0.0. This can also be used for the mask.

Services

Select the service type this rule applies to. For your convenience, several popular services have been predefined. To define a service not in the list, choose Other. The available options will change depending on the service you choose.

Stateful matching

Stateful matching is a powerful option that increases the security of the firewall and makes it much easier to define rules. It works by tracking the state of each incoming and outgoing connection and applying the firewall rule in this context.

Connections have two states: New or Established. A connection changes from the New to the Established state after a reply packet passes through the firewall.

Although stateful matching options must be enabled on a rule-by-rule basis, the firewall always tracks the state of all connections.

New packet
Matches all packets that create new connections. For example, when used with TCP, it would match all SYN packets.

Established packet
Matches packets that belong to an existing connection. For example, a reply packet or an outgoing packet on a connection which has had replies.

Related packet
Matches packets that are related to, but not part of, an existing connection. For example, ICMP errors or a packet establishing an FTP data connection. This option makes it easy to open up the firewall for a particular connection type without specifying a number of firewall rules to handle all the related traffic that might be associated with the connection.

Invalid packet
Matches packets that could not be identified for some reason. For example, ICMP errors that do not correspond to any known connection.

255
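As an added illustration (not code from this manual or from the CN3000 firmware), the following Python models the four stateful-match categories and the 'any' / "!" address matching described above: a connection moves from New to Established once a reply passes, an ICMP error is Related only when the packet it reports on belongs to a tracked connection, and anything else is Invalid. It assumes connections are keyed by their 5-tuple, that an ICMP error carries the 5-tuple of the packet that triggered it, and that address fields hold single addresses without masks.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False          # TCP SYN without ACK: an attempt to open a connection
    icmp_error: Optional[Tuple] = None  # ICMP errors: 5-tuple of the packet they report on

class ConnTracker:
    """Toy tracker (assumed model, not the CN3000's): one entry per original-direction 5-tuple."""
    def __init__(self):
        self.table = {}        # 5-tuple -> "new" | "established"

    def classify(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if pkt.proto == "icmp" and pkt.icmp_error is not None:
            e = pkt.icmp_error   # the embedded packet, in either direction
            if e in self.table or (e[0], e[2], e[1], e[4], e[3]) in self.table:
                return "related"   # ICMP error about a connection we know
            return "invalid"       # ICMP error matching no known connection
        if rev in self.table:      # a reply: the connection becomes Established
            self.table[rev] = "established"
            return "established"
        if fwd in self.table:      # original direction on a known connection
            return self.table[fwd] # stays "new" until a reply has passed
        if pkt.proto == "tcp" and not pkt.syn:
            return "invalid"       # mid-stream TCP segment with no tracked connection
        self.table[fwd] = "new"
        return "new"

def match_addr(spec: str, addr: str) -> bool:
    """Rule address field: blank or 'any' matches all, a '!' prefix negates."""
    spec = spec.strip()
    if spec == "" or spec.lower() == "any":
        return True
    if spec.startswith("!"):
        return not match_addr(spec[1:], addr)
    return spec == addr

def rule_matches(rule: dict, pkt: Packet, state: str) -> bool:
    """A rule matches when its address fields and its selected states all match."""
    return (match_addr(rule.get("src", ""), pkt.src)
            and match_addr(rule.get("dst", ""), pkt.dst)
            and (not rule.get("states") or state in rule["states"]))
```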
