Firewall configuration
This use of dynamic filters is more secure, because both the source and destination IP addresses and
ports are checked. In addition, the firewall automatically checks that the correct TCP flags are being
used at each stage of the communication.
The potential for a security breach has now been virtually eliminated, because even if a hacker
could time his attack perfectly he would still have to forge a response packet with the correct
source address and port and the correct destination port (the ephemeral port randomly chosen by the
sender of the HTTP request), and would also have to target the specific IP address that opened the connection.
Another advantage of inspect-state rules is that they are scalable, in that many machines can
use the same rule simultaneously. In the example above, many machines on the local network could all
browse the Internet, and the inspection engine would dynamically create precise inward
filters as they are required and close them when the sessions they belong to have finished.
The inspect-state option can be used with the TCP and UDP protocols and with some ICMP packet types. The ICMP
types that can be used with the inspect-state option are echo, timest, inforeq and maskreq.
Using [inspect-state] with Flags
As can be seen above, the inspect-state option can be used with flags. To illustrate this, we will
refer back to the earlier example of filtering using flags. It is possible to simplify the script by
using the inspect-state option. The original script was:
pass out break end from 10.1.2.33 port>1023 to any port=telnet
pass in break end from any port=telnet to 10.1.2.33 port>1023 flags a!
Using the inspect-state option, this can be replaced with a single filter rule:
pass out break end from 10.1.2.33 port>1023 to any port=telnet flags s!a inspect-state
No rule is needed for the return packets because a temporary filter will be created that will only
allow inbound packets to pass if they match sessions set up by this stateful inspection rule.
A further point to note about the new rule is that the flags s!a specification ensures that it only
matches the first packet in a connection. This is because the first packet in a TCP connection has
the SYN flag on and the ACK flag off, and so we only match on that combination. The stateful
inspection engine will take care of matching the rest of the packets for this connection.
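The behaviour described above, modelled as an added Python example (not Digi code and not the TransPort firewall's own engine): the static rule matches only the outbound SYN, a per-session inward filter is created, reply packets must come from the right peer to the right ephemeral port with the flags expected for that stage, and the entry is removed when the session closes. The IP addresses, ports and the simplified single-FIN close are constructed assumptions.

```python
from dataclasses import dataclass

TELNET_PORT = 23


@dataclass(frozen=True)
class Packet:
    """One TCP packet as seen by the firewall; direction is 'out' (LAN->WAN) or 'in'."""
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False


class InspectStateFirewall:
    """Toy model of: pass out from 10.1.2.33 port>1023 to any port=telnet flags s!a inspect-state."""

    def __init__(self, local_host="10.1.2.33"):
        self.local_host = local_host
        # Dynamic inward filters, keyed on (local ip, local port, remote ip, remote port).
        self.sessions = {}

    def rule_matches(self, p):
        # The static rule matches only the first packet of a connection: SYN set, ACK clear.
        return (p.direction == "out" and p.src == self.local_host and p.sport > 1023
                and p.dport == TELNET_PORT and p.syn and not p.ack)

    def filter(self, p):
        if self.rule_matches(p):
            self.sessions[(p.src, p.sport, p.dst, p.dport)] = "SYN_SENT"
            return "pass"
        # Everything else may pass only if it belongs to a session the rule set up.
        key = ((p.dst, p.dport, p.src, p.sport) if p.direction == "in"
               else (p.src, p.sport, p.dst, p.dport))
        state = self.sessions.get(key)
        if state is None:
            return "drop"            # no session, e.g. a reply aimed at the wrong port
        if state == "SYN_SENT":
            # At this stage only the peer's inbound SYN/ACK has the correct flags.
            if p.direction == "in" and p.syn and p.ack:
                self.sessions[key] = "ESTABLISHED"
                return "pass"
            return "drop"            # wrong flags for this stage of the handshake
        if p.fin:
            del self.sessions[key]   # simplified: one FIN closes the dynamic filter
        return "pass"


def demo():
    """Constructed traffic: handshake for one session plus a reply to an unopened port."""
    fw = InspectStateFirewall()
    out_syn = Packet("out", "10.1.2.33", 40123, "203.0.113.5", 23, syn=True)
    good_reply = Packet("in", "203.0.113.5", 23, "10.1.2.33", 40123, syn=True, ack=True)
    forged = Packet("in", "203.0.113.5", 23, "10.1.2.33", 40124, syn=True, ack=True)
    return [fw.filter(out_syn), fw.filter(forged), fw.filter(good_reply), fw.filter(forged)]
```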
Digi TransPort User Guide