Digi TransPort WR31 User Manual page 704

Configure security settings
Filtering on TCP flags
An ip-object can be followed by an optional [flags] field.
[flags]
Filters based on any combination of TCP flags. The [flags] field specifies the flags to check and
consists of the flags keyword followed by a string specifying the flags themselves. Each letter in
this string represents a particular flag type as listed below:
Code   Flag
f      FIN Flag
r      RESET Flag
s      SYN Flag
p      PUSH Flag
u      URG Flag
a      ACK Flag
These flag codes allow the filter to check any combination of flags.
Following on from the previous example, to block packets that have all the flags set you would need
to precede the pass rule with the following block rule:
block break end from any to 10.1.2.0/24 port=telnet flags frspua
Here, the list of flags causes the router to check that those flags are set. This list may be optionally
followed by an exclamation mark (!) and a second list of flags that the router should check for being
clear.
For example, the following [flags] field tests for the s flag being on and the a flag being off, with all
other flags ignored.
flags s!a
As a further example, suppose we want to allow outward connections from a machine on 10.1.2.33
to a Telnet server. We have to define a filter rule to pass outbound connections and the inbound
response packets. Because this is an outbound Telnet service we can make use of the fact that all
incoming packets will have their ACK bits set. Only the first packet establishing the connection will
have the ACK bit off. The filter rules to do this would look like this:
pass out break end from 10.1.2.33 port>1023 to any port=telnet
pass in break end from any port=telnet to 10.1.2.33 port>1023 flags !a
The first rule allows the outward connections, and the second rule allows the response packets
back in which the ACK flag must always be on. This second rule will filter out any packets that do not
have the ACK flag on. This will bar any attackers from trying to open connections onto the private
network by simply specifying the source port as the Telnet port. Note that there is a simpler way to
achieve the same effect using the inspect state option, described below.
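The [flags] semantics described above (a list of flags that must be set, optionally followed by ! and a list that must be clear, with every other flag ignored) and the point that a block rule must precede the pass rule it is meant to override can be modelled in a few lines. The following Python is an added illustration and not Digi firmware or TransPort configuration code; the packet flag sets are constructed for the example, and the rule list and helper names (parse_flags, matches, evaluate) are this example's own.

```python
"""Model of the TransPort [flags] field: parse a flags string and test packets.

Added example, not code from the Digi TransPort firmware or user guide.
"""
from dataclasses import dataclass

# Letter codes from the page's flag table, mapped to the usual TCP flag names.
FLAG_CODES = {"f": "FIN", "r": "RST", "s": "SYN", "p": "PSH", "u": "URG", "a": "ACK"}


@dataclass(frozen=True)
class FlagsTest:
    must_be_set: frozenset    # flags listed before the optional '!'
    must_be_clear: frozenset  # flags listed after the optional '!'


def parse_flags(spec: str) -> FlagsTest:
    """Parse the string that follows the 'flags' keyword.

    'frspua' -> all six flags must be set.
    's!a'    -> SYN must be set, ACK must be clear, others ignored.
    ''       -> no flags test at all (matches any packet).
    """
    set_part, _, clear_part = spec.partition("!")

    def to_names(letters: str) -> frozenset:
        names = set()
        for ch in letters:
            if ch not in FLAG_CODES:
                raise ValueError(f"unknown flag code {ch!r}")
            names.add(FLAG_CODES[ch])
        return frozenset(names)

    must_set, must_clear = to_names(set_part), to_names(clear_part)
    if must_set & must_clear:
        raise ValueError("a flag cannot be required both set and clear")
    return FlagsTest(must_set, must_clear)


def matches(test: FlagsTest, packet_flags) -> bool:
    """True when every required flag is set and every excluded flag is clear."""
    flags = frozenset(packet_flags)
    return test.must_be_set <= flags and not (test.must_be_clear & flags)


def evaluate(rules, packet_flags):
    """Walk an ordered list of (action, flags_spec) pairs, as the router walks
    its rule list, and return the action of the first rule whose flags test
    matches, or None when no rule matches."""
    for action, spec in rules:
        if matches(parse_flags(spec), packet_flags):
            return action
    return None


# Constructed sample packets (their TCP flag sets), not captured traffic.
SAMPLE_PACKETS = {
    "client SYN":     {"SYN"},
    "server SYN/ACK": {"SYN", "ACK"},
    "client ACK":     {"ACK"},
    "data PSH/ACK":   {"PSH", "ACK"},
    "all flags set":  {"FIN", "RST", "SYN", "PSH", "URG", "ACK"},
}

# Hypothetical rule list mirroring the page's advice: the block rule for
# "all flags set" comes first, then a pass rule with no flags test.
RULES = [("block", "frspua"), ("pass", "")]

if __name__ == "__main__":
    for name, flags in SAMPLE_PACKETS.items():
        print(f"{name:15s} -> {evaluate(RULES, flags)}")
    print("s!a matches client SYN:", matches(parse_flags("s!a"), SAMPLE_PACKETS["client SYN"]))
    print("s!a matches SYN/ACK:  ", matches(parse_flags("s!a"), SAMPLE_PACKETS["server SYN/ACK"]))
```

Running the block shows that only the "all flags set" packet is blocked while the normal handshake and data packets reach the pass rule, and that `s!a` matches the client's opening SYN but not the server's SYN/ACK. Swapping the order of the two entries in RULES makes the pass rule match everything first, which is why the page says the block rule must precede the pass rule.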
Digi TransPort WR Routers User Guide
Firewall
699
