Digi TransPort WR31 User Manual page 708

Configure security settings
How stateful rules can improve firewall security
To better understand how to use stateful inspection, consider an example of setting up a filter to
allow all machines on a local network with addresses in the range 10.1.2.* to access the Internet on
port 80. This example requires one rule to filter the outgoing packets, and another to filter the
responses. The rules are:
pass out break end on ppp 0 from 10.1.2.0/24 to any port=80
pass in break end on ppp 0 from any port=80 to 10.1.2.0/24
In this example:
The first rule allows outgoing HTTP requests on PPP 0 from any address matching the mask
10.1.2.* providing that the requests are on port 80 (the normal port address for HTTP requests).
The second rule allows HTTP response packets to be received on PPP 0 providing they are on
port 80 and they are addressed to an IP address matching the mask 10.1.2.*.
However, rule 2 creates a potential security hole. The problem with filtering based on the source
port is that you can trust the source port only as much as you trust the source machine. For
example, an attacker could perform a port scan and provided the source port was set to 80 in each
packet, it would get through this filter. Alternatively, on an already compromised system, a Trojan
horse might be set up listening on port 80.
A more secure firewall can be defined using the inspect-state option. The stateful inspection
system intelligently creates and manages dynamic filter rules based on the type of connection and
the source/destination IP addresses. Applying this to the above example, we can redesign the script
to make it both simpler and more effective as described below.
Since only the first packet in a TCP handshake will have the SYN flag set, we can use a rule that
checks the SYN flag:
pass out break end on ppp 0 from 10.1.2.0/24 to any port=80 flags s inspect-state
block in break end on ppp 0
The first rule matches only the first outgoing packet because it checks the status of the s (SYN) flag
and will only pass the packet if the SYN flag is set. At first glance, it appears that the second rule
blocks all inbound packets on PPP 0. While this may be inherently more secure, it would also mean that users
on the network could not receive responses to their HTTP requests, which would make the rule of little use.
The reason this is not a problem is that the stateful inspection system creates temporary filter rules
based on the outbound traffic. The first of these temporary rules allows the first response packet to
pass because it also will have the SYN flag set. However, once the connection is established, a
second temporary rule is created that passes inbound or outbound packets if the IP address and
port number match those of the initial rule but does not check the SYN flag. It does however
monitor the FIN flag so that the system can tell when the connection has been terminated. Once an
outbound packet with the FIN flag has been detected along with a FIN/ACK response, the temporary
rule ceases to exist and further packets on that IP address/port are blocked.
In the above example, if a local user on address 10.1.2.34 issues an HTTP request to a host on
100.12.2.9, the outward packet would match and be passed. At the same time a temporary filter
rule is automatically created by the firewall that will pass inbound packets from IP address
100.12.2.9 that are addressed to 10.2.1.34 port x (where x is the source port in the original request
from 10.1.2.34).
Using dynamic filters is more secure, because both the source and destination IP addresses/ports
are checked. In addition, the firewall automatically checks that the correct TCP flags are used at
each stage of the communication.
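As an added illustration (not from the Digi manual), the following Python model simulates the behaviour this section describes: the static `flags s inspect-state` rule creates a temporary session on an outbound SYN, the first reply must carry SYN, established traffic is matched on addresses and ports only, and the session is removed once an outbound FIN has been answered by a FIN/ACK. The `Packet` type, the state names and the unrelated host 203.0.113.5 are constructed for the example; the original stateless rule 2 is modelled beside it so the difference in verdicts can be compared.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

LAN = ip_network("10.1.2.0/24")  # the manual's local network
# direction is "in" or "out" on ppp 0; flags is any of S (SYN), A (ACK), F (FIN)
Packet = namedtuple("Packet", "direction src sport dst dport flags")

def stateless_rule2(p):
    # The manual's original 'pass in break end on ppp 0 from any port=80 to 10.1.2.0/24'
    return "pass" if p.direction == "in" and p.sport == 80 and ip_address(p.dst) in LAN else "block"

class StatefulFirewall:
    # Models 'pass out ... to any port=80 flags s inspect-state' plus 'block in break end on ppp 0'
    def __init__(self):
        self.sessions = {}  # (lan_ip, lan_port, remote_ip, remote_port) -> state
    def filter(self, p):
        # Both directions of one connection map onto the same session key
        out = p.direction == "out"
        key = (p.src, p.sport, p.dst, p.dport) if out else (p.dst, p.dport, p.src, p.sport)
        state = self.sessions.get(key)
        if out:
            if state is not None:  # temporary rule passes outbound traffic too
                if "F" in p.flags:  # local side closing: now wait for the FIN/ACK
                    self.sessions[key] = "FIN_WAIT"
                return "pass"
            if ip_address(p.src) in LAN and p.dport == 80 and p.flags == "S":
                self.sessions[key] = "SYN_SENT"  # static rule matched: create temporary rule
                return "pass"
            return "block"  # assumption: nothing else in the script passes outbound traffic
        if state == "ESTABLISHED" or (state == "SYN_SENT" and "S" in p.flags):
            self.sessions[key] = "ESTABLISHED"  # first reply must carry SYN; afterwards flags are not checked
            return "pass"
        if state == "FIN_WAIT" and "F" in p.flags and "A" in p.flags:
            del self.sessions[key]  # FIN/ACK seen: temporary rule ceases to exist
            return "pass"
        return "block"  # everything else falls through to 'block in'

def demo():
    # Constructed exchange based on the manual's 10.1.2.34 -> 100.12.2.9 example
    fw, lan, web = StatefulFirewall(), "10.1.2.34", "100.12.2.9"
    other = "203.0.113.5"  # constructed: an unrelated host sending from source port 80
    flow = [
        Packet("out", lan, 40000, web, 80, "S"),   # HTTP request: SYN
        Packet("in", web, 80, lan, 40000, "SA"),   # reply: SYN/ACK
        Packet("in", other, 80, lan, 40000, "A"),  # matches old rule 2 but no session
        Packet("out", lan, 40000, web, 80, "FA"),  # local side closes
        Packet("in", web, 80, lan, 40000, "FA"),   # FIN/ACK response
        Packet("in", web, 80, lan, 40000, "A"),    # late packet after teardown
    ]
    return [(fw.filter(p), stateless_rule2(p)) for p in flow]
```

Each tuple returned by `demo()` pairs the stateful verdict with the stateless rule 2 verdict; the third and last packets show where the two differ.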
Digi TransPort WR Routers User Guide
Firewall
703
