Tcp Strict Tracking - Brocade Communications Systems 5600 vRouter Configuration Manual

By default, the vRouter firewall is stateless. If you want the firewall to remain stateless in general, you can configure state rules within a
specific rule set. Alternatively, you can configure the firewall to operate statefully on a global basis.
Once configured, global state policies apply to all IPv4 and IPv6 traffic that is destined for, originating from, or traversing the router. In
addition, global state policies override any state rules configured within a rule set.

TCP strict tracking

TCP strict tracking of stateful firewall rules is enabled by using security firewall tcp-strict on page 83. This command
also lets you toggle between loose and strict stateful behaviors for TCP.
Stateful tracking must be enabled through either a state rule or a global rule. When the firewall is globally stateful, policies for established,
related, and invalid traffic must be defined.
Under a stateful policy, the firewall tracks the state of network connections and traffic flows, and allows or restricts traffic based on whether
the connection state is known and authorized. For example, when an initiation flow is allowed in one direction, the stateful firewall
automatically allows the responder flow in the return direction.
The statefulness policy applies to all IPv4 and IPv6 traffic that is destined for, originating from, or traversing the router. In the firewall, global
statefulness overrides any state rules configured within rule sets.
TCP strict tracking disabled—The firewall is stateless and the rules governing statefulness must be configured through the rule set.
TCP connections are validated by the following criteria:
Perform SEQ/ACK number checks against boundaries. (Reference: Rooij G., "Real stateful TCP packet filtering in IP Filter," 10th USENIX
Security Symposium invited talk, Aug. 2001.)
The four boundaries are defined as follows:
I) SEQ + LEN <= MAX {SND.ACK + MAX(SND.WIN, 1)}
II) SEQ >= MAX {SND.SEQ + SND.LEN - MAX(RCV.WIN, 1)}
III) ACK <= MAX {RCV.SEQ + RCV.LEN}
IV) ACK >= MAX {RCV.SEQ + RCV.LEN} - MAXACKWIN
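The following is an added worked example of the four boundary checks above; it is not Brocade's code and not taken from the vRouter. The per-endpoint bookkeeping (end, maxend, maxwin), the MAXACKWIN value, the after_handshake seeding and the sample segment values are all constructed for illustration. It shows a legitimate data segment being accepted and then two segments that bound I and bound III reject, with 32-bit sequence wrap-around handled.

```python
# Added worked example (not Brocade's code): Rooij's four SEQ/ACK bounds as a
# stateful tracker would apply them to each segment. State field names and the
# MAXACKWIN constant are my own choices, mapped to the page's notation in comments.
from dataclasses import dataclass

MOD = 1 << 32          # TCP sequence numbers live in 32-bit space
MAXACKWIN = 66_000     # assumed slack for bound IV (how far an ACK may lag)


def seq_diff(a, b):
    """Signed a - b in sequence space, so comparisons survive wrap-around."""
    d = (a - b) % MOD
    return d - MOD if d >= (1 << 31) else d


@dataclass
class Endpoint:
    end: int      # highest SEQ+LEN this side has sent        (SND.SEQ + SND.LEN)
    maxend: int   # highest ACK+WIN the peer has offered it    (SND.ACK + SND.WIN)
    maxwin: int   # largest window this side has advertised    (the peer's RCV.WIN)


def after_handshake(a_isn, a_win, b_isn, b_win):
    """Seed tracker state for a completed three-way handshake (constructed values)."""
    a = Endpoint(end=(a_isn + 1) % MOD, maxend=(a_isn + 1 + b_win) % MOD, maxwin=max(a_win, 1))
    b = Endpoint(end=(b_isn + 1) % MOD, maxend=(b_isn + 1 + a_win) % MOD, maxwin=max(b_win, 1))
    return a, b


def check_segment(snd, rcv, seq, length, ack, win):
    """Apply bounds I-IV to a segment sent by `snd` toward `rcv`.
    Returns (accepted, reason); on acceptance the tracked state is advanced."""
    end = (seq + length) % MOD
    # I: data must not reach beyond what the peer has acknowledged plus its window
    if seq_diff(end, snd.maxend) > 0:
        return False, "I: SEQ+LEN exceeds peer's ACK+WIN"
    # II: data must not start below the lowest point still inside the window
    if seq_diff(seq, (snd.end - max(rcv.maxwin, 1)) % MOD) < 0:
        return False, "II: SEQ below the lowest point still in window"
    # III: a sender cannot acknowledge data the peer has never sent
    if seq_diff(ack, rcv.end) > 0:
        return False, "III: ACK covers data the peer never sent"
    # IV: an ACK may lag behind the peer's data, but only by MAXACKWIN
    if seq_diff(ack, (rcv.end - MAXACKWIN) % MOD) < 0:
        return False, "IV: ACK lags more than MAXACKWIN"
    # Segment passed: extend the bookkeeping with what it tells us.
    if seq_diff(end, snd.end) > 0:
        snd.end = end
    snd.maxwin = max(snd.maxwin, win)
    offered = (ack + max(win, 1)) % MOD      # what this segment lets the peer send
    if seq_diff(offered, rcv.maxend) > 0:
        rcv.maxend = offered
    return True, "ok"


def demo():
    """Constructed flow: one legitimate data segment, then an injected segment
    far ahead of the window (bound I) and a forged ACK (bound III)."""
    client, server = after_handshake(a_isn=1000, a_win=65535, b_isn=5000, b_win=65535)
    results = [
        check_segment(client, server, seq=1001, length=100, ack=5001, win=65535),
        check_segment(client, server, seq=1_000_001, length=100, ack=5001, win=65535),
        check_segment(client, server, seq=1101, length=0, ack=9000, win=65535),
    ]
    return results


if __name__ == "__main__":
    for accepted, reason in demo():
        print("accepted" if accepted else "dropped  ", reason)
```

A retransmission of already-acknowledged data stays inside bound II because the lower bound is taken relative to the peer's advertised window, not to the last byte sent; that is what distinguishes a retransmit from an out-of-window injection.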
TCP strict tracking enabled—The above validation is performed. In addition, validation of the correct TCP sequencing of flags
(that is, validation of TCP stateful transitions) is also performed.
The following stateful transitions are invalid when a packet is received with the following flag pattern:
Forward flow:
SYN-ACK FLAG to SS, ES, FW, CW, LA, TW, CL
FIN FLAG to SS, SR, S2
ACK FLAG to SS, S2
NOTE
S2 is an identical SYN sent from either side of the connection.
Reverse flow:
SYN FLAG to SR, ES, FW, CW, LA, TW, CL
FIN FLAG to SS, SR
The key to the state codes above, as printed by show session-table, is as follows:
vyatta@vyatta:~$ show session-table
TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED,
FW - FIN WAIT, CW - CLOSE WAIT, LA - LAST ACK,
TW - TIME WAIT, CL - CLOSE, LI - LISTEN
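The following is an added worked example of the strict-mode transition check, written here for illustration; it is not Brocade's code and does not reproduce the vRouter's implementation. The invalid-transition table is exactly the one listed above for each direction; how a segment's flag set is reduced to one pattern name (RST first, then SYN/SYN-ACK, then FIN, then ACK) is my assumption, and the sample segments are constructed.

```python
# Added worked example (not Brocade's code): the strict-tracking transition
# table from the text as a lookup, with a flag classification step that is my
# own assumption about how a segment maps onto one of the table's patterns.
STATE_CODES = {
    "SS": "SYN SENT", "SR": "SYN RECEIVED", "ES": "ESTABLISHED",
    "FW": "FIN WAIT", "CW": "CLOSE WAIT", "LA": "LAST ACK",
    "TW": "TIME WAIT", "CL": "CLOSE", "LI": "LISTEN",
    "S2": "identical SYN sent from either side of the connection",
}

# flag pattern -> session states in which that pattern is invalid,
# per direction, exactly as listed in the text.
INVALID = {
    "forward": {
        "SYN-ACK": {"SS", "ES", "FW", "CW", "LA", "TW", "CL"},
        "FIN":     {"SS", "SR", "S2"},
        "ACK":     {"SS", "S2"},
    },
    "reverse": {
        "SYN": {"SR", "ES", "FW", "CW", "LA", "TW", "CL"},
        "FIN": {"SS", "SR"},
    },
}


def classify(flags):
    """Reduce a segment's flag set to one pattern name used in the table.
    Precedence (RST, SYN/SYN-ACK, FIN, ACK) is an assumption of this example."""
    if "RST" in flags:
        return "RST"
    if "SYN" in flags:
        return "SYN-ACK" if "ACK" in flags else "SYN"
    if "FIN" in flags:
        return "FIN"
    if "ACK" in flags:
        return "ACK"
    return "NONE"


def strict_transition_ok(direction, flags, state):
    """True if strict tracking accepts `flags` arriving in `direction` while the
    session is in `state`; False for the transitions the text lists as invalid."""
    if direction not in INVALID:
        raise ValueError(f"direction must be forward or reverse, got {direction!r}")
    if state not in STATE_CODES:
        raise ValueError(f"unknown session state code {state!r}")
    pattern = classify(flags)
    return state not in INVALID[direction].get(pattern, set())


def audit(segments):
    """Run (direction, flags, state) triples through the table and return
    (direction, pattern, state, accepted) for each; useful when reviewing what
    strict mode would drop that loose mode lets through."""
    return [(d, classify(f), s, strict_transition_ok(d, f, s)) for d, f, s in segments]


SAMPLE = [  # constructed segments, each with the session state at arrival
    ("forward", {"SYN"}, "CL"),            # new connection opening: allowed
    ("reverse", {"SYN", "ACK"}, "SS"),     # legitimate SYN-ACK reply: allowed
    ("forward", {"SYN", "ACK"}, "ES"),     # SYN-ACK from the initiator mid-session: invalid
    ("reverse", {"SYN"}, "ES"),            # responder re-SYNs an established session: invalid
    ("forward", {"FIN", "ACK"}, "ES"),     # normal close: allowed
    ("forward", {"FIN", "ACK"}, "SR"),     # FIN before the handshake completed: invalid
]

if __name__ == "__main__":
    for direction, pattern, state, ok in audit(SAMPLE):
        print(f"{direction:8} {pattern:8} in {state} ({STATE_CODES[state]}): "
              f"{'ok' if ok else 'INVALID'}")
```

Bound checks and transition checks are independent: a segment whose sequence numbers are in window can still be dropped in strict mode purely because its flags make no sense for the session's current state, which is the extra validation the "enabled" case above adds.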
Brocade 5600 vRouter Firewall Configuration Guide, 53-1004253-01, Firewall Overview, page 15
