User's guide

As a further example, let us say we want to allow outward connections from a machine on
10.1.2.33 to a Telnet server. We have to define one filter rule to pass the outbound connection
and another to pass the inbound response packets. Because this is an outbound Telnet service we
can make use of the fact that every incoming packet belonging to the connection will have its
ACK bit set; only the first packet, the one establishing the connection, has the ACK bit off.
The filter rules to do this would look like this:
pass out break end from 10.1.2.33 port>1023 to any port=telnet
pass in break end from any port=telnet to 10.1.2.33 port>1023 flags !a
The first rule allows the outward connections, and the second rule allows the response
packets back in; on these the ACK flag must always be on. The second rule therefore filters
out any inbound packet that does not have the ACK flag on. This bars an attacker from opening
connections onto the private network simply by setting the source port of the packet to the
Telnet port (note that there is a simpler way to achieve the same effect using the inspect
state option described below).
Filtering on ICMP Codes
An ip-object can be followed by an optional [icmp] field. This allows the script to filter
packets based on ICMP codes. ICMP packets are normally used to debug and diagnose a
network and can be extremely useful. However they form part of a low-level protocol and
are frequently exploited by hackers for attacking networks. For this reason most network
administrators will want to restrict the use of ICMP packets.
The syntax for including ICMP filtering is:
icmp = “icmp-type” icmp-type [“code” decnum]
The icmp-type can be one of the pre-defined strings listed in the following table or the
equivalent decimal numeric value:
ICMP Type     ICMP Value
Unreach       3
Echo          8
Echorep       0
Squench       4
Redir         5
Timex         11
Paramprob     12
Timest        13
Timestrep     14
Inforeq       15
Inforep       16
Maskreq       17
Maskrep       18
Routerad      9
Routersol     10
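The following is an added illustration, not part of the guide and not the product's own filter code. It models the two Telnet rules above (the inbound rule accepting only packets with the ACK bit set, as the text describes) and an ICMP filter that accepts type names from the table or their decimal values; the host 10.1.2.33 and port 23 come from the guide, while the remote addresses and port numbers in the comments are constructed sample values.

```python
from dataclasses import dataclass

# ICMP type names from the guide's table mapped to their decimal values.
ICMP_TYPES = {
    "unreach": 3, "echo": 8, "echorep": 0, "squench": 4, "redir": 5,
    "timex": 11, "paramprob": 12, "timest": 13, "timestrep": 14,
    "inforeq": 15, "inforep": 16, "maskreq": 17, "maskrep": 18,
    "routerad": 9, "routersol": 10,
}

INSIDE_HOST = "10.1.2.33"   # the protected machine from the guide
TELNET = 23                 # port=telnet


@dataclass
class Packet:
    direction: str          # "in" or "out", relative to the private network
    proto: str              # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False       # TCP ACK bit
    icmp_type: int = -1     # ICMP type value, -1 if not ICMP


def icmp_type_value(spec) -> int:
    """Accept a pre-defined name (e.g. 'echorep') or a decimal value (e.g. 0)."""
    if isinstance(spec, int):
        return spec
    return ICMP_TYPES[spec.lower()]


def telnet_policy(pkt: Packet) -> str:
    """Apply the guide's two Telnet rules; anything else is blocked."""
    if pkt.proto != "tcp":
        return "block"
    # pass out from 10.1.2.33 port>1023 to any port=telnet
    if (pkt.direction == "out" and pkt.src == INSIDE_HOST
            and pkt.sport > 1023 and pkt.dport == TELNET):
        return "pass"
    # pass in from any port=telnet to 10.1.2.33 port>1023, ACK bit required:
    # a connection-opening packet (ACK off) with source port 23 is dropped.
    if (pkt.direction == "in" and pkt.dst == INSIDE_HOST
            and pkt.dport > 1023 and pkt.sport == TELNET and pkt.ack):
        return "pass"
    return "block"


def icmp_policy(pkt: Packet, allowed) -> str:
    """Pass only ICMP packets whose type is in `allowed` (names or numbers)."""
    if pkt.proto != "icmp":
        return "block"
    allowed_values = {icmp_type_value(spec) for spec in allowed}
    return "pass" if pkt.icmp_type in allowed_values else "block"
```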