User's guide
The field can be used on its own or with an optional
oos (Out Of Service) parameter.
To understand this better, let us look at a simple example in which we want to set up a filter
to allow all machines on a local network with addresses in the range 10.1.2.* to access the
Internet on port 80 (HTTP). We will need one rule to pass the outgoing requests and another to
pass the responses:
pass out break end on ppp 0 from 10.1.2.0/24 to any port=80
pass in break end on ppp 0 from any port=80 to 10.1.2.0/24
In this example, the first rule allows outgoing HTTP requests on PPP 0 from any address
matching the mask 10.1.2.*, provided that the requests are destined for port 80 (the
well-known port for HTTP).
The second rule allows HTTP response packets to be received on PPP 0, provided they come
from port 80 and are addressed to an IP address matching the mask 10.1.2.*.
However, rule 2 creates a potential security “hole”. The problem with filtering based on the
source port is that you can trust the source port only as much as you trust the source
machine. For instance, an attacker could perform a port scan and, provided the source port
was set to 80 in each packet, every probe would get through this filter: rule 2 places no
restriction on the destination port, so any port on any 10.1.2.* machine is reachable.
Alternatively, on an already compromised system, a “Trojan horse” might be set up listening
on port 80 so that its traffic carries the trusted source port.
A more secure firewall can be defined using the “inspect-state” option. The stateful
inspection system creates and manages dynamic filter rules based on the type of connection
and the source/destination IP addresses and ports. Applying this to the above example, we
can redesign the script to make it both simpler and more effective, as described below.
Because the only packet a client sends with the SYN flag set is the first packet of the TCP
handshake (its connection request), we can use a rule that checks the SYN flag:
pass out break end on ppp 0 from 10.1.2.0/24 to any port=80 flags s inspect-state
block in break end on ppp 0
The first rule matches only the first outgoing packet of each connection, because it checks
the s (SYN) flag and passes the packet only if that flag is set. At first glance, however, the
second rule appears to block all inbound packets on PPP 0. Whilst this may be inherently
more secure, it would also mean that users on the network could not receive responses to
their HTTP requests, which would be of little use!
The reason that this is not a problem is that the stateful inspection system creates
temporary filter rules based on the outbound traffic. The first of these temporary rules
allows the first response packet (the SYN/ACK) to pass, because it too will have the SYN flag
set. Once the connection is established, a second temporary rule is created that passes
inbound or outbound packets if the IP addresses and port numbers match those of the initial
packet, but no longer checks the SYN flag. It does, however, monitor the FIN flag so that the
system can tell when the connection has been terminated. Once an outbound packet with the
FIN flag has been detected along with a FIN/ACK response, the temporary rule ceases to exist
and further packets for that IP address/port combination are blocked.
In the above example, if a local user on address 10.1.2.34 issues an HTTP request to a host
at 100.12.2.9, the outbound packet would match and be passed. At the same time, a
temporary filter rule is automatically created by the firewall that will pass inbound packets
from IP address 100.12.2.9 port 80 that are addressed to 10.1.2.34 port x (where x is the
source port used in the original request from 10.1.2.34).
This use of dynamic filters is more secure because both the source and destination IP
addresses/ports are checked. In addition, the firewall will automatically check that the
correct flags are being used for each stage of the communication.