User's guide
483
The opportunity for a security breach is now greatly reduced: even if an attacker could time the attack perfectly, the forged response packet would still have to carry the correct source address and port (the port having been chosen at random by the sender of the HTTP request) and be aimed at the specific IP address that opened the connection.
Another advantage of “inspect-state” rules is that they are scalable, i.e. many machines can use the same rule simultaneously. In the above example, for instance, many machines on the local network could all browse the Internet and the inspection engine would dynamically create a precise inward filter for each connection as it is required and close it again when the connection is finished with.
The inspect-state option can be used with the TCP and UDP protocols and with some ICMP packets. The ICMP types that can be used with the “inspect-state” option are “echo”, “timest”, “inforeq” and “maskreq”, i.e. the request types for which a matching reply type exists.
Using [inspect-state] with Flags
As can be seen above, the inspect-state option can be used with flags. To illustrate this we will refer back to the earlier example of filtering using flags. It is possible to simplify that script by using the inspect-state option. The original script was:
pass out break end from 10.1.2.33 port>1023 to any port=telnet
pass in break end from any port=telnet to 10.1.2.33 port>1023 flags a!
Using the inspect-state option this can be replaced with a single filter rule:
pass out break end from 10.1.2.33 port>1023 to any port=telnet flags s!a inspect-state
No rule is needed for the return packets: a temporary filter is created that only allows inbound packets to pass if they match a session set up by this stateful inspection rule.
A further point to note about the new rule is that the “flags s!a” specification ensures that it only matches the first packet in a connection. The first packet of a TCP connection has the SYN flag set and the ACK flag clear, so we match only that combination; packets of a connection already in progress therefore do not create additional session entries. The stateful inspection engine takes care of matching the rest of the packets for this connection.
Using [inspect-state] with ICMP
The [inspect-state] option can also be used with ICMP types. To allow echo requests out and the corresponding echo replies back in you need just the one rule:
pass out break end on ppp 0 proto icmp icmp-type echo inspect-state
The advantage of using inspect-state, beyond needing only one rule, is a more secure firewall. With the inspect-state option echo replies are not allowed in all the time; they are only allowed in once an echo request has been sent out on that interface. The moment a valid echo reply comes back (or the entry times out), echo replies are blocked again. Furthermore, the full IP addresses are checked: the IP source and destination of the reply must exactly match the IP destination and source of the echo request. Compare this with a rule that allows echo replies in without using inspect-state: such a rule could not check the source address at all, and its destination address would match any IP address on our network.
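The following is an added example and not code from the firewall or from this guide: a small Python model of the session-table behaviour that the flags section and the ICMP section above describe (the telnet rule with “flags s!a” and the echo rule). The reduced rule fields, the 30-second timeout, the remote addresses 203.0.113.7 and 198.51.100.9 and the type labels “echo”/“echo-reply” are assumptions made for the illustration; the real engine's timeouts and matching details are not documented on this page.

```python
"""Toy model of the inspect-state behaviour described above: a constructed
illustration, not the firewall's own engine. Rules are reduced to a few fields,
the timeout is a plain number of seconds and ICMP type labels are just strings."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0         # TCP/UDP ports (0 for ICMP)
    dport: int = 0
    syn: bool = False      # TCP flags
    ack: bool = False
    icmp_type: str = ""    # "echo" (request) or "echo-reply"

@dataclass(frozen=True)
class InspectRule:
    """An outbound 'pass ... inspect-state' rule, reduced to what the model needs."""
    proto: str
    src: str                         # local host the rule is written for
    dport: Optional[int] = None      # TCP/UDP destination port (None = any)
    first_packet_only: bool = False  # models 'flags s!a': SYN set, ACK clear
    icmp_type: str = ""              # ICMP request type the rule covers

# Request -> reply pairing (assumed labels); timest/inforeq/maskreq would be added alike.
REPLY_OF = {"echo": "echo-reply"}
REQUEST_OF = {v: k for k, v in REPLY_OF.items()}

class StatefulEngine:
    def __init__(self, rules, timeout=60.0):
        self.rules = list(rules)
        self.timeout = timeout
        # (proto, local addr, local port, remote addr, remote port, icmp request) -> expiry
        self.sessions = {}

    def _expire(self, now):
        for k in [k for k, exp in self.sessions.items() if exp <= now]:
            del self.sessions[k]

    def _rule_matches(self, r, p):
        if r.proto != p.proto or r.src != p.src:
            return False
        if p.proto == "icmp":
            return p.icmp_type == r.icmp_type
        if r.dport is not None and r.dport != p.dport:
            return False
        # 'flags s!a': only the first packet of a connection opens a session
        return not r.first_packet_only or (p.syn and not p.ack)

    def outbound(self, p, now):
        """Decide an outgoing packet; a matching rule opens a temporary inward filter."""
        self._expire(now)
        key = (p.proto, p.src, p.sport, p.dst, p.dport, p.icmp_type)
        if key in self.sessions or any(self._rule_matches(r, p) for r in self.rules):
            self.sessions[key] = now + self.timeout   # open or refresh the session
            return True
        return False

    def inbound(self, p, now):
        """Allow an incoming packet only if it exactly mirrors an open session."""
        self._expire(now)
        if p.proto == "icmp":
            req = REQUEST_OF.get(p.icmp_type)    # which request this reply answers
            if req is None:
                return False
            key = ("icmp", p.dst, 0, p.src, 0, req)
        else:
            key = (p.proto, p.dst, p.dport, p.src, p.sport, "")
        if key not in self.sessions:
            return False
        if p.proto == "icmp":
            del self.sessions[key]   # one reply per request, then replies are blocked again
        else:
            self.sessions[key] = now + self.timeout
        return True

def demo():
    """Replays the telnet and echo scenarios from the text plus forged replies (constructed)."""
    fw = StatefulEngine([
        InspectRule("tcp", "10.1.2.33", dport=23, first_packet_only=True),  # telnet rule
        InspectRule("icmp", "10.1.2.33", icmp_type="echo"),                 # echo rule
    ], timeout=30)
    t = 1000.0
    syn = Packet("tcp", "10.1.2.33", "203.0.113.7", sport=40123, dport=23, syn=True)
    synack = Packet("tcp", "203.0.113.7", "10.1.2.33", sport=23, dport=40123, syn=True, ack=True)
    forged = Packet("tcp", "203.0.113.7", "10.1.2.33", sport=23, dport=40124, ack=True)
    req = Packet("icmp", "10.1.2.33", "203.0.113.7", icmp_type="echo")
    rep = Packet("icmp", "203.0.113.7", "10.1.2.33", icmp_type="echo-reply")
    stray = Packet("icmp", "198.51.100.9", "10.1.2.33", icmp_type="echo-reply")
    r = {"synack_before_syn": fw.inbound(synack, t), "syn_out": fw.outbound(syn, t)}
    r["synack_in"] = fw.inbound(synack, t + 1)         # mirrors the session exactly
    r["forged_port_in"] = fw.inbound(forged, t + 1)    # right host, wrong port
    r["reply_before_request"] = fw.inbound(rep, t + 2)
    r["request_out"] = fw.outbound(req, t + 2)
    r["stray_reply_in"] = fw.inbound(stray, t + 3)     # source does not match
    r["reply_in"] = fw.inbound(rep, t + 3)
    r["second_reply_in"] = fw.inbound(rep, t + 4)      # entry closed by the first reply
    fw.outbound(req, t + 10)
    r["reply_after_timeout"] = fw.inbound(rep, t + 41) # entry expired (30 s timeout)
    return r
```

The inbound lookup swaps source and destination (address and port) before consulting the session table, which is why the forged packet with the wrong port and the reply from a different host are both dropped even though they are addressed to the right local machine. A TCP or UDP entry is refreshed by each matching packet, whereas an ICMP entry is removed by the first valid reply, reproducing the one-request-one-reply behaviour described for echo.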