Technical data

3. Base configuration
State        Meaning
INVALID      The packet cannot be associated with any known connection.
ESTABLISHED  The packet belongs to a connection in which packets have already
             been transmitted in both directions.
NEW          The packet opens a new connection, or belongs to a connection in
             which packets have not yet been transmitted in both directions.
RELATED      The packet opens a new connection that is related to an already
             existing connection (e.g. FTP opens a separate connection for
             the data transfer).
Table 3.7.: Packet State Constraints in Packet Filter Rules
States are specified as state:state(s). To specify more than one state, separate them by
commas. For example, to let through packets that belong directly or indirectly to established
connections, write state:ESTABLISHED,RELATED (this is mainly useful in the INPUT or
FORWARD chain).
Constraints Based On The Frequency Of Actions
Under certain circumstances you may wish to restrict the frequency of actions, e.g. allow only
one ICMP echo request per second. This is achieved with limit constraints, which look
like this: limit:Frequency:Burst. The frequency is given as n/time unit (second, minute,
hour, day); the burst is the number of matching packets that may additionally be accepted in
rapid succession before the rate takes effect. limit:3/minute:5, for example, means that on
average at most three events per minute are allowed, but a burst of up to five events in rapid
succession is also accepted. Note that a limit constraint only matches packets within this
allowance; packets beyond it do not match the rule and are handled by the rules that follow
it (or by the chain's default action).
3.10.3. Using Templates With The Packet Filter
To simplify dealing with the packet filter you may collect frequently occurring rules in
templates. Thus it is possible to provide a wide range of packet filter rules and combine
them in a collection under a symbolic name. Instead of directly using protocols and port
numbers, you may then use entries such as tmpl:ssh if you want to refer to the ssh protocol in
a rule. How to deal with templates is shown here using ssh as an example.
If you want to reach your fli4l from the Internet via ssh, write into an entry of the array
variable PF_INPUT_% the corresponding service name (here ssh), preceded by tmpl:, and the action
to apply to this service. Example:
PF_INPUT_2='tmpl:ssh ACCEPT'
tmpl: means that the rule is based on a template. Specify the name of the service
after the ':', in our example ssh. Finally you have to set the action to be bound
to the service. Since we want to access the fli4l over the Internet, we allow the connection
with ACCEPT. No restrictions on IP addresses or networks are given, so the ssh service will
be accessible on all interfaces from all networks, i.e. every host on the Internet can reach
the login prompt. If you want to impose further restrictions on access to the ssh service
(a source network, a state or a limit constraint), use the packet filter notation already
explained above.
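The following added example (not fli4l's own code) shows what the state, limit and tmpl constraints from the three preceding sections amount to, by translating rules written in that notation into iptables command lines and validating them on the way. The template table, the assumption that constraints may appear in any order before the action, and the mapping of state names onto the conntrack match are all assumptions of this example, not documented fli4l behaviour; the two PF_INPUT_ rules at the end are constructed for illustration.

```shell
#!/bin/sh
# Added example (not fli4l's own code): translate rules written in the
# constraint notation above into iptables command lines, so the effect of
# state:, limit: and tmpl: constraints can be seen. Assumptions: the tmpl
# table below is hypothetical, constraints may appear in any order before
# the action, and state names are mapped onto the conntrack match.

# Hypothetical template table: service name -> "protocol port".
tmpl_lookup() {
    case "$1" in
        ssh)   echo "tcp 22" ;;
        http)  echo "tcp 80" ;;
        dns)   echo "udp 53" ;;
        *)     return 1 ;;
    esac
}

# rule_to_iptables CHAIN 'constraint... ACTION'
# Prints the equivalent iptables command, or fails on an unknown token.
rule_to_iptables() {
    chain=$1
    rule=$2
    args=""
    action=""
    for tok in $rule; do
        case "$tok" in
            tmpl:*)
                spec=$(tmpl_lookup "${tok#tmpl:}") || {
                    echo "unknown template: ${tok#tmpl:}" >&2; return 1; }
                set -- $spec                       # $1=protocol $2=port
                args="$args -p $1 --dport $2"
                ;;
            state:*)
                states=${tok#state:}
                # Reject anything outside the four states of Table 3.7.
                for s in $(printf '%s' "$states" | tr ',' ' '); do
                    case "$s" in
                        INVALID|ESTABLISHED|NEW|RELATED) ;;
                        *) echo "unknown state: $s" >&2; return 1 ;;
                    esac
                done
                args="$args -m conntrack --ctstate $states"
                ;;
            limit:*)
                rest=${tok#limit:}
                freq=${rest%%:*}
                burst=${rest#*:}
                if [ "$burst" = "$rest" ]; then
                    # limit:Frequency without a burst: iptables defaults the burst to 5.
                    args="$args -m limit --limit $freq"
                else
                    args="$args -m limit --limit $freq --limit-burst $burst"
                fi
                ;;
            ACCEPT|DROP|REJECT)
                action=$tok
                ;;
            *)
                echo "unsupported token: $tok" >&2; return 1
                ;;
        esac
    done
    [ -n "$action" ] || { echo "rule has no action: $rule" >&2; return 1; }
    echo "iptables -A $chain$args -j $action"
}

# Constructed rule set in the page's notation (not from the original):
# accept replies to existing connections, then admit new ssh sessions at a
# limited rate. Packets outside the limit allowance do not match the second
# rule and fall through to later rules or the chain's default action.
PF_INPUT_1='state:ESTABLISHED,RELATED ACCEPT'
PF_INPUT_2='tmpl:ssh state:NEW limit:3/minute:5 ACCEPT'

# Emit all rules; stops at the first invalid one.
emit_input_rules() {
    rule_to_iptables INPUT "$PF_INPUT_1" &&
    rule_to_iptables INPUT "$PF_INPUT_2"
}

emit_input_rules
```

Running the script prints one iptables line per rule; a misspelled state name, an unknown template or a rule without an action is rejected with a message on stderr instead of silently producing a rule that matches nothing. The limit rule accepts only new ssh connections within the 3/minute allowance (with a burst of 5), which is the same shape as the "one ICMP echo request per second" case above.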