Chapter 11 - TCP/IP Filtering


The est keyword allows a rule to be written in which an external host may not open a connection to a particular port, but two-way traffic for sessions established by an internal machine will pass through the device.

The device performs this operation by examining the flags in the TCP header. When a session is being established, the first packet carries only the "SYN" flag, while every subsequent packet in the session carries the "ACK" flag. A permit packet filter rule using the est keyword will not match a packet with only the "SYN" flag set, so such a packet is dropped. Unless another rule allows it through, the "SYN" packet never reaches its destination, no reply is returned to the sender, and a connection is never established. Note that this check is made on the flag bits alone, not on any record of existing sessions: an inbound packet with the "ACK" flag set matches an est rule whether or not an internal machine actually opened the session, so est rules should be combined with port restrictions rather than used as the only control.

Examples using the est keyword are shown later in this chapter.
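The following Python model of the est check is an added illustration and is not code from the Compatible Systems manual or from the device itself. It builds a few TCP headers (constructed sample data, not captured traffic), parses the flags byte, and applies a one-rule inbound policy, "permit TCP est", with first-match semantics and an assumed default of deny. The rule format, the function names and the default-deny behaviour are assumptions made for the example; the point it shows is that a bare SYN is dropped, a SYN/ACK reply to an inside client passes, and so does an ACK-only probe with no session behind it, which is the limitation of a flag-based check.

```python
import struct

# TCP flag bits, stored in the low six bits of header byte 13 (RFC 793).
TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0):
    """Build a minimal 20-byte TCP header with no options and a zero checksum.
    Constructed sample data for this example, not captured traffic."""
    data_offset_byte = 5 << 4  # header length of five 32-bit words
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset_byte, flags, 65535, 0, 0)


def parse_tcp(header):
    """Return (src_port, dst_port, flags) from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    src_port, dst_port = struct.unpack("!HH", header[:4])
    return src_port, dst_port, header[13]


def rule_matches(rule, dst_port, flags):
    """One filter rule: an optional destination port plus the optional est
    keyword. est is modelled as 'ACK flag set', as the text describes.
    The dict-based rule format is an assumption of this example."""
    if rule.get("dst_port") is not None and rule["dst_port"] != dst_port:
        return False
    if rule.get("est") and not (flags & TCP_ACK):
        return False
    return True


def filter_inbound(header, rules):
    """Apply rules in order; the first match decides. A packet matching no
    rule is denied (assumed default for this example)."""
    _, dst_port, flags = parse_tcp(header)
    for rule in rules:
        if rule_matches(rule, dst_port, flags):
            return rule["action"]
    return "deny"


# Inbound policy: only traffic belonging to sessions opened from inside.
RULES = [{"action": "permit", "est": True}]

# Packets arriving on the external interface (constructed samples):
INBOUND_SYN = build_tcp_header(40000, 23, TCP_SYN)              # outsider opening telnet
INBOUND_SYNACK = build_tcp_header(80, 1025, TCP_SYN | TCP_ACK)  # reply to an inside client
INBOUND_ACK_PROBE = build_tcp_header(40000, 23, TCP_ACK)        # bare ACK, no session behind it


def demo():
    """Verdicts for the three sample packets under the est-only policy."""
    return {
        "syn": filter_inbound(INBOUND_SYN, RULES),
        "synack": filter_inbound(INBOUND_SYNACK, RULES),
        "ack_probe": filter_inbound(INBOUND_ACK_PROBE, RULES),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} -> {verdict}")
```

The "ack_probe" verdict is the one to notice: the packet is permitted even though no internal machine ever sent a SYN, because the device has no session table to consult. Restricting est rules to the destination ports that inside clients actually use narrows what such probes can reach.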

UDP

or UDP src <expression> <port>
or UDP dst <expression> <port>

This modifier allows filtering on UDP (User Datagram Protocol) packets. A source or destination port may be filtered by including the optional src and dst specifiers, followed by a logical expression and a port (as described in the subsection above).

Note: CompatiView uses UDP port 33020. Care should be taken not to deny this port if CompatiView configuration is desired.

ICMP

or ICMP type <expression> <type>

This modifier allows filtering on ICMP (Internet Control Message Protocol) packets. The ICMP type may be filtered by using the type specifier, a logical expression, and one of the types listed in the subsection above.

GRE

This modifier allows filtering on GRE (Generic Routing Encapsulation) packets. GRE provides a simple, general-purpose mechanism to encapsulate network protocols in IP for the purpose of tunneling across the Internet.

Note: If VPN tunneling without authentication is enabled on an interface to which an IP filter is applied, then the filter must specifically permit GRE packets.

AH

This modifier allows filtering on AH (Authentication Header) packets. AH is used for authentication of tunneled packets across the Internet.
