Compatible Systems 5.4 User Manual
Page 199

Chapter 11 - TCP/IP Filtering
193
The est keyword allows a rule to be written so that an external host cannot open a connection to a particular port, but two-way traffic on a session established by an internal machine will pass through the device.
The device performs this operation by examining the flags in the TCP header. When a session is being established, the first packet contains only the "SYN" flag, while subsequent packets contain the "ACK" flag. A permit packet filter rule using the est keyword will not match a packet carrying only the "SYN" flag, so that packet is dropped. Unless another rule allows it through, the "SYN" packet never reaches its destination, no reply is returned to the sender, and a connection is never established.
Examples using the est keyword are shown later in this chapter.
• UDP
  or UDP src
  or UDP dst
This modifier allows filtering on UDP (User Datagram Protocol)
packets. A source or destination port may be filtered by including the
optional src and dst specifiers, followed by a logical expression and a
port (as described in the subsection above).
Note: CompatiView uses UDP port 33020. Care should be taken not to deny this port if CompatiView configuration is desired.
• ICMP
  or ICMP type
This modifier allows filtering on ICMP (Internet Control Message Protocol) packets. The ICMP type may be filtered by using the type specifier and the list of types from the subsection above.
• GRE
This modifier allows filtering on GRE (Generic Routing Encapsulation) packets. GRE provides a simple, general-purpose mechanism to encapsulate network protocols into IP for the purpose of tunneling across the Internet.
Note: If VPN tunneling without authentication is enabled on an interface to which an IP filter is applied, then the filter must specifically permit GRE packets.
• AH
This modifier allows filtering on AH (Authentication Header) packets.
AH is used for authentication of tunneled packets across the Internet.
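The following is an added example, not code or rule syntax from the Compatible Systems manual, that models the filter semantics described above: the est keyword's flag check (SYN-only packets never match, ACK-bearing packets do) and the UDP src/dst, ICMP type, GRE and AH modifiers. The Packet and Rule structures, the "first matching rule decides, otherwise drop" policy, the port-expression operators, the sample inbound filter and every sample packet are assumptions made here; the ICMP type numbers (8 = echo request, 0 = echo reply) are IANA-assigned values, not taken from the manual's type list.

```python
# Added example: a small model of the TCP/IP filter semantics this chapter
# describes. Not the device's own code or rule syntax; Rule/Packet shapes,
# the first-match policy and all sample data are assumptions of this example.
from dataclasses import dataclass
from typing import Optional, Tuple, List

SYN = 0x02   # TCP flag bits as carried in the TCP header
ACK = 0x10

PortMatch = Optional[Tuple[str, int]]   # e.g. ("=", 80) or (">", 1023); assumed syntax


@dataclass
class Packet:
    proto: str                         # "tcp", "udp", "icmp", "gre" or "ah"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    flags: int = 0                     # TCP flags; only SYN and ACK are modelled
    icmp_type: Optional[int] = None


@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    proto: str                         # protocol modifier, or "any"
    src: PortMatch = None              # optional src <op> <port>
    dst: PortMatch = None              # optional dst <op> <port>
    est: bool = False                  # est keyword: match established TCP only
    icmp_type: Optional[int] = None    # ICMP type modifier


def port_matches(cond: PortMatch, port: Optional[int]) -> bool:
    """Evaluate the logical expression attached to a src/dst specifier."""
    if cond is None:
        return True
    if port is None:
        return False
    op, value = cond
    return {"=": port == value, "!=": port != value,
            "<": port < value, ">": port > value}[op]


def is_established(pkt: Packet) -> bool:
    """The est test as the chapter describes it: only the flag bits are read.
    The first packet of a session carries SYN alone; later packets carry ACK,
    so a SYN-only packet never matches an est rule."""
    return pkt.proto == "tcp" and bool(pkt.flags & ACK)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if not port_matches(rule.src, pkt.src_port) or not port_matches(rule.dst, pkt.dst_port):
        return False
    if rule.icmp_type is not None and pkt.icmp_type != rule.icmp_type:
        return False
    if rule.est and not is_established(pkt):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; a packet no rule permits is dropped
    (the manual's 'unless another rule allows it through')."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed inbound filter for an external interface (sample, not from the manual).
INBOUND = [
    Rule("permit", "tcp", est=True),            # replies to sessions opened from inside
    Rule("permit", "gre"),                      # needed when unauthenticated VPN tunneling is on
    Rule("permit", "ah"),                       # authenticated tunnel traffic
    Rule("permit", "udp", dst=("=", 33020)),    # keep CompatiView reachable
    Rule("deny",   "icmp", icmp_type=8),        # IANA type 8 = echo request
    Rule("permit", "icmp", icmp_type=0),        # IANA type 0 = echo reply
]


def classify(pkt: Packet) -> str:
    return evaluate(INBOUND, pkt)


# Constructed sample packets arriving on the external interface.
SAMPLES = {
    "tcp_syn_to_telnet": Packet("tcp", src_port=51000, dst_port=23, flags=SYN),
    "tcp_synack_reply":  Packet("tcp", src_port=80, dst_port=40000, flags=SYN | ACK),
    "tcp_data_reply":    Packet("tcp", src_port=80, dst_port=40000, flags=ACK),
    "gre_tunnel":        Packet("gre"),
    "udp_compatiview":   Packet("udp", src_port=1500, dst_port=33020),
    "udp_dns_probe":     Packet("udp", src_port=1500, dst_port=53),
    "icmp_echo_request": Packet("icmp", icmp_type=8),
    "icmp_echo_reply":   Packet("icmp", icmp_type=0),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18s} -> {classify(pkt)}")
```

Running the block prints one verdict per sample packet: the inbound SYN to port 23 is dropped because no rule permits it, while the SYN+ACK and plain ACK replies to a session opened from inside pass the est rule. Note that, exactly as the chapter says, the device decides on flag bits alone rather than on a tracked session table, so an est rule is a flag check and not a substitute for a stateful firewall.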