Westermo MR Series User Manual
Page 403
6622-3201
Web Interface and Command Line Reference Guide
www.westermo.com
would also mean that users on the network would not be able to receive responses to their HTTP
requests and would therefore be of little use!
The reason that this is not a problem is that the stateful inspection system creates temporary filter
rules based on the outbound traffic. The first of these temporary rules allows the first response
packet to pass because it also will have the SYN flag set. However, once the connection is
established, a second temporary rule is created that passes inbound or outbound packets if the IP
address and port number match those of the initial rule but does not check the SYN flag. It does
however monitor the FIN flag so that the system can tell when the connection has been terminated.
Once an outbound packet with the FIN flag has been detected along with a FIN/ACK response, the
temporary rule ceases to exist and further packets on that IP address/port are blocked.
In the above example, if a local user on address 10.1.2.34 issues an HTTP request to a host on
100.12.2.9, the outward packet would match and be passed. At the same time a temporary
filter rule is automatically created by the firewall that will pass inbound packets from IP address
100.12.2.9 that are addressed to 10.1.2.34 port x (where x is the source port used in the original
request from 10.1.2.34).
This use of dynamic filters is more secure because both the source and destination IP addresses/
ports are checked. In addition, the firewall will automatically check that the correct flags are being
used for each stage of the communication.
The potential for a security breach has now been virtually eliminated because even if a hacker could
time his attack perfectly he would still have to forge a response packet using the correct source
address and port (which was randomly created by the sender of the HTTP request) and also has to
target the specific IP address that opened the connection.
Another advantage of “inspect-state” rules is that they are scalable, i.e. many machines can use the
rule simultaneously. In our above example for instance many machines on the local network could
all browse the Internet and the inspection engine would be dynamically creating precise inward
filters as they are required and closing them when they are finished with.
The inspect-state option can be used on TCP, UDP protocols and some ICMP packets. The ICMP
types that can be used with the “inspect-state” option are “echo”, “timest”, “inforeq” and “maskreq”.
15.8.1 Using [inspect-state] with Flags
As can be seen above, the inspect-state option can be used with flags. To illustrate this we will refer
back to the earlier example of filtering using flags. It is possible to simplify the script by using the
inspect-state option. The original script was:
pass out break end from 10.1.2.33 port>1023 to any port=telnet
pass in break end from any port=telnet to 10.1.2.33 port>1023 flags a/a
Using the inspect state option this can be replaced with a single filter rule:
pass out break end from 10.1.2.33 port>1023 to any port=telnet flags s/sa inspect-state
No rule is needed for the return packets because a temporary filter will be created that will only
allow inbound packets to pass if they match sessions set up by this stateful inspection rule.
A further point to note about the new rule is that the “flags s/sa” specification ensures that it
only matches the first packet in a connection. This is because the first packet in a TCP connection
has the SYN flag on and the ACK flag off and so we only match on that combination. The stateful
inspection engine will take care of matching the rest of the packets for this connection.
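The following is an added model of the behaviour described above for the HTTP example and the "flags s/sa inspect-state" rule; it is example code written for this page, not part of the Westermo firmware or its filter syntax. It assumes a simplified packet record and a single outbound rule, and shows the static rule admitting only the first SYN, the temporary rule requiring SYN on the first reply and then checking only addresses and ports, and the temporary rule being removed once a FIN has been seen in each direction.

```python
from collections import namedtuple
# direction is "out" or "in" relative to the protected network; flags holds any of S, A, F
Pkt = namedtuple("Pkt", "direction src sport dst dport flags")
class StatefulFirewall:
    """Models a single 'pass out from LOCAL port>1023 to any port=DPORT flags s/sa inspect-state' rule."""
    def __init__(self, local_ip, dport):
        self.local_ip, self.dport = local_ip, dport
        self.sessions = {}  # (local, sport, remote, dport) -> {"state": ..., "fin": set of directions}

    def _first_syn(self, p):
        # flags s/sa: SYN set and ACK clear, so the static rule only matches a connection's first packet
        return (p.direction == "out" and p.src == self.local_ip and p.sport > 1023
                and p.dport == self.dport and "S" in p.flags and "A" not in p.flags)

    def filter(self, p):
        """Return True if the packet is passed, False if it is blocked."""
        if self._first_syn(p):
            self.sessions[(p.src, p.sport, p.dst, p.dport)] = {"state": "syn_sent", "fin": set()}
            return True
        # temporary rule: source and destination address and port must all match an open session
        key = ((p.src, p.sport, p.dst, p.dport) if p.direction == "out"
               else (p.dst, p.dport, p.src, p.sport))
        sess = self.sessions.get(key)
        if sess is None:
            return False
        if sess["state"] == "syn_sent":
            if p.direction != "in" or "S" not in p.flags:
                return False  # first temporary rule admits only the SYN-bearing reply
            sess["state"] = "established"  # from here on the SYN flag is no longer checked
        if "F" in p.flags:
            sess["fin"].add(p.direction)
            if sess["fin"] == {"out", "in"}:
                del self.sessions[key]  # FIN seen both ways: the temporary rule ceases to exist
        return True

def demo():
    """Constructed packet sequence for an HTTP request from 10.1.2.34 to 100.12.2.9."""
    fw = StatefulFirewall("10.1.2.34", 80)
    seq = [
        Pkt("out", "10.1.2.34", 40000, "100.12.2.9", 80, "S"),   # SYN: matches the static rule
        Pkt("in", "100.12.2.9", 80, "10.1.2.34", 40000, "A"),    # reply without SYN: blocked
        Pkt("in", "100.12.2.9", 80, "10.1.2.34", 40000, "SA"),   # SYN/ACK: passed, now established
        Pkt("in", "100.12.2.9", 80, "10.1.2.34", 40001, "A"),    # wrong port: blocked
        Pkt("in", "100.12.2.9", 80, "10.1.2.34", 40000, "A"),    # data: passed, flags not checked
        Pkt("out", "10.1.2.34", 40000, "100.12.2.9", 80, "FA"),  # FIN out: passed, close begins
        Pkt("in", "100.12.2.9", 80, "10.1.2.34", 40000, "FA"),   # FIN/ACK in: passed, rule removed
        Pkt("in", "100.12.2.9", 80, "10.1.2.34", 40000, "A"),    # after close: blocked
    ]
    return [fw.filter(p) for p in seq]
```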
15.8.2 Using [inspect-state] with ICMP
The [inspect-state] option can also be used with ICMP codes. To allow the use of echo request and
to allow echo replies you would have just the one rule:
pass out break end on ppp 0 proto icmp icmp-type echo inspect-state
The advantage of using inspect-state, other than just needing one rule, is that it leads to a more
secure firewall. For instance with the inspect-state option the echo replies are not allowed in all
the time; they will only be allowed in once an echo request has been sent out on that interface.
The moment that a valid echo reply comes back (or there is a timeout), echo replies will again be
blocked. Furthermore, the full IP address is checked; the IP source and destination must exactly