By default, the vRouter firewall is stateless. If you want the firewall to remain stateless in general, you can configure state rules within a specific rule set. Alternatively, you can configure the firewall globally to operate statefully.
Global state policies that are configured apply to all IPv4 and IPv6 traffic that is destined for, originating from, or traversing the router. In
addition, after they have been configured, global state policies override any state rules configured within the rule set.
TCP strict tracking
TCP strict tracking of stateful firewall rules can be enabled by using the command described on page 83. This command also lets the user toggle between loose and strict stateful behaviors for TCP.
Stateful tracking must be enabled through either a state rule or a global rule. When the firewall is globally stateful, policies for established, related, and invalid traffic must be defined.
Under the stateful policy, the firewall tracks the state of network connections and traffic flows, and allows or restricts traffic based on whether the connection state is known and authorized. For example, when an initiation flow is allowed in one direction, the stateful firewall automatically allows the responder flows in the return direction.
The statefulness policy applies to all IPv4 and IPv6 traffic that is destined for, originating from, or traversing the router. In the firewall, global statefulness overrides any state rules configured within rule sets.
TCP strict tracking disabled—The firewall is stateless and the rules governing statefulness must be configured through the rule set.
TCP connections are validated by the following criteria:
A SEQ/ACK number check is performed against four boundaries. (Reference: Rooij G., “Real stateful TCP packet filtering in IP Filter,” 10th USENIX Security Symposium invited talk, Aug. 2001.)
The four boundaries are defined as follows:
∙ I) SEQ + LEN <= MAX {SND.ACK + MAX(SND.WIN, 1)}
∙ II) SEQ >= MAX {SND.SEQ + SND.LEN - MAX(RCV.WIN, 1)}
∙ III) ACK <= MAX {RCV.SEQ + RCV.LEN}
∙ IV) ACK >= MAX {RCV.SEQ + RCV.LEN} - MAXACKWIN
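The four boundary checks above, as an added Python illustration that is not vRouter code: each flow direction keeps the guide's SND.*/RCV.* values, an incoming segment is tested against checks I to IV, and accepted segments advance the tracked maxima. The value of MAXACKWIN, the two-direction record layout and the sample sequence numbers are assumptions made for this example, and 32-bit sequence wraparound is ignored for clarity.

```python
from collections import namedtuple
from dataclasses import make_dataclass

# Assumed constant: the guide names MAXACKWIN (check IV) but gives no value; 66000 is illustrative.
MAXACKWIN = 66000

# Header fields of the segment being checked; len counts payload bytes.
Segment = namedtuple("Segment", "seq len ack win")

# Mutable tracking record for one flow direction (the guide's SND.* or RCV.*):
# seq, len: highest segment seen in this direction (seq + len is its data edge);
# ack, win: highest ACK and last window the peer has sent for this direction.
Direction = make_dataclass("Direction", ["seq", "len", "ack", "win"])

def failed_boundaries(pkt, snd, rcv):
    """Labels (I-IV) of the checks `pkt` fails; `snd` is the record for the direction
    the packet travels in, `rcv` the reverse one. 32-bit wraparound is ignored here."""
    failed = []
    if not (pkt.seq + pkt.len <= snd.ack + max(snd.win, 1)):  # I: beyond peer's window
        failed.append("I")
    if not (pkt.seq >= snd.seq + snd.len - max(rcv.win, 1)):  # II: older than one window
        failed.append("II")
    if not (pkt.ack <= rcv.seq + rcv.len):                    # III: acks data never sent
        failed.append("III")
    if not (pkt.ack >= rcv.seq + rcv.len - MAXACKWIN):        # IV: ACK lags too far behind
        failed.append("IV")
    return failed

def track(pkt, snd, rcv):
    """Run the checks and, when they pass, advance the tracked maxima (the MAX{} terms)."""
    failed = failed_boundaries(pkt, snd, rcv)
    if not failed:
        if pkt.seq + pkt.len > snd.seq + snd.len:
            snd.seq, snd.len = pkt.seq, pkt.len
        rcv.ack = max(rcv.ack, pkt.ack)  # this ACK covers the reverse direction's data
        rcv.win = pkt.win                # and advertises the window for that direction
    return failed

def demo():
    """Constructed flow: A (ISN 1000) and B (ISN 5000) just after the handshake,
    each SYN occupying one sequence number; B advertises 8192 bytes, A 4096."""
    a2b = Direction(seq=1000, len=1, ack=1001, win=8192)
    b2a = Direction(seq=5000, len=1, ack=5001, win=4096)
    return {
        "data": track(Segment(1001, 100, 5001, 4096), a2b, b2a),         # []
        "retransmit": track(Segment(1001, 100, 5001, 4096), a2b, b2a),   # []
        "spoofed_seq": track(Segment(90000, 10, 5001, 4096), a2b, b2a),  # ["I"]
        "bad_ack": track(Segment(1101, 0, 6000, 4096), a2b, b2a),        # ["III"]
        "reply": track(Segment(5001, 50, 1101, 8192), b2a, a2b),         # []
    }
```

The retransmission passes because check II allows a segment up to one window behind the sender's data edge, while the out-of-window sequence number and the acknowledgement of unsent data fail checks I and III respectively.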
TCP strict tracking enabled—The above validation is performed. In addition, validation of the correct TCP sequencing of flags (that is, of the TCP stateful transitions) is also performed.
The following stateful transitions are invalid: a packet received with the listed flag while the connection is in one of the listed states.
Forward flow:
SYN-ACK FLAG to SS, ES, FW, CW, LA, TW, CL
FIN FLAG to SS, SR, S2
ACK FLAG to SS, S2
NOTE
S2 is an identical SYN sent from either side of the connection.
Reverse flow:
SYN FLAG to SR, ES, FW, CW, LA, TW, CL
FIN FLAG to SS, SR
Keys to the codes above are as follows:
vyatta@vyatta:~$ show session-table
TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED,
FW - FIN WAIT, CW - CLOSE WAIT, LA - LAST ACK,
TW - TIME WAIT, CL - CLOSE, LI - LISTEN
Firewall Overview
Brocade 5600 vRouter Firewall Configuration Guide
53-1004253-01
15