Installing and Administering PPP
Chapter 5: Security Techniques
Building a Stanza - Specifics
Keywords Based on TCP Packet Header Bits
Only one TCP header field can be specified in a rule; specifying more than
one in the same rule is a syntax error.
Some qualifiers (keywords) may only be used in combination with other
qualifiers. The keywords 'syn', 'fin', 'rst', 'ack' and 'estab' test fields in
the TCP packet header, so they may only appear in a rule where the
qualifier 'tcp' is either stated directly or implied by a service that is
defined over TCP only. If the definition of a service allows it to use both
TCP and UDP packets, the 'tcp' qualifier must be added explicitly after the
service name in the rule.
Example:
tcp/syn/recv # block inbound TCP connection requests
smtp/syn # permit SMTP (25/tcp) connection requests
domain/tcp/syn # permit DNS (port 53) TCP connection requests
'syn' Qualifying Keyword
The initiator of a TCP connection sends a SYN packet to the recipient to
open the data stream. A rule qualified with 'recv' or 'send' matches only
packets travelling in the indicated direction, so combining it with 'syn'
lets the filter distinguish between inbound and outbound uses of TCP
applications such as telnet or FTP: the session is permitted (or logged)
only when it is initiated from the indicated side. The special keyword
'syn' lets you filter or log these connection starters. Unlike most other
qualifiers, 'syn' is a compound test: it matches only the initial packet,
which has the SYN bit set but not the ACK bit. The SYN/ACK reply sent by
the recipient therefore does not match 'syn'.
Using Other Keywords Based on TCP Packet Header Fields
The special keyword 'estab' identifies any TCP packet that does not have
the SYN bit set. 'estab' is to 'existing' as 'syn' is to 'beginning'. Note
that a SYN/ACK packet matches neither 'syn' (its ACK bit is set) nor 'estab'
(its SYN bit is set); if a rule must cover it, use 'ack'.
The special keyword 'ack' allows you to filter or log the packets that
have the ACK bit set.
The special keyword 'rst' allows you to filter or log the packets that
have the RST bit set, that is, packets that reset TCP connections.
The special keyword 'fin' allows you to filter or log the packets that
have the FIN bit set, that is, packets that close TCP connections.