Installing and Administering PPP

114 Chapter 5
Security Techniques
Writing a Stanza - TCP Examples
To open a TCP data stream, the initiator sends a packet to the intended
recipient with the SYN bit set and the ACK bit clear in the TCP header;
this packet is the TCP connection request. The special keyword ‘syn’
matches packets that have the SYN bit set but not the ACK bit, which lets
you filter or log exactly the packets that start connections.
A TCP connection needs more than this single SYN packet to work. The
recipient answers with a packet that has both SYN and ACK set, and every
later packet of the connection has ACK set, so none of them match ‘syn’.
This means you cannot enable TCP connections with a single ‘syn’ rule;
the remaining packets of the connection have to be permitted by another
rule.
Two Approaches to Filtering TCP connections
There are two approaches to filtering TCP connections. The first
approach is to block the ‘syn’ packets that you do not want to establish
a connection for a service, while permitting all other packets for that
service. Order matters here: the blocking rule is listed before the
general permit rule so that an inbound connection request is caught by
the more specific rule first.
Example:
!telnet/syn/recv # block inbound telnet connection requests
telnet # permit all other telnet packets
The second approach is to permit only the ‘syn’ packets you do want to
establish a connection, and then to permit any other, non-SYN packets.
The opposite of the ‘syn’ keyword is the ‘estab’ keyword: ‘estab’ matches
any TCP packet that does not have the SYN bit set, or that has both the
SYN and ACK bits set (the reply to a connection request). Between them,
‘syn’ and ‘estab’ cover every TCP packet. This approach is the more
conservative of the two, because an inbound connection request matches
neither rule and so nothing in the pair permits it.
Example:
telnet/syn/send # permit outbound telnet connection requests
telnet/estab # permit packets to established connections
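The following is an added example, not code from the PPP manual or from pppd itself: a small Python model of the ‘syn’, ‘estab’, ‘send’ and ‘recv’ keywords that runs each of the rulesets above against the packets of a TCP three-way handshake. It shows why a lone ‘syn’ rule cannot open a connection (the SYN/ACK reply matches no rule), that both approaches admit an outbound telnet connection and reject an inbound one, and what happens to the first approach if its two rules are reordered. The model assumes first-match evaluation and that a packet matching no rule is dropped; both are assumptions of the model, not statements about pppd, so confirm them against your pppd.Filter documentation. The service names and packets are constructed.

```python
"""Toy model of the pppd filter keywords 'syn', 'estab', 'send' and 'recv'.

Added example, not code from the PPP manual or from pppd itself. It assumes
first-match rule evaluation and that a packet matching no rule is dropped;
both are assumptions of this model, so check pppd.Filter for the real
semantics. Service names and packets below are constructed.
"""
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10  # TCP header flag bits


@dataclass(frozen=True)
class Packet:
    proto: str      # service the packet belongs to, e.g. "telnet"
    flags: int      # TCP flag bits
    direction: str  # "send" = outbound from us, "recv" = inbound from the peer


def is_syn(p: Packet) -> bool:
    """'syn': SYN set and ACK clear, i.e. a connection request."""
    return bool(p.flags & SYN) and not (p.flags & ACK)


def is_estab(p: Packet) -> bool:
    """'estab': SYN clear, or SYN and ACK both set (the complement of 'syn')."""
    return not (p.flags & SYN) or bool(p.flags & ACK)


def parse_rule(line: str):
    """'!telnet/syn/recv  # comment' -> (permit=False, 'telnet', {'syn', 'recv'})."""
    text = line.split("#", 1)[0].strip()
    permit = not text.startswith("!")
    fields = text.lstrip("!").split("/")
    return permit, fields[0], set(fields[1:])


def rule_matches(rule, p: Packet) -> bool:
    _, service, quals = rule
    if service != p.proto:
        return False
    if "syn" in quals and not is_syn(p):
        return False
    if "estab" in quals and not is_estab(p):
        return False
    if {"send", "recv"} & quals and p.direction not in quals:
        return False
    return True


def packet_passes(rules, p: Packet, default: bool = False) -> bool:
    """First matching rule decides; unmatched packets take `default` (assumed drop)."""
    for rule in rules:
        if rule_matches(rule, p):
            return rule[0]
    return default


def handshake(proto: str, initiator: str):
    """Three-way handshake plus one data segment for a connection opened by `initiator`."""
    other = "recv" if initiator == "send" else "send"
    return [
        Packet(proto, SYN, initiator),    # connection request: matches 'syn'
        Packet(proto, SYN | ACK, other),  # reply: matches 'estab'
        Packet(proto, ACK, initiator),    # handshake completes
        Packet(proto, ACK, other),        # data flowing on the open connection
    ]


def connection_allowed(ruleset: str, proto: str, initiator: str) -> bool:
    """True only if every packet of the handshake passes the ruleset."""
    rules = [parse_rule(l) for l in ruleset.splitlines() if l.split("#", 1)[0].strip()]
    return all(packet_passes(rules, p) for p in handshake(proto, initiator))


# A lone 'syn' rule: the request passes but the SYN/ACK reply does not.
SYN_ONLY = "telnet/syn/send"
# First approach from the text: block inbound requests, permit everything else.
BLOCK_INBOUND = "!telnet/syn/recv  # block inbound telnet connection requests\ntelnet"
# Second approach: permit outbound requests, then established-connection traffic.
PERMIT_OUTBOUND = "telnet/syn/send\ntelnet/estab"
# Same two rules as BLOCK_INBOUND but reversed: under first-match the deny never fires.
REORDERED = "telnet\n!telnet/syn/recv"

if __name__ == "__main__":
    for name, rs in [("syn only", SYN_ONLY), ("block inbound", BLOCK_INBOUND),
                     ("permit outbound", PERMIT_OUTBOUND), ("reordered", REORDERED)]:
        print(f"{name:16} outbound={connection_allowed(rs, 'telnet', 'send')!s:5} "
              f"inbound={connection_allowed(rs, 'telnet', 'recv')}")
```

The REORDERED case is the caveat worth remembering about the first approach: its safety rests entirely on the deny rule being evaluated ahead of the blanket ‘telnet’ permit, so a later edit that appends or moves rules can quietly reopen inbound connections. The second approach has no blanket permit to protect.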
Identifying Rulesets with Hostnames and Addresses
The first line of a ruleset must contain a hostname, an IP address, or the
keyword ‘default’ that identifies the interface to which the ruleset
applies. For pppd, use the peer, or remote, IP address (or its hostname).
This hostname or address must not be indented: an indented line is
assumed to be part of a rule, so an indented name or address is read as a
rule of the preceding ruleset rather than as the start of a new one. This
may or may not cause a syntax error; if it does not, the rules you
intended for that peer end up under the wrong ruleset without any warning,
so check the indentation of every header line when a filter does not
behave as expected.
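The following is an added example, not code from the PPP manual or from pppd: a Python function that splits a filter file into rulesets using only the layout rule the text gives (an unindented hostname, address or ‘default’ opens a ruleset; indented lines are its rules) and warns when an indented line looks like a header that has been swallowed into the previous ruleset. The ‘#’ comment syntax, the dotted-quad heuristic and the sample file are assumptions of this model; the addresses come from the 192.0.2.0/24 documentation range and the file is constructed.

```python
"""Split a pppd-style filter file into rulesets by their unindented header lines.

Added example, not code from the PPP manual or from pppd. It models only the
layout the text describes: a ruleset starts with an unindented hostname, IP
address or 'default', and the rules that follow it are indented. The comment
syntax ('#'), the dotted-quad heuristic and the sample file are assumptions
of this model; the addresses come from the 192.0.2.0/24 documentation range.
"""


def looks_like_header(token: str) -> bool:
    """Heuristic: 'default' or a dotted-quad IPv4 address. Hostnames cannot be
    told apart from service names by syntax alone, so they are not flagged."""
    if token == "default":
        return True
    parts = token.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts)


def split_rulesets(text: str):
    """Return ({header: [rule, ...]}, [warning, ...]).

    An unindented line opens a new ruleset; every indented line is a rule of
    the ruleset opened most recently, which is exactly why an indented header
    disappears into the previous ruleset instead of starting its own.
    """
    rulesets, warnings = {}, []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].rstrip()   # drop comments and trailing blanks
        if not body.strip():
            continue                           # blank or comment-only line
        if body[0] not in " \t":               # unindented: a ruleset header
            current = body.strip()
            rulesets.setdefault(current, [])
            continue
        rule = body.strip()
        if current is None:
            warnings.append(f"line {lineno}: rule {rule!r} appears before any ruleset header")
            continue
        if looks_like_header(rule):
            warnings.append(f"line {lineno}: {rule!r} is indented, so it is read as a rule "
                            f"of ruleset {current!r} rather than as a new ruleset header")
        rulesets[current].append(rule)
    return rulesets, warnings


# Constructed sample: the header for peer 192.0.2.2 was indented by mistake.
SAMPLE = """\
# constructed sample filter file
192.0.2.1                   # ruleset for the peer at 192.0.2.1
    telnet/syn/send         # permit outbound telnet connection requests
    telnet/estab            # permit packets to established connections
    192.0.2.2               # MISTAKE: indented, so not recognised as a header
    !telnet/syn/recv        # intended for 192.0.2.2, lands in 192.0.2.1's ruleset
default
    !telnet/syn/recv        # block inbound telnet connection requests
    telnet                  # permit all other telnet packets
"""

if __name__ == "__main__":
    sets, problems = split_rulesets(SAMPLE)
    for header, rules in sets.items():
        print(header, rules)
    for problem in problems:
        print("WARNING:", problem)
```

Run against the sample, the parser finds rulesets for 192.0.2.1 and ‘default’ only; the intended 192.0.2.2 ruleset never exists, its single rule has been appended to the 192.0.2.1 ruleset, and the one warning points at the indented line that caused it. A check like this is cheap to run before a filter file is installed.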