Compatible Systems 5.4 User Manual

Chapter 11 - TCP/IP Filtering

193

The est keyword allows a rule to be written in which an external
connection to a particular port is not allowed, but two-way traffic
established by an internal machine will pass through the device.

The device performs this operation by examining the flags in the TCP
header. When a session is being established, the first packet contains
only the "SYN" flag, while subsequent packets contain the "ACK" flag. A
permit packet filter rule using the est keyword will not match a packet
with only the "SYN" flag, so that packet is dropped. Unless another rule
allows it through, the "SYN" packet never reaches its destination, no
reply is returned to the sender, and a connection is never established.

Examples using the est keyword are shown later in this chapter.
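The following is an added illustration, not text or code from the Compatible Systems manual, of the decision the est keyword describes: a permit rule marked est is evaluated against the flag byte of the TCP header and refuses to match a packet that carries SYN without ACK. The rule structure, function names and the hand-built 20-byte TCP headers are assumptions made for this example; the real device's rule syntax is shown later in the chapter.

```python
"""Added example: how an est-style permit rule inspects TCP header flags.

Not the device's code. Packets below are constructed 20-byte TCP headers
with no options and no payload, built by hand so the example runs offline.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Flag bits in byte 13 of the TCP header (low six bits).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Rule:
    """Hypothetical rule: permit/deny on TCP destination port; est means
    'only match packets that already belong to an established session'."""
    action: str                 # "permit" or "deny"
    dst_port: Optional[int]     # None = any destination port
    est: bool = False


def tcp_flags(segment: bytes) -> int:
    """Return the six flag bits from a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    return segment[13] & 0x3F


def tcp_dst_port(segment: bytes) -> int:
    """Destination port is the second 16-bit big-endian field."""
    return struct.unpack_from("!H", segment, 2)[0]


def rule_matches(rule: Rule, segment: bytes) -> bool:
    """Apply one rule to one TCP segment."""
    if rule.dst_port is not None and tcp_dst_port(segment) != rule.dst_port:
        return False
    if rule.est and not (tcp_flags(segment) & TCP_ACK):
        # No ACK yet: this is the first packet of a new connection (SYN alone),
        # which an est rule deliberately refuses to match.
        return False
    return True


def filter_decision(rules: List[Rule], segment: bytes) -> str:
    """First matching rule wins; an unmatched packet is denied."""
    for rule in rules:
        if rule_matches(rule, segment):
            return rule.action
    return "deny"


def make_tcp(src_port: int, dst_port: int, flags: int) -> bytes:
    """Construct a minimal TCP header: ports, seq/ack = 0, data offset 5,
    given flag bits, window 65535, checksum and urgent pointer zeroed."""
    data_offset = 5 << 4          # five 32-bit words, upper nibble of byte 12
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset, flags, 65535, 0, 0)


# Constructed inbound ruleset: permit only traffic of sessions that an
# internal host already set up; everything else falls to the implicit deny.
INBOUND_RULES = [Rule("permit", None, est=True)]


def demo() -> dict:
    """Run three constructed inbound packets through the ruleset."""
    return {
        # External host tries to open a connection to internal port 22.
        "external SYN to 22": filter_decision(INBOUND_RULES, make_tcp(40000, 22, TCP_SYN)),
        # Reply to a connection an internal host opened to an external web server.
        "SYN/ACK reply": filter_decision(INBOUND_RULES, make_tcp(80, 51000, TCP_SYN | TCP_ACK)),
        # Data segment of that established session.
        "ACK/PSH data": filter_decision(INBOUND_RULES, make_tcp(80, 51000, TCP_ACK | TCP_PSH)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} -> {verdict}")
```

The SYN-only packet is the only one of the three that never acquires an ACK bit, so it is the only one the est rule declines to match; with no other rule permitting it, it is dropped and the external connection attempt fails exactly as the text describes.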

UDP
or UDP src <expression> <port>
or UDP dst <expression> <port>
This modifier allows filtering on UDP (User Datagram Protocol)
packets. A source or destination port may be filtered by including the
optional src and dst specifiers, followed by a logical expression and a
port (as described in the subsection above).

Note: CompatiView uses UDP port 33020. Care should be taken not to
deny this port if CompatiView configuration is desired.

ICMP
or ICMP type <expression> <port>
This modifier allows filtering on ICMP (Internet Control Message
Protocol) packets. The ICMP type may be filtered by using the type
specifier and the list of types from the subsection above.

GRE
This modifier allows filtering on GRE (Generic Routing Encapsulation)
packets. GRE provides a simple, general purpose mechanism to
encapsulate network protocols into IP for the purpose of tunneling
across the Internet.

Note: If VPN tunneling without authentication is enabled on an interface
to which an IP filter is applied, then the filter must specifically permit GRE
packets.

AH
This modifier allows filtering on AH (Authentication Header) packets.
AH is used for authentication of tunneled packets across the Internet.
