Keep history – Verilink 8100A (34-00237) Product Manual User Manual

Page 303

Applications Notes

D-11

sents one of the possible flags that can be set in the TCP header.
The association is as follows:

F - FIN
S - SYN
R - RST
P - PUSH
A - ACK
U - URG

The various flag symbols may be used in combination, so that "SA" would
represent a SYN-ACK combination present in a packet. There is nothing
preventing the specification of combinations, such as "SFR", that would not
normally be generated by law-abiding TCP implementations. However, to
guard against weird aberrations, it is necessary to state which flags you are
filtering against. To allow this, it is possible to set a mask indicating which
TCP flags you wish to compare (i.e., those you deem significant). This is
done by appending "/<flags>" to the set of TCP flags you wish to match
against, e.g.:

flags S
becomes "flags S/AUPRFS" and will match packets with ONLY the
SYN flag set.

flags SA
becomes "flags SA/AUPRFS" and will match any packet with only
the SYN and ACK flags set.

flags S/SA
will match any packet with just the SYN flag set out of the SYN-
ACK pair; the common "establish" keyword action. "S/SA" will
NOT match a packet with BOTH SYN and ACK set, but WILL
match "SFP".
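The match/mask semantics described above, modelled as an added example in Python (illustration only, not code from the Verilink manual or from any filter implementation); the bit values assigned to each flag letter are an assumption used only so that the comparison can be computed:

```python
# Added example: a model of the "flags <match>[/<mask>]" rule semantics.
# The bit value chosen for each letter is an assumption for illustration.
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = "AUPRFS"  # the mask applied when a rule gives none


def flag_bits(letters):
    """Translate a string of flag letters such as "SA" into a bit set."""
    bits = 0
    for letter in letters.upper():
        if letter not in TCP_FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter: {letter!r}")
        bits |= TCP_FLAG_BITS[letter]
    return bits


def parse_flags_spec(spec):
    """Parse "S", "SA" or "S/SA" into (match_bits, mask_bits).

    A spec without "/" is treated as "<flags>/AUPRFS", i.e. every flag is
    significant and the packet must carry exactly the listed flags.
    """
    match_part, _, mask_part = spec.partition("/")
    mask = flag_bits(mask_part if mask_part else ALL_FLAGS)
    match = flag_bits(match_part) & mask  # only masked flags are compared
    return match, mask


def rule_matches(spec, packet_flags):
    """True when the packet's flags, restricted to the mask, equal the match set."""
    match, mask = parse_flags_spec(spec)
    return (flag_bits(packet_flags) & mask) == match


def matching_packets(spec, packets):
    """Return the subset of a list of packet flag strings that the rule matches."""
    return [p for p in packets if rule_matches(spec, p)]


if __name__ == "__main__":
    # Constructed sample packets covering the cases discussed in the text.
    samples = ["S", "SA", "SFP", "A", "SFR"]
    for rule in ("S", "SA", "S/SA"):
        print(f"flags {rule:<5} matches {matching_packets(rule, samples)}")
```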

icmp-type

is only effective when used with proto icmp and must NOT be
used in conjunction with flags. ICMP types can be referred to either
by an abbreviation recognized by this rule language or by their
numeric value. The most important from a security point of view is
the ICMP redirect.

Keep History

The last parameter which can be set for a filter rule is whether or not to
record historical information for that packet, and what sort to keep. The
following information can be kept:

state

keeps information about the flow of a communication session. State
can be kept for TCP, UDP, and ICMP packets.

frags

keeps information on fragmented packets, to be applied to later
fragments.
