Zhone 2000 User Guide
Application Notes
259
sents one of the possible flags that can be set in the TCP header.
The association is as follows:
F - FIN
S - SYN
R - RST
P - PUSH
A - ACK
U - URG
The various flag symbols may be used in combination, so that "SA" would
represent a SYN-ACK combination present in a packet. There is nothing
preventing the specification of combinations, such as "SFR", that would not
normally be generated by law-abiding TCP implementations. However, to
guard against weird aberrations, it is necessary to state which flags you are
filtering against. To allow this, it is possible to set a mask indicating which
TCP flags you wish to compare (i.e., those you deem significant). This is
done by appending "/<flags>" to the set of TCP flags you wish to match
against, e.g.:
flags S
becomes "flags S/AUPRFS" and will match packets with ONLY the
SYN flag set.
flags SA
becomes "flags SA/AUPRFS" and will match any packet with only
the SYN and ACK flags set.
flags S/SA
will match any packet with just the SYN flag set out of the SYN-
ACK pair; the common "establish" keyword action. "S/SA" will
NOT match a packet with BOTH SYN and ACK set, but WILL
match "SFP".
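The flag/mask comparison described above, written out as an added example (this is not code from the Zhone guide or from IPFilter itself): a rule's "flags <match>/<mask>" expression is evaluated by masking the packet's TCP flags with the significant set and comparing the result to the flags to match, with AUPRFS as the mask when none is given. The flag letters and the three example rules are the ones on this page; the packet flag strings fed in are constructed test input.

```python
# Added example: evaluate an IPFilter-style "flags <match>/<mask>" expression
# against the TCP flags carried by a packet. Flag letters follow the page's
# association table; the bit values are the standard TCP header flag bits.

TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
DEFAULT_MASK = "AUPRFS"  # with no "/mask", all six flags are significant


def flags_to_bits(letters: str) -> int:
    """Convert a string of flag letters such as "SA" into a bitmask."""
    bits = 0
    for letter in letters.upper():
        if letter not in TCP_FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter: {letter!r}")
        bits |= TCP_FLAG_BITS[letter]
    return bits


def parse_flags_spec(spec: str) -> tuple[int, int]:
    """Parse "S", "SA" or "S/SA" into (bits_to_match, significant_mask).

    "flags S" is treated exactly like "flags S/AUPRFS", as the page states.
    """
    match, _, mask = spec.partition("/")
    if not mask:
        mask = DEFAULT_MASK
    return flags_to_bits(match), flags_to_bits(mask)


def flags_match(spec: str, packet_flags: str) -> bool:
    """True if a packet carrying packet_flags satisfies the rule's flags spec.

    Only the flags named in the mask are compared; all others are ignored.
    That is why "S/SA" accepts a packet with "SFP" set but rejects "SA".
    """
    match_bits, mask_bits = parse_flags_spec(spec)
    return (flags_to_bits(packet_flags) & mask_bits) == match_bits


if __name__ == "__main__":
    # Constructed packets checked against the three rules shown on the page.
    for rule in ("S", "SA", "S/SA"):
        for pkt in ("S", "SA", "SFP", "A"):
            print(f"flags {rule:5} vs packet {pkt:3}: {flags_match(rule, pkt)}")
```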
icmp-type is only effective when used with proto icmp and must NOT be
used in conjunction with flags. There are a number of types, which
can be referred to by an abbreviation recognized by this language,
or the numbers with which they are associated can be used. The
most important from a security point of view is the ICMP redirect.
Keep History
The last parameter which can be set for a filter rule is whether or not to
record historical information for that packet, and what sort to keep. The
following information can be kept:
state
keeps information about the flow of a communication session. State
can be kept for TCP, UDP, and ICMP packets.
frags
keeps information on fragmented packets, to be applied to later fragments.