Zhone 2004 User Guide

2000-A2-GB22-00
Multiple consecutive "with" clauses are allowed. Alternatively, the keyword 
"and" may be used in place of "with"; this is provided purely to make the rules 
more readable ("with ... and ..."). When multiple clauses are listed, all of 
them must match for the rule to match.
flags
is only effective for TCP filtering. Each of the possible letters 
represents one of the flags that can be set in the TCP header. 
The association is as follows:
F - FIN
S - SYN
R - RST
P - PUSH
A - ACK
U - URG
The various flag symbols may be used in combination, so that "SA" would 
represent a SYN-ACK combination present in a packet. There is nothing 
preventing the specification of combinations, such as "SFR", that would not 
normally be generated by law-abiding TCP implementations. However, to 
guard against weird aberrations, it is necessary to state which flags you are 
filtering against. To allow this, it is possible to set a mask indicating which 
TCP flags you wish to compare (i.e., those you deem significant). This is 
done by appending "/<flags>" to the set of TCP flags you wish to match 
against, e.g.:
flags S
becomes "flags S/AUPRFS" and will match packets with ONLY the 
SYN flag set.
flags SA
becomes "flags SA/AUPRFS" and will match any packet with only 
the SYN and ACK flags set.
flags S/SA
will match any packet with just the SYN flag set out of the SYN-
ACK pair; the common "establish" keyword action.  "S/SA" will 
NOT match a packet with BOTH SYN and ACK set, but WILL 
match "SFP".
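The flag/mask comparison described above, as an added example that is not part of the original guide or of the product's code. The function names are hypothetical; the bit values are the standard TCP header flag bits, and a clause without a mask is given the default mask AUPRFS as the text states.

```python
# Added example: models the "flags <set>/<mask>" comparison from the text.
# Function names are hypothetical (not from the guide).
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = "AUPRFS"  # default mask when the rule gives none


def to_bits(letters):
    """Convert a string of flag letters such as "SA" to a bit field."""
    bits = 0
    for ch in letters:
        if ch not in TCP_FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter: {ch!r}")
        bits |= TCP_FLAG_BITS[ch]
    return bits


def parse_flags_clause(spec):
    """Split "S/SA" into (wanted_bits, mask_bits); no mask means all six flags."""
    wanted, _, mask = spec.partition("/")
    return to_bits(wanted), to_bits(mask or ALL_FLAGS)


def flags_match(spec, packet_flags):
    """True if the packet's flags, restricted to the mask, equal the wanted set.

    Flags outside the mask are ignored, which is why "S/SA" matches "SFP".
    A wanted flag that is not in the mask can never compare equal, so such a
    clause matches nothing.
    """
    wanted_bits, mask_bits = parse_flags_clause(spec)
    return (to_bits(packet_flags) & mask_bits) == wanted_bits


if __name__ == "__main__":
    # Constructed packets, written as flag letters.
    for spec in ("S", "SA", "S/SA"):
        for pkt in ("S", "SA", "SFP", "A", "SFR"):
            print(f"flags {spec:<5} packet {pkt:<4} -> {flags_match(spec, pkt)}")
```
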
icmp-type
is only effective when used with proto icmp and must NOT be 
used in conjunction with flags. There are a number of types, which 
can be referred to by an abbreviation recognized by this language, 
or the numbers with which they are associated can be used. The 
most important from a security point of view is the ICMP redirect.
Keep History
The last parameter which can be set for a filter rule is whether or not to 
record historical information for that packet, and what sort to keep. The 
following information can be kept: