Firewall Properties, Values, and Actions

This section provides more detailed descriptions of the properties, values, and actions used to build firewall rules.

Properties and Values

Properties specify a characteristic of a packet or firewall rule to be matched. In addition to specifying a property and a value, we specify the relationship between them to form a predicate that is either true or false. The following properties are recognized at this time.

Any - use this property to match any packet. This is convenient for grouping rules or attaching additional actions that don’t need to match any further conditions.

None - use this property to not match any packet.

Direction - use this property to specify the direction of network traffic. Inbound means from a network to the TCP/IP stack. Outbound means from the TCP/IP stack to a network.

Interface - use this property to match which networt port or data link a packet is traversing such as "en0" for Ethernet built-in. You can also match the "external" or "internal" attribute of the corresponding interface. It is common to treat packets arriving from an "external" interface differently from those traversing an "internal" interface. If you have more than one internal or external interface, it is easier to match this attribute than list all the corresponding network ports.

Include - use this property to search whether a packet matches information included within a dynamic state table such as the triggered address table, keep address table, authorize address table, or connection state table.

Source MAC Address - use this property to specify an Ethernet Hardware Address that matches the source MAC (Media Access Control) address in the link layer frame header. The hardware address of the attached Ethernet interfaces is listed for you under the value popup. You can list the hardware addresses of other hosts on your LAN using the Address Scan tool to perform a “Look Around” scan.

Destination MAC Address - use this property to specify an Ethernet Hardware Address that matches the destination MAC (Media Access Control) address in the link layer frame header. The hardware address of the attached Ethernet interfaces is listed for you under the value popup. You can list the hardware addresses of other hosts on your LAN using the Address Scan tool to perform a “Look Around” scan.

Source Net - use this property to specify a single IP address or network range that matches the source IP address of a packets IP header. Network ranges can be specified as address1-address2 or address/prefix_length. The directly attached networks are listed for you under the value popup.

Destination Net - use this property to specify a single IP address or network range that matches the destination IP address of a packets IP header Network ranges can be specified as address1-address2 or address/prefix_length. The directly attached networks are listed for you under the value popup.

Protocol - use this property to specify the protocol number that appears in a packets IP header. The protocol values for TCP, UDP, ICMP, and GRE are listed for you under the value popup.

Fragment Offset - use this property to specify the fragment offset that appears in a packets IP header. Typical values are listed for you under the value popup.

IP Options - use this property to specify the IP option numbers that appear in a packets IP header. Typical option values are listed for you under the value popup. Note the option name in parenthesis is ignored. You can list more than one option as a comma separated list. If the specified relation is equal, packets that contain all the listed options will match. If the specified relation is not equal, packets that contain none of the specified options will match.

ICMP Type - use this property to specify the ICMP type that appears in a packets ICMP header. Typical values are listed for you under the value popup.

ICMP Code - use this property to specify the ICMP code that appears in a packets ICMP header. Typical values are listed for you under the value popup.

TCP Header Flags - use this property to specify the TCP header flags that appear in a packets TCP header. Typical values are listed for you under the value popup. You can list more than one flag as a comma separated list. Flags preceded by a minus sign must be turned off in the TCP header. Flags listed without a minus sign must be turned on. Flags not listed can be either off or on. This property checks for protocol=TCP, so you don’t need to test this in a separate step.

TCP Options - use this property to specify the TCP option numbers that appear in a packets TCP header. Typical option values are listed for you under the value popup. Note the option name in parenthesis is ignored. You can list more than one option as a comma separated list. If the specified relation is equal, packets that contain all the listed options will match. If the specified relation is not equal, packets that contain none of the specified options will match. This property checks for protocol=TCP, so you don’t need to test this in a separate step.

Source Port - use this property to specify a single protocol port or range of protocol ports that matches the source port of a packets TCP or UDP header. Port ranges can be specified as port1-port2. Typical values are listed for you under the value popup.

Destination Port - use this property to specify a single protocol port or range of protocol ports that matches the destination port of a packets TCP or UDP header. Port ranges can be specified as port1-port2. Typical values are listed for you under the value popup.

Data Content - use this property to specify a string of characters you want to match within the TCP or UDP packet data. Typical values are shown for you under the value popup. By default, the first 64 bytes of data content will be examined. You can specify an optional search starting position (search offset), search length, and terminating character in square brackets as shown. If you precede the search offset by a plus (+) or minus (-) sign, it becomes a relative offset from the last position in this packet that was matched. For example, you could search for the string “Host:” from position 100-300 as “[100,200]Host:”, and then search for a URL that immediately follows containing xxx as “[+5,128,13]xxx”. xxx must appear within the next 128 characters following “Host:” up to the first carriage return (character code 13). If you specify relation “a=A”, matching is not case sensitive.

URL Keyword - use this property to search for keywords that appear within a HTTP (web site) URL. Some typical values are listed for you under the value popup. For example, you could specify “doubleclick.net” to block banner advertisements from this aggregator.

Time of Day - use this property to restrict or allow specified network traffic based on the time of day. Typical values are shown for you under the value popup. Notice all times are specified in 24-hour format.

Day of Week - use this property to restrict or allow specified network traffic based on the day of the week. Typical values are shown for you under the value popup.

Date and Time - use this property to restrict or allow specified network traffic up to a designated date and time A recent date and time is shown as an example under the value popup. Using this property, you can create temporary rules that expire at a specified time. For example, you might want to allow a guest to access your network for a limited time. By having the rule expire automatically, you don’t have to remember to remove it later.

Idle Seconds - use this property to notify you if a rule has not been matched for some specified interval. Notice this rule can be matched without a packet being present. Idle time is normally checked every 10 seconds. If the rule matches the idle time will be reset to zero so it can match periodically at the specified interval.

Parent Idle Seconds - use this property to notify you if the parent rule has not been matched for some specified interval. Notice this rule can be matched without a packet being present. We test the idle seconds of the parent rule that looks for specified traffic once every 10 seconds so this rule can be used to specify an idle interval. If the parent rule specifies the “Include” property, we test against the match count of the corresponding table entry if any.

Parent Match Count - use this property to notify you if the parent rule has been matched a specified number of times. We test the match count of the parent rule that looks for specified traffic so this rule can be used to specify the match count. If the parent rule specifies the “Include” property, we test against the match count of the corresponding table entry if any.

Parent Byte Count - use this property to notify you if the parent rule has been matched by network traffic containing a specified number bytes (amount of traffic). We test the byte count of the parent rule that looks for specified traffic so this rule can be used to specify the byte count.

Actions

Actions specify what action if any is to be taken when a firewall rule is matched. The following actions are supported at this time:

-> proceed to rule at the next level (child) if any.

Group begin a group of related rules.

Exit group skip to the end of the preceding Group.

Pass - allow this packet through without matching against other rules at the same or previous level. The Pass action is normally not logged.

Delete - delete this packet without matching against other rules at the same or previous level. The delete action is normally logged.

Reject - respond to this packet with a TCP RESET segment and then delete the original packet without matching against other rules at the same or previous level. The Reject action is normally logged. This action is intended to explicitly refuse connections. [Note: Reject should not be used on an interface that is set to promiscuous mode as it may refuse connections not addressed to this interface.]

Drop connection - drop the corresponding TCP connection to block access and clear the corresponding TCP connection state. For inbound packets, dropping the connections sends a TCP RESET to the local endpoint. For outbound packets, dropping the connection sends a TCP FIN segment as a response to the local endpoint and deletes the original packet. If the outbound packet is a web request, a “Blocked by IPNetSentry” page is displayed. The drop connection action is normally logged.

Keep Address - add the packets source IP address to the Keep Address table. Normally addresses remain in the Keep Address table for 1 hour or until pushed out by more recently used entries. You can examine or modify the Keep Address table using the “Triggered” tab view to examine entries of type “address”.

Authorize - add the packets source IP address to the Authorize address table. Normally addresses remain in the Authorize address table for 1 hour or until pushed out by more recently used entries. You can examine or modify the Authorize address table using the “Triggered” tab view to examine entries of type “authorize”.

Trigger - add the packets source IP address to the Triggered Address table and delete the original packet. Normally addresses remain in the Triggered Address table for 1 hour or until pushed out by more recently used entries. The Triggered Address table can hold up to 2000 entries. You can examine or modify the Triggered Address table and delete individual addresses using the “Triggered” tab view. The trigger action is normally logged.

Delay - hold this packet for approximately .75 seconds before delivering normally. This action can be used to ignore promiscuous resets from a hostile firewall. Some firewalls can send TCP RESET segments when denying access. If the interface running such a firewall is set to promiscuous mode, the firewall may send TCP RESET segments in response to connection requests that were not originally addressed to that host. The symptom is frequent “Connection refused” responses when trying to access remote servers. By delaying such TCP RESET segments, we allow the actual target of the connection request (if any) to respond first completing the connection process. When the RESET arrives, it will be safely ignored as out of order if the target host has already responded. The Delay Table can hold up to 30 packets at which point the firewall will simply log that the delay table is full. This prevents delayed packets from consuming vast amounts of kernel memory.

Rate Limit In/Out - allows you to specify the maximum bandwidth (bits/second) available to matching TCP/IP connections. The bandwidth is specified in the parameter field. You can use “K” or “M” immediately following a string of digits to specify Kilobytes or Megabytes as in “100K” or “1M”. IPNetSentryX provides TCP rate limiting (pacing) by adjusting the advertised window size of packets from corresponding matching connections. As packets match a Rate Limit rule, the corresponding connection table entry is set to point to that rule. When the connection table is aged, a tally of the active connections (that exceed a traffic threshold) is calculated for that rule and the available bandwidth is divided evenly among the corresponding connections. See Application Note 1006: Using Bandwidth Allocation for more information.

Route to - allows you to specify the IP address of the next hop router or gateway (must be on a directly attached IP subnet). Routing in TCP/IP is normally based on the destination IP address. The "Route to" action allows you to override this default behavior based on any packet attributes you select such as the protocol port or service (Email, Web, FTP, etc.).

Log - log this packet. Note the Log action does not prevent the packet from being matched against other rules at the same or previous levels. Subsequent rules may specify additional actions. You can choose the logging format in the Preferences window. The options are:

“Property List” which provides detailed packet information as a NeXT style property list that is easily parsed by other programs;

“Text” which provides detailed packet information in an easy to read form.

“Unix System Log (ipfw)” which follows the common Unix System Log format for compatibility with other unix utilities. This format can be used with Open Door Networks “Who’s There” firewall advisor.

Logged text is normally buffered in memory to avoid frequent disk access. Use the Preferences window to specify what should be done when the log buffer becomes full. Options include save to disk or send as E-mail.

Don’t log - mark this packet so it will not be logged by a subsequent leaf action such as delete. This action allows you to silently delete known unwanted packets. Any leaf action that would normally log a packet can be made silent by including this action as one of its parents or children. Notice that when a matching rule specifying a leaf action such as delete is encountered, any children of that rule will still be matched before the leaf action is performed. This allows you do specify multiple actions for a single condition. See Terminating and Multiple Actions under “IPNetSentryX Firewall Concepts.”

Alert - display an on-screen alert indicating which rule was matched (by number, name, and parameter).

E-mail - send an E-mail message with the corresponding log entry and subject “IPNetSentry Security Alert”. If the Parameter field contains an E-mail address, the message will be sent to that destination. Otherwise the message is sent to the log file destination specified in the Preferences window. This allows you to alert different administrators or take different actions based on what rule was matched. Many cell phones can be used as a pager by e-mailing a short message.

URL - try to invoke the URL specified in the parameter field. Currently this recognizes URLs of the form:

to invoke a network probe. Other URL schemes are passed on to Mac OS X’s launch services to be opened by an appropriate helper application.

In some cases, Launch Services may not be configured to launch the desired application. In this case, you can use the More Internet Pref panel <http://www.monkeyfood.com/software/moreInternet/> to examine or change the mapping of URL schemes to helper applications. Alternatively, you can examine ~/library/preferences/com.apple.LaunchServices.plist to remove the previous mapping and then launch the desired application to register a new one.

Reset Parent - reset the match count of the parent rule to zero. You can use this action to create rules that notify you only once each time a server goes quiet. Consider the following example:

Rules that test for server response
If (parent idle time > 2 minutes) URL“scan” to send a probe
if (parent idle time > 4 minutes) ->
if (parent match count == 1) send E-mail “server is down”
if (parent idleTime > 1 hour) reset parent
The first rule (and its ancestors) look for a specific server response. If the response has not been seen in over 2 minutes, send a network probe. The probe is repeated every 10 seconds when the idle time is checked until the first rule detects a server response. If there is still no response after 4 minutes (2 minutes of probing), proceed to the next child. If this is the first time the server failed to respond, send an E-mail reporting the server is down. Finally, if the server has been responding for over an hour (the 3rd rule is no longer being matched), reset the match count of the parent so we can be notified again if the server goes quiet.

AppleScript - execute an AppleScript to perform other notification actions. Use the Default AppleScript file specified in the preferences window, or a file in the same directory whose filename is specified in the Parameter field.


Previous | Next | Return to IPNetSentryX Help