
Permit Established with ACLs


Userlevel 4
Create Date: Jul 10 2012 3:50AM

On ExtremeWare, the ACLs used to have an option to "permit established". Actually this was a complete misnomer, because what it did was "deny not established", but anyway, I can't find an equivalent in the XOS policy file configuration. Do I have to hand-craft this, or is there a ready-made option?

I'm thinking I could permit any packet with the ACK bit set to allow established packets through, or I could deny SYN-but-no-ACK to prevent a socket being set up. Actually they are kind of the same when I think about it.

The problem is I also can't see how to do a bitwise test on the TCP flags, i.e. a test on just one bit in the first case or a test on two bits in the second case, masking off just those bits.

Any ideas? (from David_Rickard)

4 replies

Userlevel 4
Create Date: Jul 10 2012 5:22AM

entry ackrst {
    if { protocol tcp; TCP-Flags 0x14; }
    then { count ackrst; }
}

Closest I could get to bitwise. That will watch for ACKRST.

(from Richard_Porter)

Userlevel 4
Create Date: Jul 10 2012 5:37AM

Hi Richard.

That's kind of my question. Is that not testing the state of the byte i.e. the byte value is 0x14 so if another unrelated bit is set, it would fail to match?

In order to detect established connections, I need to test the ACK bit but I don't care what the other bits are doing. As the TCP flags test is designed to test bits, I would have assumed it tests the state of only the bit specified in the test, but it's not clear whether this is the case or not.

Cheers

(from David_Rickard)
Userlevel 4
Create Date: Jul 12 2012 3:42AM

My interpretation of how it should be: (Not tested)

entry PermitEstablished1 {
    @description "Allow ACK packets in as from established connections"
    if {
        protocol tcp;
        tcp-flags ACK;                  # Existing connections use ACK
        destination-port 1024-65535;    # high destination port
    }
    then {
        permit;
    }
}

entry PermitEstablished2 {
    @description "Allow RST packets in as from established connections"
    if {
        protocol tcp;
        tcp-flags RST;                  # Existing connections RST
        destination-port 1023-65535;    # high dest port
    }
    then {
        permit;
    }
}

(from David_Rickard)
Userlevel 4
Create Date: Jul 12 2012 3:50AM

No, nothing I can do will make the forum format that properly. (from David_Rickard)
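The open question in this thread is whether a TCP-flags match compares the whole flags byte or only the bits named. The following added example (not from the thread or from Extreme Networks) models both interpretations in Python and runs the two "permit established" formulations from the original question over a constructed set of packets, so the cases where they differ are visible. The packet set and the helper names are assumptions for illustration.

```python
# Added example: models "exact byte match" versus "per-bit mask" semantics for a
# TCP-flags test, and the two permit-established formulations from the question.
# Flag bit values are the standard TCP header bits (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed sample packets: (label, flags byte). Not captured traffic.
SAMPLE_PACKETS = [
    ("SYN (new connection)",      SYN),
    ("SYN+ACK (handshake reply)", SYN | ACK),
    ("ACK (bare)",                ACK),
    ("PSH+ACK (data)",            PSH | ACK),
    ("FIN+ACK (close)",           FIN | ACK),
    ("RST+ACK (refused)",         RST | ACK),
    ("RST (bare)",                RST),
    ("none (no flags set)",       0),
]

def exact_match(flags: int, value: int) -> bool:
    """Interpretation 1: the whole flags byte must equal value (e.g. TCP-Flags 0x14)."""
    return flags == value

def bits_set(flags: int, mask: int) -> bool:
    """Interpretation 2: every bit in mask is set; all other bits are ignored."""
    return (flags & mask) == mask

def permit_established_ack(flags: int) -> bool:
    """Formulation 1: permit any packet with the ACK bit set."""
    return bits_set(flags, ACK)

def deny_syn_without_ack(flags: int) -> bool:
    """Formulation 2: deny SYN without ACK; returns True when the packet is permitted."""
    return not (bits_set(flags, SYN) and not bits_set(flags, ACK))

def compare(packets=SAMPLE_PACKETS) -> dict:
    """Evaluate every packet under each test; returns label -> {test: bool}."""
    result = {}
    for label, flags in packets:
        result[label] = {
            "exact_0x14": exact_match(flags, RST | ACK),   # the ackrst entry above
            "mask_ACK": bits_set(flags, ACK),              # bitwise ACK test
            "rule_permit_ack": permit_established_ack(flags),
            "rule_deny_syn_noack": deny_syn_without_ack(flags),
        }
    return result

if __name__ == "__main__":
    for label, r in compare().items():
        print(f"{label:27s} {r}")
```

Under exact-byte semantics the 0x14 entry matches only a bare RST+ACK and misses PSH+ACK or FIN+ACK, which is the failure the second post worries about; the two formulations also disagree on packets carrying neither SYN nor ACK (bare RST, no flags), which "permit ACK" drops and "deny SYN without ACK" lets through. Which semantics the XOS tcp-flags match actually applies is not settled in this thread, so verify it on the platform before relying on either rule.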
