Firewall rules - Advanced


The first part - Match Extensions - checks packets against the configured values. If a packet matches these values, the rule matches and the packet is treated in the configured way.

Options in this context:

Fragmentation: Choose a value from this select box if you want to check whether a packet is a fragment of a larger packet. Packets that exceed a certain size limit are fragmented (divided into smaller parts). You can select one of the following values:

       none: Choose this option if you don't want to check for fragmentation.
       not fragmented: Choose this option if you want to match packets that are not fragmented.
       fragmented: Choose this option if you want to match fragmented packets.

If, for example, a packet has been divided into three smaller packets, a fragmentation bit is set in the second and the third packet. If you have chosen fragmented, these two packets are filtered. If you have chosen not fragmented, only the first packet is filtered.

MAC-Source: Enter a source MAC-address in this textfield if you want to filter on specific MAC-addresses. Each network interface is identified by a unique identifier consisting of six hexadecimal numbers, in which the manufacturer and the type of network are encoded. Note that the source MAC-address is only visible for packets that arrive directly from the local network segment; once a packet has been routed, it carries the address of the last router instead. Restricting on MAC-address means a significant increase of security but also a lot of maintenance.

Limit: This option lets you filter packets according to their frequency of occurrence. If, for example, requests from a certain IP address to different ports of Gibraltar increase rapidly, you can configure a limit up to which the rule matches. Once the number of requests exceeds the configured limit, the rule no longer matches. Possible values for the timeframe are /second, /minute, /hour or /day. The additional value Limit burst lets you allow a short burst of packets (e.g. establishing a connection) before the limit takes effect.

The limit option is easily explained by picturing a container with a hole in the bottom, holding a certain number of objects. As long as there are objects in the container, the rule matches. At the beginning the number of objects in the container equals the number you configured for Limit burst. For each incoming packet, one object falls through the hole. Objects are refilled at the configured rate: as long as the limit has not been used up within the timeframe, the number of objects increases by one. Once the container is empty, the rule no longer matches.

Example for application: Protection against DoS attacks (SYN flood, Ping of Death)
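The container described above is a token bucket. As an added illustration that is not part of this page or of Gibraltar's own code, here is a small Python model of the Limit / Limit burst behaviour; it assumes continuous refilling at limit/timeframe objects per second and takes packet arrival times in seconds.

```python
from dataclasses import dataclass, field
from fractions import Fraction

# Seconds in each timeframe the select box offers (/second, /minute, /hour, /day).
PERIOD_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


@dataclass
class LimitMatch:
    """Model of the 'container with a hole' (a token bucket).

    limit/timeframe: refill rate, e.g. 3 per "minute".
    burst: capacity of the container (Limit burst); it starts full.
    Fractions keep the arithmetic exact for the assertions below.
    """
    limit: int
    timeframe: str
    burst: int = 5
    tokens: Fraction = field(init=False)
    last_seen: Fraction = field(init=False, default=Fraction(0))

    def __post_init__(self) -> None:
        # Objects added to the container per second (assumed continuous refill).
        self.rate = Fraction(self.limit, PERIOD_SECONDS[self.timeframe])
        self.tokens = Fraction(self.burst)  # container is full at the start

    def matches(self, now) -> bool:
        """Return True if a packet arriving at time `now` (seconds) matches."""
        now = Fraction(now)
        # Refill for the elapsed time, never above the burst capacity.
        refilled = self.tokens + (now - self.last_seen) * self.rate
        self.tokens = min(Fraction(self.burst), refilled)
        self.last_seen = now
        if self.tokens >= 1:
            self.tokens -= 1  # one object falls through the hole
            return True
        return False  # container empty: the rule no longer matches


def apply_limit(limit, timeframe, burst, arrival_times):
    """Evaluate a list of packet arrival times (constructed sample input)."""
    bucket = LimitMatch(limit, timeframe, burst)
    return [bucket.matches(t) for t in arrival_times]


if __name__ == "__main__":
    # Constructed sample: limit 3/minute, burst 5, one packet per second then a pause.
    print(apply_limit(3, "minute", 5, [0, 1, 2, 3, 4, 5, 20, 40, 60]))
```

Packets matched while the container still holds objects are the ones the rule acts on; a flood that empties the container is simply no longer matched until the refill rate has added a new object.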

SPI: Enter a value if you want to match packets of the AH or ESP protocols based on their Security Parameter Index (SPI). Each IPSec function adds an additional header to the IP-packet. The SPI carried in this header is a numerical value that identifies which security association, and therefore which keys and algorithms, apply to the packet. A range can also be entered here; the start and end value are separated by a colon, and the start value has to be lower than the end value (e.g. 480:500).

Length: Enter a numerical value into this textfield to check the length of a packet. This value can either be a single value or a range of values, in which case the start and end value are separated by a colon and the start value has to be lower than the end value (e.g. 800:1000). Length is specified in bytes.

TTL: This value specifies the time to live, i.e. the number of hops a packet may travel on its way through the Internet. Packets whose TTL exceeds this value do not match the rule.

The second part - Package Modification - deals with modifying packets. Incoming packets can be modified in the following way.

TTL: Choose a value from this select box if you want to change the value of the TTL field.

none: Choose this option if you do not want to change the value of the TTL field.
set: Choose this option if you want to set the value of the TTL field.
inc: Choose this option if you want to increment the value of the TTL field.
dec: Choose this option if you want to decrement the value o
