Feature #7704
openfirewall: allow single packet rule to accept tcp connection
Description
The idea here is to allow a single rule to express:
- accept:hook
- directionality of connection initiator
- tcp state (3whs, established, etc.)
- match opposing side as well
Currently we can have:

    accept:hook tcp:all $HOME_NET any <> ... 22 (flow:not_established;)
    accept:hook tcp:all $HOME_NET any <> ... 22 (flow:established;)

But this doesn't enforce the direction of the 3whs.
One can also create a more complex ruleset like:

    accept:hook tcp:all $HOME_NET any -> any 22 (flags:S;)
    accept:hook tcp:all any 22 -> $HOME_NET any (flags:SA;)
    accept:hook tcp:all $HOME_NET any -> any 22 (flags:A; flow:not_established;)
    accept:hook tcp:all $HOME_NET any <> any 22 (flow:established;)
The idea is to allow proper TCP setup, directionality, bidirectionality, all in one rule. E.g. something like:

    accept:hook tcp:all $HOME_NET any \
        => \                                # <- similar to txdir
        any 22 \
        (tcp.session:setup,established;)    # <- allow 3whs, tfo, etc.
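As an added example (not Suricata code and not part of this issue), the Python model below runs constructed packet sequences through the three rulesets above: the two `<>`/flow rules, the four flags-based rules, and the proposed `=>` rule with `tcp.session:setup,established`. It makes the directionality gap concrete: a connection opened from the outside using source port 22 passes the `<>` ruleset but not the other two. The flow tracker, the rule matcher, the addresses and the packet sequences are all constructed for the example, and the semantics given to `=>`/`tcp.session` are an assumption taken from the description, since the keyword is only proposed here.

```python
"""Toy model of the three rulesets discussed in #7704 (added example, not Suricata code).

Rule matching is a hand-written approximation, and the `=>` / tcp.session rule follows
the semantics the description asks for; it is not an implemented keyword. Rules are
evaluated before a packet advances the flow tracker, so the third handshake packet is
still flow:not_established, as the issue's flags:A rule assumes.
"""
from collections import namedtuple
from dataclasses import dataclass

HOME_NET = {"10.0.0.5"}                  # constructed $HOME_NET
HOME, EXT = "10.0.0.5", "198.51.100.7"   # constructed client / server addresses
Pkt = namedtuple("Pkt", "src sport dst dport flags")   # flags: exact set, e.g. "S", "SA", "PA"

@dataclass
class Flow:
    initiator: tuple   # (ip, port) that sent the flow's first packet
    state: str         # syn -> synack -> established, or midstream

def flow_key(p):
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

def directional(p, lhs_home, port):
    """`$HOME_NET any -> any <port>` if lhs_home, else `any <port> -> $HOME_NET any`."""
    if lhs_home:
        return p.src in HOME_NET and p.dport == port
    return p.sport == port and p.dst in HOME_NET

def bidir(p, port):
    """`$HOME_NET any <> any <port>`: the header in either orientation."""
    return directional(p, True, port) or directional(p, False, port)

def ruleset_bidir_flow(flows, p):
    """Two `<>` rules (flow:not_established, flow:established) cover every flow
    state, so the verdict reduces to the direction-agnostic header match."""
    return bidir(p, 22)

def ruleset_flags(flows, p):
    """Four rules pinning the handshake direction with flags:."""
    f = flows.get(flow_key(p))
    established = f is not None and f.state == "established"
    if directional(p, True, 22) and p.flags == "S":
        return True
    if directional(p, False, 22) and p.flags == "SA":   # as written: no flow: keyword
        return True
    if directional(p, True, 22) and p.flags == "A" and not established:
        return True
    return bidir(p, 22) and established

def ruleset_session(flows, p):
    """Assumed meaning of `$HOME_NET any => any 22 (tcp.session:setup,established;)`:
    only a SYN matching the header left-to-right may open the flow; after that both
    directions of the handshake and of the established session are accepted."""
    f = flows.get(flow_key(p))
    if f is None:
        return p.flags == "S" and directional(p, True, 22)
    return f.state != "midstream" and f.initiator[0] in HOME_NET

def advance(flows, p):
    """Flow-tracker update for an accepted packet; dropped packets never reach the
    peer, so they must not move the handshake along."""
    k = flow_key(p)
    f = flows.get(k)
    if f is None:
        flows[k] = Flow((p.src, p.sport), "syn" if p.flags == "S" else "midstream")
    elif f.state == "syn" and (p.src, p.sport) != f.initiator and p.flags == "SA":
        f.state = "synack"
    elif f.state == "synack" and (p.src, p.sport) == f.initiator and p.flags == "A":
        f.state = "established"

def run(ruleset, pkts):
    """Per-packet verdicts (True = accepted) for one ruleset over one packet sequence."""
    flows, verdicts = {}, []
    for p in pkts:
        ok = ruleset(flows, p)
        verdicts.append(ok)
        if ok:
            advance(flows, p)
    return verdicts

def c2s(flags): return Pkt(HOME, 40000, EXT, 22, flags)   # $HOME_NET client -> server:22
def s2c(flags): return Pkt(EXT, 22, HOME, 40000, flags)   # server:22 -> $HOME_NET client

# Constructed traffic: the session the rules are meant to allow, then two sequences
# that a direction-agnostic ruleset lets through as well.
SCENARIOS = {
    "outbound_ssh": [c2s("S"), s2c("SA"), c2s("A"), c2s("PA"), s2c("PA")],
    "inbound_from_sport22": [s2c("S"), c2s("SA"), s2c("A")],   # outside opens the connection
    "stray_synack": [s2c("SA")],                               # SYN-ACK with no prior SYN
}
RULESETS = {"bidir_flow": ruleset_bidir_flow, "flags": ruleset_flags, "session": ruleset_session}

def compare():
    """{ruleset name: {scenario name: [verdict per packet]}}"""
    return {n: {s: run(r, pk) for s, pk in SCENARIOS.items()} for n, r in RULESETS.items()}
```

`compare()` returns the verdict lists for every ruleset and scenario: all three accept the outbound SSH session, only the `<>` ruleset accepts the connection opened from the outside with source port 22, and because the flags-based ruleset's SYN-ACK rule carries no flow keyword as written, this model also lets an unsolicited SYN-ACK from port 22 through for that ruleset, whereas the modelled `=>` rule drops it since no flow was opened from the $HOME_NET side. How Suricata's own flow engine treats such a midstream packet is not something this toy model settles.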
Updated by Victor Julien about 2 months ago
- Related to Feature #7705: firewall: allow single rule to accept protocol detection in progress and the final protocol added
Updated by Jamie Lavigne about 2 months ago
The idea behind this one is to statefully accept the flow at layer 3/4 with a single directional rule, but not quite accept:flow, because the app-layer rules still need to be applied. I picture something similar to ip-only rules on the IDS side that statefully associate and allow connections to be initiated in one direction only and automatically apply to the response side of the connection too.