Feature #7704
openfirewall: allow single packet rule to accept tcp connection
Description
The idea here is to allow a single rule to express:
- accept:hook
- directionality of connection initiator
- tcp state (3whs, established, etc)
- match opposing side as well
Currently we can have
accept:hook tcp:all $HOME_NET any <> ... 22 (flow:not_established;)
accept:hook tcp:all $HOME_NET any <> ... 22 (flow:established;)
But this doesn't enforce the direction of the 3whs.
One can also create a more complex ruleset like
accept:hook tcp:all $HOME_NET any -> any 22 (flags:S;)
accept:hook tcp:all any 22 -> $HOME_NET any (flags:SA;)
accept:hook tcp:all $HOME_NET any -> any 22 (flags:A; flow:not_established;)
accept:hook tcp:all $HOME_NET any <> any 22 (flow:established;)
The idea is to allow proper TCP setup, directionality, bidirectionality, all in one rule. E.g. something like:
accept:hook tcp:all $HOME_NET any \
    => \                              # <- similar to txdir
    any 22 \
    (tcp.session:setup,established;)  # < allow 3whs, tfo, etc.
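The following is an added example, not code from ticket #7704 or from Suricata. It is a small Python model of how the four-rule ruleset above evaluates a TCP handshake, next to a model of the proposed single `=>` rule with `tcp.session:setup,established`. Everything about that keyword is an assumption (it does not exist yet), the handshake tracker is a toy rather than Suricata's stream engine, the value of `$HOME_NET` is assumed, and the traffic is constructed.

```python
# Added example, not part of ticket #7704 or of Suricata: a minimal model of how
# the four-rule ruleset in the description evaluates a TCP handshake, next to a
# model of the proposed single "tcp.session:setup,established" rule. The flow
# tracking below is a toy, not Suricata's stream engine, and the "=>" semantics
# are an assumption about a keyword that does not exist yet.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HOME_NET = [ip_network("10.0.0.0/8")]        # assumed value of $HOME_NET

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset                         # subset of {"S","A","F","R","P","U"}

@dataclass
class FlowState:
    stage: str = "none"                      # none -> syn -> synack -> established
    initiator: tuple = None                  # (ip, port) that sent the first SYN
    established: bool = False

def flow_key(p):
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

def net_match(spec, ip):
    if spec == "any":
        return True
    nets = HOME_NET if spec == "$HOME_NET" else [ip_network(spec)]
    return any(ip_address(ip) in n for n in nets)

def port_match(spec, port):
    return spec == "any" or int(spec) == port

@dataclass
class Rule:
    src: str; sport: str; direction: str; dst: str; dport: str
    flags: frozenset = None                  # flags:S -> {"S"}, flags:SA -> {"S","A"}
    flow: str = None                         # "established" or "not_established"
    session: bool = False                    # hypothetical tcp.session:setup,established

    def header_dir(self, p):
        """'fwd' if src/dst match as written, 'rev' if they match swapped, else None."""
        if (net_match(self.src, p.src) and port_match(self.sport, p.sport)
                and net_match(self.dst, p.dst) and port_match(self.dport, p.dport)):
            return "fwd"
        if self.direction in ("<>", "=>") and (
                net_match(self.src, p.dst) and port_match(self.sport, p.dport)
                and net_match(self.dst, p.src) and port_match(self.dport, p.sport)):
            return "rev"
        return None

    def matches(self, p, fs):
        d = self.header_dir(p)
        if d is None or (self.flags is not None and p.flags != self.flags):
            return False
        if self.flow == "established" and not fs.established:
            return False
        if self.flow == "not_established" and fs.established:
            return False
        if self.session:                     # assumed semantics of the proposed keyword
            if fs.established:
                return True                  # established: both directions pass
            expected = {"none": ("fwd", {"S"}), "syn": ("rev", {"S", "A"}),
                        "synack": ("fwd", {"A"})}
            want_dir, want_flags = expected[fs.stage]
            return d == want_dir and p.flags == want_flags   # only the next 3whs step
        return True

def update_flow(fs, p):
    """Advance the toy handshake tracker; runs for every packet, accepted or not."""
    who = (p.src, p.sport)
    if fs.stage == "none" and p.flags == {"S"}:
        fs.stage, fs.initiator = "syn", who
    elif fs.stage == "syn" and p.flags == {"S", "A"} and who != fs.initiator:
        fs.stage = "synack"
    elif fs.stage == "synack" and p.flags == {"A"} and who == fs.initiator:
        fs.stage, fs.established = "established", True

def evaluate(rules, packets):
    """Default-drop firewall: a packet is accepted if any rule matches it."""
    flows, verdicts = {}, []
    for p in packets:
        fs = flows.setdefault(flow_key(p), FlowState())
        verdicts.append("accept" if any(r.matches(p, fs) for r in rules) else "drop")
        update_flow(fs, p)
    return verdicts

# The four rules from the description, built directly (rule parsing omitted).
FOUR_RULES = [
    Rule("$HOME_NET", "any", "->", "any", "22", flags=frozenset("S")),
    Rule("any", "22", "->", "$HOME_NET", "any", flags=frozenset("SA")),
    Rule("$HOME_NET", "any", "->", "any", "22", flags=frozenset("A"), flow="not_established"),
    Rule("$HOME_NET", "any", "<>", "any", "22", flow="established"),
]
# The proposed single rule: $HOME_NET any => any 22 (tcp.session:setup,established;)
SESSION_RULE = [Rule("$HOME_NET", "any", "=>", "any", "22", session=True)]

def pkt(src, sport, dst, dport, flags):
    return Packet(src, sport, dst, dport, frozenset(flags))

# Constructed traffic: an SSH session initiated from $HOME_NET.
HOME_INITIATED = [
    pkt("10.0.0.5", 40000, "203.0.113.10", 22, "S"),
    pkt("203.0.113.10", 22, "10.0.0.5", 40000, "SA"),
    pkt("10.0.0.5", 40000, "203.0.113.10", 22, "A"),
    pkt("10.0.0.5", 40000, "203.0.113.10", 22, "PA"),
    pkt("203.0.113.10", 22, "10.0.0.5", 40000, "PA"),
]
# Constructed traffic: the same handshake attempted from outside towards $HOME_NET.
EXT_INITIATED = [
    pkt("203.0.113.10", 50000, "10.0.0.5", 22, "S"),
    pkt("10.0.0.5", 22, "203.0.113.10", 50000, "SA"),
]
# Constructed traffic: a lone ACK from $HOME_NET with no preceding SYN.
STRAY_ACK = [pkt("10.0.0.5", 40001, "203.0.113.10", 22, "A")]

if __name__ == "__main__":
    for name, traffic in [("home", HOME_INITIATED), ("ext", EXT_INITIATED), ("stray", STRAY_ACK)]:
        print(name, "four-rule:", evaluate(FOUR_RULES, traffic),
              "session:", evaluate(SESSION_RULE, traffic))
```

In this model both rulesets accept the $HOME_NET-initiated handshake and drop the externally initiated one, which is the directionality the ticket asks for. The difference shows on the stray ACK: the third of the four rules matches it because `flags:A; flow:not_established` is evaluated per packet, whereas the modelled `tcp.session:setup` only accepts the packet that is the next expected handshake step, so the lone ACK is dropped.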
Updated by Victor Julien 25 days ago
- Related to Feature #7705: firewall: allow single rule to accept protocol detection in progress and the final protocol added
Updated by Jamie Lavigne 21 days ago
The idea behind this one is to statefully accept the flow at layer 3/4 with a single directional rule, but not quite accept:flow
because the app-layer rules still need to be applied. I picture something similar to ip-only rules on the IDS side that statefully associate and allow connections to be initiated in one direction only and automatically apply to the response side of the connection too.