Feature #7704

open

firewall: allow single packet rule to accept tcp connection

Added by Victor Julien 4 days ago.

Status:
Feedback
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

The idea here is to allow a single rule to express:
- accept:hook
- directionality of connection initiator
- tcp state (3whs, established, etc)
- match opposing side as well

Currently we can have

accept:hook tcp:all $HOME_NET any <> ... 22 (flow:not_established;)
accept:hook tcp:all $HOME_NET any <> ... 22 (flow:established;)
But this doesn't enforce the direction of the 3whs.

One can also create a more complex ruleset like

accept:hook tcp:all $HOME_NET any -> any 22 (flags:S;)
accept:hook tcp:all any 22 -> $HOME_NET any (flags:SA;)
accept:hook tcp:all $HOME_NET any -> any 22 (flags:A; flow:not_established;)
accept:hook tcp:all $HOME_NET any <> any 22 (flow:established;)

The idea is to allow proper TCP setup, directionality, bidirectionality, all in one rule. E.g. something like:

accept:hook tcp:all $HOME_NET any \
     => \ # <- similar to txdir
     any 22 \
     (tcp.session:setup,established;) # < allow 3whs, tfo, etc.
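As an added illustration (not code from this issue or from Suricata), a toy evaluator that runs the two-rule and four-rule variants above against a normal outbound SSH handshake and against a reversed handshake where the external side at port 22 sends the SYN. It assumes $HOME_NET is 10.0.0.0/8, reads the elided "..." as any, and advances flow state only on accepted packets.

```python
# Constructed toy evaluator (not Suricata code) for the two rulesets in the issue.
# $HOME_NET is simplified to addresses starting with "10."; rules are tuples of
# (src_home, sport, dst_home, dport, bidirectional, tcp_flags, flow_state).
def is_home(ip):
    return ip.startswith("10.")
def endpoint_ok(ip, port, home, want_port):
    return (home is None or is_home(ip) == home) and (want_port is None or port == want_port)

def matches(rule, pkt, established):
    sh, sp, dh, dp, bidir, flags, flow = rule
    src, sport, dst, dport, pflags = pkt
    if flags and pflags != flags:
        return False
    if flow == ("not_established" if established else "established"):
        return False
    fwd = endpoint_ok(src, sport, sh, sp) and endpoint_ok(dst, dport, dh, dp)
    rev = bidir and endpoint_ok(src, sport, dh, dp) and endpoint_ok(dst, dport, sh, sp)
    return fwd or rev

def run(rules, packets):
    """Default-drop firewall with a minimal 3whs tracker; only accepted packets advance state."""
    flows, verdicts = {}, []
    for pkt in packets:
        src, sport, dst, dport, flags = pkt
        key = frozenset([(src, sport), (dst, dport)])
        state, initiator = flows.get(key, ("none", None))
        if not any(matches(r, pkt, state == "established") for r in rules):
            verdicts.append("drop")
            continue
        verdicts.append("accept")
        if state == "none" and flags == "S":
            flows[key] = ("syn", (src, sport))
        elif state == "syn" and flags == "SA" and (dst, dport) == initiator:
            flows[key] = ("synack", initiator)
        elif state == "synack" and flags == "A" and (src, sport) == initiator:
            flows[key] = ("established", initiator)
    return verdicts

H, ANY = True, None
LOOSE = [(H, ANY, ANY, 22, True, None, "not_established"),   # "..." taken as any
         (H, ANY, ANY, 22, True, None, "established")]
STRICT = [(H, ANY, ANY, 22, False, "S", None),
          (ANY, 22, H, ANY, False, "SA", None),
          (H, ANY, ANY, 22, False, "A", "not_established"),
          (H, ANY, ANY, 22, True, None, "established")]

# Constructed traffic: normal outbound SSH 3whs, then a reversed 3whs from external port 22.
EXT, HOME = "203.0.113.5", "10.1.1.1"
OUTBOUND = [(HOME, 50000, EXT, 22, "S"), (EXT, 22, HOME, 50000, "SA"),
            (HOME, 50000, EXT, 22, "A"), (EXT, 22, HOME, 50000, "PA")]
REVERSED = [(EXT, 22, HOME, 54321, "S"), (HOME, 54321, EXT, 22, "SA"),
            (EXT, 22, HOME, 54321, "A")]
```

Both rulesets pass the outbound handshake, but only the four-rule version drops the reversed one, which is the directionality gap the proposed `tcp.session` keyword is meant to close in a single rule.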


Related issues: 1 (1 open, 0 closed)

Related to Suricata - Feature #7705: firewall: allow single rule to accept protocol detection in progress and the final protocol (Feedback, Victor Julien)

#1

Updated by Victor Julien 3 days ago

  • Related to Feature #7705: firewall: allow single rule to accept protocol detection in progress and the final protocol added