Task #8388
Updated by Victor Julien 3 days ago
Firewall mode requires app-layer protocols to have explicit hook states registered so that firewall rules can make accept/drop decisions at the application layer. Without registered hooks, traffic matching an app-layer protocol falls through to the default app policy (drop), even when packet-layer rules accept the TCP/UDP handshake.

Currently, only HTTP1, TLS, and SSH have protocol-specific hook states. DNS works with the generic default hooks (_request_started_, _request_complete_, _response_started_, _response_complete_).

Proposed hook states per protocol. Subtickets will track individual protocols.

_FTP_:

* Connected
* USER command sent
* PASS command sent
* Authenticated
* Command mode
* PORT/PASV sent
* Data connection requested
* Data connection established
* Transfer in progress
* Transfer complete
* Logged out
* Connection closed

Additionally, the expectation engine needs to work in firewall mode so that PASV/EPSV-negotiated data channels are auto-allowed when the control channel is accepted.

The FTP-DATA protocol has its own lifecycle:

* Connection requested
* Connection established
* Transfer initiated
* Data transfer in progress
* Transfer complete
* Transfer aborted
* Connection closed

_SMTP_:

* Connected
* HELO/EHLO sent
* Server greeting received
* MAIL FROM sent
* RCPT TO sent
* DATA command sent
* Message body transfer
* Message accepted
* QUIT sent
* Connection closed
* STARTTLS initiated
* Authentication in progress

_NTP_:

* Client request sent
* Server response received
* Synchronized
* Kiss-o'-Death received
* Unsynchronized
* Symmetric active/passive
* Broadcast mode
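As an added illustration of the fall-through described in this ticket (not part of the ticket or of Suricata's own rule set), the fragment below contrasts DNS, which can be accepted at the app layer through its generic hooks, with FTP, SMTP and NTP, which currently have no hook states to write an accept rule against. It assumes the Suricata 8 firewall-mode rule syntax (`accept:hook` with `tcp:flow_start`/`udp:flow_start` and `<proto>:<hook>` names); the sids, ports and address variables are constructed.

```suricata
# Assumed syntax: Suricata 8 firewall mode, rules evaluated per hook,
# with the default policy at every unaccepted hook being drop.

# Packet layer: let the TCP handshake / UDP flow start toward the
# control and service ports. Constructed sids and ports.
accept:hook tcp:flow_start $HOME_NET any -> $SERVERS [21,25,53] (sid:1;)
accept:hook udp:flow_start $HOME_NET any -> $SERVERS [53,123] (sid:2;)

# DNS: the generic default hooks named in the ticket exist, so each
# app-layer hook can be explicitly accepted and the flow keeps going.
accept:hook dns:request_started  any any -> any any (sid:10;)
accept:hook dns:request_complete any any -> any any (sid:11;)
accept:hook dns:response_started any any -> any any (sid:12;)
accept:hook dns:response_complete any any -> any any (sid:13;)

# FTP / SMTP / NTP: no ftp:*, smtp:* or ntp:* hook states are registered
# yet, so there is nothing to accept here. Flows on 21/25/123 pass the
# flow_start rules above, then fall through to the default app-layer
# policy (drop) as soon as the protocol is detected. Registering the
# states proposed in this ticket (e.g. an FTP "Authenticated" hook) is
# what would allow an accept rule to be written for them.
```

The FTP-DATA case is the same problem one step further: even once control-channel hooks exist, the PASV/EPSV-negotiated data flow arrives on a dynamic port that no static `tcp:flow_start` rule covers, which is why the ticket also asks for the expectation engine to work in firewall mode.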