19.10. Firewall Rule Conditions

When creating a firewall rule, you can select many different conditions to control which packets the rule matches. A rule's action will only be executed if all the conditions are matched. Each condition can be in one of three states, chosen by the menu next to it on the rule creation form:

<Ignore> The condition will be totally ignored when deciding whether the rule matches or not.

Equals The rule will only match if the packet matches the address, port, interface, or whatever was selected for this condition.

Does not equal The rule will only match if the packet does NOT match whatever was selected for this condition.

The available conditions and what each one matches are listed in Table 19.1. Note that some are not available in all tables and chains.

Remember that each condition is applied on a per-packet basis, and that a single TCP connection may involve multiple packets flowing in both directions.

Table 19.1. Firewall Conditions

Condition: Source address or network
Matches: The IP address, host, or network that the packet was sent from. When entering a network, you can use the network/prefix notation (like 192.168.0.0/16) or the network/netmask notation (like 192.168.0.0/255.255.0.0).

Condition: Destination address or network
Matches: The IP address, host, or network that the packet is going to. As with the source address, you can use both the network/prefix and network/netmask notations.

Condition: Incoming interface
Matches: The network interface on which the packet entered the firewall server. See the discussion of interface types and names in Chapter 16 for more details.

Condition: Outgoing interface
Matches: The network interface on which the packet is being sent out by the firewall server.

Condition: Fragmentation
Matches: When an IP packet is too large for the physical network it is being sent over, it will be broken into multiple fragments. If Is fragmented is chosen, the rule will apply only to fragments after the first one. If Is not fragmented is chosen, the rule applies only to the first fragment, or to packets that were not fragmented at all. Because fragments after the first do not contain any protocol or port information, rules that have protocol, port, TCP, state, or type of service conditions will never match a fragment.

Condition: Network protocol
Matches: The network protocol of the data carried by the packet. TCP is used by HTTP, FTP, telnet, SSH, SMTP, POP3, and many other higher-level protocols. UDP is used by the DNS, NFS, and NIS protocols. ICMP is used by commands like ping and traceroute.

Condition: Source TCP or UDP port
Matches: The port that a TCP connection or UDP packet came from. For packets sent by a client to a server, the source port is usually randomly assigned and thus useless for firewalling. But for packets sent back from the server to the client, the source port is the same as the port that the client connected to.

If the Port(s) option is selected, you can enter one or more ports into the field next to it, separated by commas. If Port range is selected, you must enter a starting and ending number to cover all ports between them.

This condition can be used only if your Network protocol is set to TCP or UDP.

Condition: Destination TCP or UDP port
Matches: The port that a TCP connection or UDP packet is going to. Instead of entering a port number, you can enter a name from the /etc/services file that is associated with a port, such as telnet or http. As with the Source TCP or UDP port condition, a list or range of ports can be entered, and the Network protocol must be set to either TCP or UDP.

Condition: Source and destination port(s)
Matches: For a condition of this type to match, both the source and destination ports must be in the comma-separated list of port names or numbers entered into the field next to it. This condition has never seemed particularly useful to me.

Condition: TCP option number is set
Matches: Matches if the entered TCP option number is set.

Condition: TCP flags set
Matches: The flags set on a TCP packet. The selections in the second row determine which flags the firewall will look at, while those in the first row indicate whether a particular flag must be set or not.

This condition can be used to detect TCP packets that are part of an existing connection. However, the Connection state condition is a far superior and simpler way of doing the same thing.

For this condition to be used, the Network protocol must be set to TCP.

Condition: ICMP packet type
Matches: For ICMP packets, this condition matches if the packet type matches whatever is chosen from the menu next to it. Some types such as echo-request and echo-reply are sent by the ping command, while others are used for low-level network flow control. Because ICMP packets are usually harmless and sometimes important, it is not necessary to block them. As would be expected, the Network protocol must be set to ICMP for this condition to be used.

Condition: Ethernet address
Matches: The MAC address (usually Ethernet) of the packet sender. If the packet was forwarded by another router after being sent by the original host, its MAC address will be that of the router. Ethernet addresses must be formatted like 00:D0:B7:1D:FB:AA, as displayed by the ifconfig command.

Condition: Packet flow rate
Matches: Matches packets up to the rate entered (if Below is chosen), or above the rate entered (if Above is chosen). This condition cannot be used for limiting the amount of traffic a host can send. Rather, it is useful for logging with the LOG target only a fraction of the packets that match some rule.

Condition: Packet burst rate
Matches: The maximum initial number of packets to match. This number gets recharged by one every time the Packet flow rate is not reached, up to the number entered.

Condition: Connection state
Matches: Matches packets depending on their connection status and the options chosen from the menu. You can select more than one to match packets with any of the chosen statuses. The available options and the packets they match are:

New connection Matches packets that are part of a new TCP connection.

Existing connection Packets that are part of a connection that has already been established.

Related connection Packets in a connection that is related to one already established, such as an FTP data connection.

Not part of any connection Packets that do not fit in with any new or existing connection at all.

Condition: Type of service
Matches: Matches packets whose IP type-of-service field is the same as the type selected from the menu next to this condition.

Condition: Sending unix user
Matches: Packets sent by a local process owned by the chosen UNIX user. This condition (and the three below) make sense only in the Outgoing packets chain.

Condition: Sending unix group
Matches: Packets sent by a local process owned by the chosen UNIX group.

Condition: Sending process ID
Matches: Packets sent by a local process with the specified PID.

Condition: Sending process group
Matches: Packets sent by a local process with the specified process group ID.

Condition: Additional parameters
Matches: This field can be used to enter additional parameters to a rule that cannot be set through the module's user interface, such as --log-level warn. It should only be used if you are familiar with the iptables command.
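The following is an added example, not code from Webmin or this book: a small Python model of how the conditions in Table 19.1 combine per packet. Each condition is in one of the three states from the rule form (ignore, equals, does not equal), all non-ignored conditions must match, both network notations are accepted, and port or state conditions never match a non-first fragment, as the Fragmentation row explains. The packet dicts, the condition names used as keys, and the SSH_FROM_LAN rule are constructed for the example.

```python
import ipaddress

# Condition states, as offered by the menu next to each condition on the form.
IGNORE, EQUALS, NOT_EQUALS = "ignore", "equals", "not_equals"

def parse_network(text):
    # ipaddress accepts both network/prefix (192.168.0.0/16) and
    # network/netmask (192.168.0.0/255.255.0.0); a bare host becomes a /32.
    return ipaddress.ip_network(text, strict=False)

def parse_ports(text):
    # "22,2222" is a comma-separated list; "1024:65535" is a port range.
    if ":" in text:
        lo, hi = (int(p) for p in text.split(":", 1))
        return set(range(lo, hi + 1))
    return {int(p) for p in text.split(",")}

# One predicate per modelled condition: does the packet match the value?
PREDICATES = {
    "source":   lambda pkt, v: ipaddress.ip_address(pkt["src"]) in parse_network(v),
    "dest":     lambda pkt, v: ipaddress.ip_address(pkt["dst"]) in parse_network(v),
    "in_iface": lambda pkt, v: pkt.get("in_iface") == v,
    "protocol": lambda pkt, v: pkt["proto"] == v,
    "sport":    lambda pkt, v: pkt.get("sport") in parse_ports(v),
    "dport":    lambda pkt, v: pkt.get("dport") in parse_ports(v),
    "state":    lambda pkt, v: pkt.get("state") in v.split(","),
}
# Ports and connection state live in the transport header, which only the
# first fragment carries, so these conditions never match a later fragment.
NEEDS_TRANSPORT_HEADER = {"sport", "dport", "state"}

def rule_matches(rule, pkt):
    """rule: {condition_name: (state, value)}; pkt: a constructed packet dict.
    Returns True only if every non-ignored condition matches the packet."""
    for name, (state, value) in rule.items():
        if state == IGNORE:
            continue
        if name in NEEDS_TRANSPORT_HEADER and pkt.get("frag_offset", 0) > 0:
            return False            # header absent: condition can never match
        hit = PREDICATES[name](pkt, value)
        if hit != (state == EQUALS):  # EQUALS needs a hit, NOT_EQUALS a miss
            return False
    return True

# Constructed rule: SSH from the LAN to any host except 192.168.1.1.
SSH_FROM_LAN = {
    "source":   (EQUALS, "192.168.0.0/255.255.0.0"),
    "dest":     (NOT_EQUALS, "192.168.1.1"),
    "protocol": (EQUALS, "tcp"),
    "dport":    (EQUALS, "22,2222"),
    "state":    (EQUALS, "NEW,ESTABLISHED"),
    "in_iface": (IGNORE, None),
}
```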
