Turtle Firewall Manual
Chapter 5. Services (fwservices.xml)
The filter tag has a series of attributes that define the characteristics a packet must have to be considered valid. If the packet does not satisfy the parameters defined by a filter, control passes to the next filter, and so on. If no filter matches, the packet is rejected.
Attributes:
direction: defines the direction of the packet in transit. It can take the value go or back. With go, only packets from a hypothetical source host to a destination host are considered; with back, the reply packets are considered.
p: protocol. It can take one of the following values: tcp, udp or icmp.
sport: the port used by the source host socket.
dport: destination port of the packet.
icmptype: ICMP message type (you should use it only with p="icmp", see iptables doc.).
state: packet state (see "state" instruction of iptables).
jump: forced jump to a chain or a target.
It can take the following values: ACCEPT (the packet is accepted; this is the default chain if direction is set to go), DROP (the packet is not considered valid; this jump is usually not used directly because it is not reported to the log file), BACK (control passes to a special chain that allows only reply packets of connections already established; this is the default chain if direction is set to back), ICMP-ACC (another special chain, to be used with p="icmp", that allows only standard ICMP messages considered safe).
If you set sport or dport to "PORT", the port will be set during script generation to the value given by the port attribute of the rule tag in the firewall rule you have defined. This way you can define services with parameters.
Syntax:
<filter direction="go/back" p="tcp/udp/icmp" sport="nPortaSrc" dport="nPortaDst" icmptype="tipoMsgIcmp" jump="ACCEPT/DROP/BACK/ICMP-ACC"/>
Example 5-1. Definition of 3 services
<services>
  <service name="http" description="Servizio www o http">
    <filter direction="go" p="tcp" dport="www"/>
    <filter direction="back" p="tcp" sport="www"/>
  </service>
  <service name="tcp" description="Servizio TCP generico">
    <!-- PORT is replaced by the port attribute of the firewall rule -->
    <filter direction="go" p="tcp" dport="PORT"/>
    <filter direction="back" p="tcp" sport="PORT"/>
  </service>
  <service name="ping" description="icmp message echo-request and echo-reply">
    <!-- attribute name is icmptype, as documented above -->
    <filter direction="go" p="icmp" icmptype="echo-request"/>
    <filter direction="back" p="icmp" icmptype="echo-reply"/>
  </service>
</services>
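To make the filter semantics above concrete (default jump per direction, the PORT placeholder, and the icmptype/p="icmp" constraint), here is an added Python example that reads a services document and renders each filter as an iptables rule fragment. It is not Turtle Firewall's own generator (which is written in Perl): the sample XML is constructed to mirror Example 5-1, and the FORWARD chain name, the SRC_HOST/DST_HOST placeholders and the option order are assumptions for illustration only.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring Example 5-1 (assumed content, not the
# project's own fwservices.xml). The ping "back" filter uses the
# documented ICMP-ACC jump explicitly.
SAMPLE_SERVICES = """<services>
  <service name="http" description="Servizio www o http">
    <filter direction="go" p="tcp" dport="www"/>
    <filter direction="back" p="tcp" sport="www"/>
  </service>
  <service name="tcp" description="Servizio TCP generico">
    <filter direction="go" p="tcp" dport="PORT"/>
    <filter direction="back" p="tcp" sport="PORT"/>
  </service>
  <service name="ping" description="icmp message echo-request and echo-reply">
    <filter direction="go" p="icmp" icmptype="echo-request"/>
    <filter direction="back" p="icmp" icmptype="echo-reply" jump="ICMP-ACC"/>
  </service>
</services>"""

# Default jump per direction, as documented for the jump attribute.
DEFAULT_JUMP = {"go": "ACCEPT", "back": "BACK"}
VALID_JUMPS = {"ACCEPT", "DROP", "BACK", "ICMP-ACC"}
VALID_PROTOS = {"tcp", "udp", "icmp"}


def parse_services(xml_text):
    """Parse <services> into {name: [filter dict, ...]}, validating each filter."""
    root = ET.fromstring(xml_text)
    if root.tag != "services":
        raise ValueError("root element must be <services>")
    services = {}
    for svc in root.findall("service"):
        name = svc.get("name")
        if not name:
            raise ValueError("<service> without a name")
        filters = []
        for flt in svc.findall("filter"):
            direction = flt.get("direction")
            if direction not in DEFAULT_JUMP:
                raise ValueError(f"{name}: direction must be go or back")
            proto = flt.get("p")
            if proto not in VALID_PROTOS:
                raise ValueError(f"{name}: p must be tcp, udp or icmp")
            jump = flt.get("jump", DEFAULT_JUMP[direction])
            if jump not in VALID_JUMPS:
                raise ValueError(f"{name}: unknown jump {jump}")
            icmptype = flt.get("icmptype")
            if (icmptype or jump == "ICMP-ACC") and proto != "icmp":
                raise ValueError(f"{name}: icmptype/ICMP-ACC need p=\"icmp\"")
            filters.append({
                "direction": direction, "p": proto, "jump": jump,
                "sport": flt.get("sport"), "dport": flt.get("dport"),
                "icmptype": icmptype, "state": flt.get("state"),
            })
        if not filters:
            raise ValueError(f"{name}: service has no filters")
        services[name] = filters
    return services


def render_rules(filters, port=None, src="SRC_HOST", dst="DST_HOST"):
    """Render one iptables fragment per filter of a service.

    go means src -> dst, back means dst -> src.  A sport/dport of "PORT" is
    replaced by the firewall rule's port attribute (the port argument here).
    The FORWARD chain and host placeholders are assumptions for illustration.
    """
    lines = []
    for flt in filters:
        parts = ["iptables", "-A", "FORWARD"]
        if flt["direction"] == "go":
            parts += ["-s", src, "-d", dst]
        else:
            parts += ["-s", dst, "-d", src]
        parts += ["-p", flt["p"]]  # -p must precede --sport/--dport
        for attr, opt in (("sport", "--sport"), ("dport", "--dport")):
            value = flt[attr]
            if value == "PORT":
                if port is None:
                    raise ValueError("service uses PORT but the rule has no port")
                value = str(port)
            if value:
                parts += [opt, value]
        if flt["icmptype"]:
            parts += ["--icmp-type", flt["icmptype"]]
        if flt["state"]:
            parts += ["-m", "state", "--state", flt["state"]]
        parts += ["-j", flt["jump"]]
        lines.append(" ".join(parts))
    return lines


if __name__ == "__main__":
    services = parse_services(SAMPLE_SERVICES)
    # Parametrised "tcp" service applied with port=22 (constructed hosts).
    for line in render_rules(services["tcp"], port=22, src="10.0.0.5", dst="10.0.1.9"):
        print(line)
```

Rendering the parametrised tcp service without a port raises an error rather than emitting a rule with a literal "PORT", which is the failure a generator should refuse at build time instead of leaving an unmatched filter in the ruleset.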