7.2.7. Options and Logging

The Options rule element allows you to enable and disable logging, set logging values, and set certain options (such as tagging and classifying) to be applied when a packet matches the rule. Not all firewalls support all log settings or a full set of options; however, Firewall Builder is aware of the capabilities of each platform and shows only the options valid for the specified firewall target. Note that options apply only to the current rule.

The right-click Options context menu contains three selections:

  • Rule Options:

    Opens the Options dialog, which allows you to set logging values and supported options for the current rule. The options and log settings available vary with the target platform.

  • Logging On:

    Enables logging for packets matching this rule. If the target firewall platform does not support selective logging of packets, log settings are disabled in the Options dialog.

  • Logging Off:

    Disables logging for packets matching this rule. If the target firewall platform does not support selective logging of packets, this menu item is disabled.

At the bottom of the context menu, the Compile Rule selection allows you to perform quick rule compilation.

Rule options may include the following, depending on the target platform:

  • General:

    Depending on the target platform, general settings may include whether inspection should be stateless rather than stateful (for some targets, state tracking options are located located on a Stateless or State Tracking tab), sending ICMP "Unreachable" packets masquerading as being from the original destination, keeping information on fragmented packets to be applied to later fragments, and/or whether to assume that the firewall is part of the "any" specification.

  • Logging:

    Depending on the target platform, log settings may include the log level, logging interval, log facility, log prefix, the Netlink group, and/or a checkbox to disable logging for the current rule.

  • Route:

    Supported only for ipfilter and PF targets. For iptables, this option is deprecated. Directs the firewall to route matching packets through a specified interface. For PF and ipfilter, you can specify the interface and next hop. This information is translated into the route option. You can also specify whether to reroute the packet, reroute the reply to the packet, or make the changes to a copy of the packet, allowing the original packet to proceed normally. This information is translated into the route-to, reply-to, and dup-to options, respectively. The PF platform also supports a fast-route option, translated as the fastroute option, and supports selecting from a set of load-balancing alogrithms.

  • State Tracking:

    Allows you to specify a number of options for tracking the progress of a connection. Keeping state can help you develop rule sets that are simpler and result in better packet filtering performance. For iptables, ipfilter, and ipfw target platforms, this option allows you to make packet inspection to be stateless rather than stateful, which is the default. (For these platforms, this option is located on the General tab.) PF targets support a number of additional state tracking settings. The Force "keep state" setting directs the firewall to make a state entry even if the default for the rule is to be stateless. The Activate source tracking setting enables tracking the number of states created per source IP address. The Maximum number of source addresses setting controls the maximum number of source addresses that can simultaneously have state table entries; this is the PF max-src-nodes option. The Maximum of simultaneous state entries setting controls the maximum number of simultaneous state entries that can be created per source IP address; this is the PF max-src-states option. Note that this limit controls only states created by this rule. State tracking is not supported for Cisco FWSM, Cisco Router IOS ACL, or Cisco ASA/ Cisco PIX target platforms.

  • Tag:

    Supported only for iptables and PF platforms. Associates a tag, or mark, with the packet. When you enable this option, you must specify a TagService object which defines the tag to be applied to matching packets.

    For iptables, the Tag operation is translated into a MARK target with corresponding --set-mark parameter and, optionally, additional rule with a CONNMARK --save-mark target. If the option that activates the CONNMARK target is used, the compiler also adds a rule at the very top of the policy to restore the mark. Rules are placed in the INPUT, OUTPUT, and FORWARD chain of the mangle table, which ensures that DNAT happens before rules in the mangle table interact with the packet. The PREROUTING chain in the mangle table is executed before the PREROUTING chain in the NAT table, so placing tagging rules in the PREROUTING chain would make them fire before DNAT. The POSTROUTING chain of the mangle table, as well as its FORWARD and OUTPUT chains, work before corresponding chains of the NAT table. In all cases, the goal is to make sure DNAT rules process the packet before, and SNAT rules process the packet after, filtering and tagging rules.

    For PF, this option is translated into the tag option.

  • Classify:

    Supported only for iptables, PF, and ipfw. Allows the firewall to define a QoS class for the packet that matches the rule. It is translated into CLASSIFY for iptables, with the --set-class parameter. For PF, it is translated into queue. The compiler for ipfw can use pipe, queue, or divert, depending on how the action is configured in Firewall Builder. When you enable this option, you must specify a Classify string.

  • limit:

    Supported only for iptables. Implements the iptables limit module, directing the firewall to perform rate-limiting on the connection. This option is useful for preventing, for example, TCP SYN flood attacks. You specify the maximum average matching rate; this translates into the iptables --limit rate option, limiting incoming connections once the limit is reached. You can also specify a burst level; this is the maximum initial number of packets to match. The burst number is incremented by one every time the rate-limit is not reached, up to this number; this value translates into the iptables --limit-burst option You can also reverse the meaning of the rate-limit rule (that is, accept everything above a given limit) by checking the Negate checkbox.

  • connlimit:

    Supported only for iptables. Implements the iptables connlimit module, directing the firewall to restrict the number of parallel TCP connections for this source/destination pair. You specify the maximum number of existing parallel connections; this translates into the iptables --connlimit-above option. You can also specify a network mask to limit the number of connections to networks of a particular size; this value translates into the iptables --connlimit-mask option You can reverse the meaning of the connection-limiting rule (that is, accept everything above a given limit) by checking the Negate checkbox.

  • hashlimit:

    Supported only for iptables. Implements the iptables hashlimit module. The hashlimit matching option is similar to the rate-limiting option, implemented per destination IP or per destination-IP/destination-port tuple. You must provide a name for this hash-limiting entry specify the rate and burst level. You can also select the mode of the module, which specifies whether to match on IP address alone (srcip or (dstip) or on an address/port combination (srcport or dstport). The htable-size setting controls the number of buckets of the hash table. The htable-max setting controls the maximum number of entries in the hash table. The htable-expire setting controls the interval (in milliseconds) after which a has entry expires. The htable-gcinterval setting controls the interval (in milliseconds) between garbage collection operations.

    On some older iptables systems, this module is named dstlimit. If your target platform is one of these systems, check the checkbox

  • Mirror rules:

    Supported only for Cisco Router IOS ACL. Directs the compiler to create a rule reversing the specified source and destination address and service fields, which can be used to match "reply" packets for address and service characteristics in packets matched by this rule. Detailed information about mirror rule settings is provided in the Rule Options dialog for this platform.

Figure 7.7 shows the Tag tab of the Options dialog for the iptables platform.

Figure 7.7. iptables Options Dialog

iptables Options Dialog

If the options of a particular rule have been changed from their default values, a appears in the Option field for that rule. Keep in mind that not all rules have the same default options. For example, by default a Deny rule is stateless, because there is no reason to keep state on a connection that won't be allowed. So, if you turn on state for a Deny rule, you'll see the icon. An Accept rule, on the other hand, has the opposite behavior. By default, state is kept for Accept rules, so no icon appears when state is on. In other words, if you turn state keeping off, then if you change the default behavior for that rule, the icon is displayed.

You can set multiple options and combine them with the policy's action so that the firewall performs multiple operations within a single policy rule. For example, where supported, you can tag, classify, and accept a packet within a single rule by configuring the Tag and Classify options and setting the action to Accept. For more information on configuring policies to perform multiple operations, see Section 7.5.6.

 

Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.
 Using free CSS Templates.