established


Permit return connections on ports other than those used for the originating connection based on an established connection. (Configuration mode.)

[no] established est_protocol src_port [dest_port] 
            [permitto protocol port[-port]] 
            [permitfrom protocol port[-port]]

   clear established

   show established


Syntax

est_protocol The protocol (TCP or UDP) of the originating connection used for the established connection lookup.
src_port The source port used for the established connection lookup. This is the originating traffic's source port and may be specified as 0 if the protocol does not specify which source port(s) will be used. Use wildcard ports (0) only when necessary.
dest_port The destination port used for the established connection lookup. This is the originating traffic's destination port and may be specified as 0 if the protocol does not specify which destination port(s) will be used. If omitted, it is treated as 0. Use wildcard ports (0) only when necessary.
permitto Specifies the return traffic's protocol and the destination port(s), on the internal host, to which the return traffic is permitted.
permitfrom Specifies the return traffic's protocol and the source port(s), on the external host, from which the return traffic is permitted.
protocol The protocol (TCP or UDP) of the return traffic. It may differ from est_protocol.
port[-port] A single port or an inclusive range of ports (for example, 1024-65535). After permitto, the destination port(s) to which the return traffic is permitted; after permitfrom, the source port(s) from which the return traffic is permitted.


Usage Guidelines

The established command allows outbound connections return access through the firewall. It works with two connections: an original connection outbound from a host on a network protected by the firewall to an external host, and a return connection inbound from that same external host to that same internal host.

The first protocol, destination port, and optional source port specified are for the initial outbound connection. The permitto and permitfrom options refine the return inbound connection.

Specify the established command with the permitto and permitfrom options. Without these options, the established command opens a security hole that can be exploited to attack the internal systems. See the "Security Problem" section that follows for more information.

The permitto option specifies the protocol and destination port(s) of the return connection on the internal host; these may differ from the protocol and ports of the original connection.

The permitfrom option specifies the protocol and source port(s) of the return connection on the external (remote) host.

The no form of the command removes an established statement from the configuration.

The show established command shows the established commands in the configuration.

The clear established command removes all established command statements from the configuration.

For the established command to work properly, the client must listen on the port specified with the permitto option.

You can use the established command with the nat 0 command statement (where there are no global command statements).

The established command cannot be used with Port Address Translation (PAT).

The established command works as shown in the following format:

established A B C permitto D E permitfrom D F

This command works as though it were written "If there exists a connection between two hosts using protocol A from src port B destined for port C, permit return connections through the firewall via protocol D (D can be different from A), if the source port(s) correspond to F and the destination port(s) correspond to E."

For example:

established tcp 6060 0 permitto tcp 6061 permitfrom tcp 6059

In this case, if a connection is started by an internal host to an external host using TCP source port 6060 and any destination port, the firewall permits return traffic between the hosts via TCP destination port 6061 and TCP source port 6059.

For example:

established udp 0 6060 permitto tcp 6061 permitfrom tcp 1024-65535

In this case, if a connection is started by an internal host to an external host using UDP destination port 6060 and any source port, the firewall permits return traffic between the hosts via TCP to destination port 6061 from any TCP source port in the range 1024-65535.


Security Problem

The established command has been enhanced to optionally specify the destination port used for connection lookups. Only the source port could be specified previously with the destination port being 0 (a wildcard). This addition allows more control over the command and provides support for protocols where the destination port is known, but the source port is not.

The established command can potentially open a large security hole in the firewall if not used with discretion. Whenever you use this command, if possible, also use the permitto and permitfrom options to indicate ports to which and from which access is permitted. Without these options, external systems to which connections are made could make unrestricted connections to the internal host involved in the connection. The following are examples of potentially serious security violations that could be allowed when using the established command.

For example:

established tcp 0 4000

In this example, if an internal system makes a TCP connection to an external host on port 4000, then the external host could come back in on any port using any protocol.

established tcp 0 0

This statement (the same as the established tcp 0 command of previous releases) performs the lookup with both ports wildcarded: any external host to which an internal host has opened any TCP connection can come back in to that internal host on any port using any protocol.
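The lookup described under "The established command works as shown in the following format" and the hole opened by the two statements above can be traced with a small model. The following Python is an added example written for this page, not PIX code. It assumes a constructed connection table and constructed inbound packets (the addresses 10.1.1.1, 209.165.201.1 and 209.165.200.225 and all ports are made up), ignores NAT and PAT entirely, and treats an omitted dest_port as the wildcard 0.

```python
"""Model of how an 'established' statement decides which inbound packets
to permit.  Added illustration for this page, not Cisco code: the real
firewall keeps its own connection table and applies xlate/NAT rules that
are not modelled here."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]
ANY: PortRange = (0, 65535)          # what a port of 0 (wildcard) means


@dataclass(frozen=True)
class Flow:
    """A 5-tuple, used both for a recorded outbound connection and for the
    inbound packet being checked."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_port(spec: str) -> PortRange:
    """'6061' -> (6061, 6061); '1024-65535' -> (1024, 65535); '0' -> wildcard."""
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return (int(lo), int(hi))
    port = int(spec)
    return ANY if port == 0 else (port, port)


def in_range(port: int, rng: PortRange) -> bool:
    return rng[0] <= port <= rng[1]


@dataclass(frozen=True)
class Established:
    proto: str
    src_port: PortRange      # lookup: originating connection's source port(s)
    dst_port: PortRange      # lookup: originating connection's destination port(s)
    permitto: Optional[Tuple[str, PortRange]]    # return protocol, destination port(s)
    permitfrom: Optional[Tuple[str, PortRange]]  # return protocol, source port(s)


def parse_established(line: str) -> Established:
    """Parse 'established est_protocol src_port [dest_port]
    [permitto protocol port[-port]] [permitfrom protocol port[-port]]'."""
    words = line.split()
    if not words or words[0] != "established":
        raise ValueError("not an established statement: %r" % line)
    proto = words[1].lower()
    i, ports = 2, []                      # type: int, List[PortRange]
    while i < len(words) and words[i] not in ("permitto", "permitfrom"):
        ports.append(parse_port(words[i]))
        i += 1
    if not 1 <= len(ports) <= 2:
        raise ValueError("expected src_port [dest_port]")
    dst_port = ports[1] if len(ports) == 2 else ANY   # omitted dest_port: wildcard
    permitto = permitfrom = None
    while i < len(words):
        key, rproto, rport = words[i], words[i + 1].lower(), parse_port(words[i + 2])
        if key == "permitto":
            permitto = (rproto, rport)
        elif key == "permitfrom":
            permitfrom = (rproto, rport)
        else:
            raise ValueError("unexpected token %r" % key)
        i += 3
    return Established(proto, ports[0], dst_port, permitto, permitfrom)


def permits_return(rule: Established, conns: List[Flow], pkt: Flow) -> bool:
    """True if some recorded outbound connection satisfies the rule's lookup
    and the inbound packet satisfies the permitto/permitfrom constraints."""
    for c in conns:
        if c.proto != rule.proto:
            continue
        if not (in_range(c.src_port, rule.src_port) and in_range(c.dst_port, rule.dst_port)):
            continue
        # the return must come from the external peer of that connection and
        # go to the internal host that opened it
        if pkt.src_ip != c.dst_ip or pkt.dst_ip != c.src_ip:
            continue
        if rule.permitto is not None:
            rproto, rng = rule.permitto
            if pkt.proto != rproto or not in_range(pkt.dst_port, rng):
                continue
        if rule.permitfrom is not None:
            rproto, rng = rule.permitfrom
            if pkt.proto != rproto or not in_range(pkt.src_port, rng):
                continue
        return True                      # no permitto/permitfrom: anything goes
    return False


# Constructed sample data: one internal host with a TCP session to port 4000
# and a UDP session to port 6060 on the same external host.
CONNS = [
    Flow("tcp", "10.1.1.1", 34567, "209.165.201.1", 4000),
    Flow("udp", "10.1.1.1", 40001, "209.165.201.1", 6060),
]
RETURN_OK = Flow("tcp", "209.165.201.1", 6059, "10.1.1.1", 6061)   # expected return
SSH_PROBE = Flow("tcp", "209.165.201.1", 23, "10.1.1.1", 22)       # peer probing SSH
UDP_PROBE = Flow("udp", "209.165.201.1", 53, "10.1.1.1", 161)      # peer probing SNMP
STRANGER = Flow("tcp", "209.165.200.225", 23, "10.1.1.1", 22)      # no connection to it
X_RETURN = Flow("tcp", "209.165.201.1", 2048, "10.1.1.1", 6061)    # TCP return to UDP lookup


def demo() -> dict:
    """Evaluate the page's statements against the constructed packets."""
    hole = parse_established("established tcp 0 4000")
    tight = parse_established("established tcp 0 4000 permitto tcp 6061 permitfrom tcp 6059")
    udp_to_tcp = parse_established("established udp 0 6060 permitto tcp 6061 permitfrom tcp 1024-65535")
    return {
        "hole_permits_ssh_probe": permits_return(hole, CONNS, SSH_PROBE),
        "hole_permits_any_protocol": permits_return(hole, CONNS, UDP_PROBE),
        "hole_still_blocks_stranger": not permits_return(hole, CONNS, STRANGER),
        "tight_permits_return": permits_return(tight, CONNS, RETURN_OK),
        "tight_blocks_ssh_probe": not permits_return(tight, CONNS, SSH_PROBE),
        "udp_lookup_permits_tcp_return": permits_return(udp_to_tcp, CONNS, X_RETURN),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-32s %s" % (name, ok))
```

Every entry of demo() comes out True: the bare established tcp 0 4000 lets the peer reach SSH and SNMP on the internal host, while the same statement with permitto/permitfrom only admits the one expected return; the host-pair check is what keeps an unrelated external host out even under the bare statement.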


Examples

The following example applies when local host 10.1.1.1 starts a TCP connection on port 9999 to foreign host 209.165.201.1. It allows packets from foreign host 209.165.201.1 on port 4242 back to local host 10.1.1.1 on port 5454:

established tcp 9999 permitto tcp 5454 permitfrom tcp 4242

The next example allows packets from foreign host 209.165.201.1 on any port back to local host 10.1.1.1 on port 5454:

established tcp 9999 permitto tcp 5454


XDMCP Support

The firewall now provides support for XDMCP (X Display Manager Control Protocol) with assistance from the established command.

XDMCP is on by default, but will not complete the session unless the established command is used.

Example:

established tcp 0 6000 permitto tcp 6000 permitfrom tcp 1024-65535

This statement allows internal XDMCP-equipped hosts (UNIX or ReflectionX) to access external XDMCP-equipped X Window System hosts. The UDP/177-based XDMCP exchange negotiates a TCP-based X Window session, and the subsequent TCP back connections are then permitted. Because the source port(s) of the return traffic are unknown, the src_port field should be specified as 0 (wildcard). The destination port, dest_port, will typically be 6000, the well-known X server port; more precisely, dest_port should be 6000 + n, where n is the local display number. The display number is selected by the DISPLAY environment variable, set with the following UNIX (csh) command:

setenv DISPLAY hostname:displaynumber.screennumber

The established command is needed because many TCP connections are generated (based on user interaction) and the source port for these connections is unknown; only the destination port is static. The firewall performs the XDMCP fixups transparently. No configuration is required for the fixup itself, but the established command is necessary to accommodate the TCP session. Be advised that passing applications like this through the firewall may open security holes: the X Window System has been exploited in the past, and new exploits are likely to be discovered.