Vyatta documentation

TCP strict tracking

Strict TCP tracking for stateful firewall rules is enabled with the security firewall tcp-strict command. The same command lets you toggle between loose and strict stateful behaviour for TCP.

Stateful tracking must be enabled through either a state rule or a global rule.

TCP strict tracking disabled—TCP connections are validated by the following criteria:

The SEQ and ACK numbers of each packet are checked against window boundaries. (Reference: Rooij G., “Real stateful TCP packet filtering in IP Filter,” 10th USENIX Security Symposium invited talk, Aug. 2001.)

The four boundaries are defined as follows:

  • I) SEQ + LEN <= MAX {SND.ACK + MAX(SND.WIN, 1)}
  • II) SEQ >= MAX {SND.SEQ + SND.LEN - MAX(RCV.WIN, 1)}
  • III) ACK <= MAX {RCV.SEQ + RCV.LEN}
  • IV) ACK >= MAX {RCV.SEQ + RCV.LEN} - MAXACKWIN

TCP strict tracking enabled—The boundary validation above is performed. In addition, the correct sequencing of TCP flags is validated, that is, the TCP stateful transitions are checked.

A packet carrying the flag shown is an invalid stateful transition when the session is in any of the listed states:

Forward flow:

SYN-ACK FLAG to SS, ES, FW, CW, LA, TW, CL

FIN FLAG to SS, SR, S2

ACK FLAG to SS, S2

Note: S2 is an identical SYN sent from either side of the connection.

Reverse flow:

SYN FLAG to SR, ES, FW, CW, LA, TW, CL

FIN FLAG to SS, SR

The state codes used above are those shown by show session-table:

vyatta@vyatta:~$ show session-table
    TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, FW - FIN WAIT,
                 CW - CLOSE WAIT, CG - CLOSING, LA - LAST ACK, TW - TIME WAIT, CL - CLOSED
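An added example (not Vyatta NOS code) that models both checks described above in Python: a per-direction window tracker applying boundaries I to IV to a constructed handshake, data segment and out-of-window segment, plus a lookup of the strict-mode table of invalid flag/state combinations. Calling the packet's own direction snd and the opposite direction rcv, storing MAX(ACK + WIN) on the side that advertised it, and the MAXACKWIN value are assumptions of this example, not Vyatta's implementation.

```python
MAXACKWIN = 66000  # constructed bound for boundary IV; the page gives no value

# (flow, flag) -> session states in which that flag is invalid under strict tracking
INVALID_STRICT = {
    ("forward", "SYN-ACK"): {"SS", "ES", "FW", "CW", "LA", "TW", "CL"},
    ("forward", "FIN"): {"SS", "SR", "S2"},
    ("forward", "ACK"): {"SS", "S2"},
    ("reverse", "SYN"): {"SR", "ES", "FW", "CW", "LA", "TW", "CL"},
    ("reverse", "FIN"): {"SS", "SR"},
}

def strict_flags_ok(flow, flag, state):
    """Strict mode: is this flag pattern allowed in the current session state?"""
    return state not in INVALID_STRICT.get((flow, flag), ())

class Side:  # window state tracked for one direction of a connection (assumed layout)
    def __init__(self):
        self.end = 0     # MAX(SEQ + LEN) sent by this side
        self.maxwin = 0  # MAX(WIN) advertised by this side; 0 = direction not seen yet
        self.maxend = 0  # MAX(ACK + WIN) advertised by this side: how far the peer may send

def in_window(pkt, snd, rcv):
    """Boundaries I-IV for pkt (seq, ack, len, win, flags) sent by snd towards rcv."""
    flags, win = pkt["flags"], max(pkt["win"], 1)            # MAX(WIN, 1) as in the text
    seq = pkt["seq"]
    ack = pkt["ack"] if "ACK" in flags else 0                # ACK field is meaningless without the flag
    end = seq + pkt["len"] + ("SYN" in flags) + ("FIN" in flags)  # SYN/FIN each take a seq number
    if snd.maxwin == 0:                  # first packet in this direction must be a SYN;
        if "SYN" not in flags:           # nothing has been acknowledged yet to check it against
            return False
        snd.end, snd.maxwin, snd.maxend = end, win, (ack + win if ack else 0)
        return True
    ok = (end <= rcv.maxend                # I
          and seq >= snd.end - rcv.maxwin  # II
          and ack <= rcv.end               # III
          and ack >= rcv.end - MAXACKWIN)  # IV
    if ok:                                 # only accepted packets advance the tracked window
        snd.end = max(snd.end, end)
        snd.maxwin = max(snd.maxwin, win)
        snd.maxend = max(snd.maxend, ack + win)
    return ok

def replay_constructed_flow():
    """Constructed packets: handshake, one data segment, then a segment far outside the window."""
    a, b = Side(), Side()
    steps = [
        (a, b, dict(seq=1000, ack=0, len=0, win=8192, flags={"SYN"})),
        (b, a, dict(seq=5000, ack=1001, len=0, win=4096, flags={"SYN", "ACK"})),
        (a, b, dict(seq=1001, ack=5001, len=0, win=8192, flags={"ACK"})),
        (a, b, dict(seq=1001, ack=5001, len=100, win=8192, flags={"ACK"})),
        (a, b, dict(seq=900000, ack=5001, len=0, win=8192, flags={"ACK"})),
    ]
    return [in_window(p, s, r) for s, r, p in steps]
```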