Many protocols require multiple TCP connections or multiple UDP data streams. In some protocols, the host playing the role of "server" makes connections to the host playing the role of "client"; although the client generally initiates the first connection, the server may initiate subsequent connections. For many commonly used protocols, such as FTP, the PIX Firewall scans the application layer data to find the ports on which connections may be opened from server to client, and selectively permits the connections that have been negotiated in the protocol. However, the PIX Firewall software does not have support for every possible protocol.
The established command allows the PIX Firewall to deliver traffic associated with protocols for which the firewall software does not have specific support. When the established command is in force, an outside server can make a TCP or UDP connection to any inside host with which it already has a TCP or UDP connection established. The assumption is that the new connection is part of an unknown multiconnection protocol. The permitto and permitfrom parameters to the established command can be used to control which ports on the inside host can be reached from the outside, but there is no way to designate specific inside hosts to which the established command should or should not apply.
The established command creates a relatively wide opening in the firewall. If there is any existing connection between an inside and an outside host, additional connections may be created in either direction. Unless the permitto and/or permitfrom keywords have been used, these connections may use any port number on either host.
Conduits, created with the static and conduit commands, provide a way for the firewall administrator to permit access from outside the firewall to selected ports on hosts inside the firewall. A conduit might, for example, be used to provide access to a mail server by allowing outside hosts to connect to TCP port 25 on the mail host.
These two features interact in a way that has surprised some firewall administrators. Suppose that a PIX Firewall has an established tcp command in its configuration file, and that a conduit has been created to allow outside hosts to connect to port 25 on an inside mail server, host A. If outside host B uses this conduit to connect to host A's mail service, a TCP connection is created. As long as that TCP connection to A's mail port is active, the established command will permit host B to make additional connections to other ports on host A. Since host B can initiate mail connections at will, and can hold those connections open for as long as it wants, the net effect is that host B can make a TCP connection to any port on host A at any time.
Administrators who make this configuration error generally hold one of two misconceptions about the established command. The facts are that:
- The existence of any connection between an inside and an outside host is sufficient for the established command to permit connections from the outside host to the inside host. The direction in which the original connection was made is not checked.
- The established command has its full effect even if the existing connection was made to a well-known port. Even though the original connection may involve a protocol that is supported by the PIX Firewall software, the established command will still permit subsequent connections.
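The interaction described above, and the two facts just listed, can be made concrete with a small model of the firewall's decision. The following is an added illustration written for this page, not Cisco code and not the PIX implementation: it keeps a table of live connections, honours a conduit to TCP port 25 on a hypothetical inside mail host A, and then evaluates the established rule the way the advisory describes it, with and without a permitto restriction. Host names A, B, C, D and E, the port numbers, and the Python class and function names are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Hypothetical hosts: A is the inside mail server, B and C are outside hosts,
# D is an inside client and E an outside server. This models the behaviour the
# advisory describes; it is not Cisco code.


@dataclass(frozen=True)
class Conn:
    proto: str
    inside_host: str
    inside_port: int
    outside_host: str
    outside_port: int


@dataclass
class Established:
    """Models 'established <proto> ... [permitto ...] [permitfrom ...]'.
    None means no restriction, which is the advisory's 'wide opening'."""
    proto: str
    permitto: Optional[Set[int]] = None    # allowed destination ports on the inside host
    permitfrom: Optional[Set[int]] = None  # allowed source ports on the outside host


@dataclass
class Pix:
    conduits: Set[Tuple[str, str, int]] = field(default_factory=set)  # (proto, inside_host, inside_port)
    established: Optional[Established] = None
    table: Set[Conn] = field(default_factory=set)  # live connections, whichever side opened them

    def open_outbound(self, proto, inside_host, inside_port, outside_host, outside_port) -> None:
        """Inside-initiated connections are permitted and recorded in the table."""
        self.table.add(Conn(proto, inside_host, inside_port, outside_host, outside_port))

    def inbound_allowed(self, proto, inside_host, inside_port, outside_host, outside_port) -> str:
        """Decide an outside-initiated connection; returns why it was allowed, or 'denied'."""
        if (proto, inside_host, inside_port) in self.conduits:
            return "conduit"
        est = self.established
        if est is not None and est.proto == proto:
            # Any live connection between this pair of hosts qualifies. Neither
            # the direction of that connection nor the port it uses is checked.
            related = any(c.inside_host == inside_host and c.outside_host == outside_host
                          for c in self.table)
            if related:
                if est.permitto is not None and inside_port not in est.permitto:
                    return "denied"
                if est.permitfrom is not None and outside_port not in est.permitfrom:
                    return "denied"
                return "established"
        return "denied"

    def open_inbound(self, proto, inside_host, inside_port, outside_host, outside_port) -> str:
        reason = self.inbound_allowed(proto, inside_host, inside_port, outside_host, outside_port)
        if reason != "denied":
            self.table.add(Conn(proto, inside_host, inside_port, outside_host, outside_port))
        return reason


def mail_server_scenario(permitto: Optional[Set[int]] = None) -> Tuple[str, str, str]:
    """Conduit to TCP/25 on A plus 'established tcp', optionally with permitto.
    Returns the decisions for B's SMTP connect, B's follow-on connect to the
    telnet port on A, and B's connect to an unrelated inside host C."""
    pix = Pix(conduits={("tcp", "A", 25)}, established=Established("tcp", permitto=permitto))
    smtp = pix.open_inbound("tcp", "A", 25, "B", 40000)
    telnet = pix.open_inbound("tcp", "A", 23, "B", 40001)   # rides on the open SMTP session
    other = pix.open_inbound("tcp", "C", 23, "B", 40002)    # no session between B and C
    return smtp, telnet, other


def intended_use_scenario() -> Tuple[str, str]:
    """The case the command was meant for: inside host D opens a control
    connection to outside server E, and E calls back to a data port on D."""
    pix = Pix(established=Established("tcp", permitto={5000}))
    pix.open_outbound("tcp", "D", 3500, "E", 4000)
    callback = pix.open_inbound("tcp", "D", 5000, "E", 4001)
    stray = pix.open_inbound("tcp", "D", 22, "E", 4002)  # blocked by permitto
    return callback, stray
```

Without permitto, B's connection to the conduit alone is enough for the model to admit B's next connection to any port on A; with permitto set to the ports the protocol actually needs, the same follow-on connection is refused while the legitimate callback in the second scenario still gets through.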
Cisco will update the PIX Firewall documentation to clarify these points.
Because the reasons for using the established command differ from installation to installation, there is no configuration change that will work for all users. Cisco recommends that all customers whose PIX Firewall configuration files contain both conduits and the established command review their configurations to make sure that those configurations implement the expected security policies.
The established command was meant as a special measure for users with relatively unusual situations, and Cisco does not recommend its routine use. If the established command is used, port ranges should almost always be specified using the permitto and/or permitfrom keywords.
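One way to carry out the review recommended above is to scan the configuration file for established commands and report whether each one is restricted and whether conduits are also present. The following is an added check written for this page, not a Cisco tool. The command syntax it assumes is `established {tcp|udp} dport [sport] [permitto proto port[-port]] [permitfrom proto port[-port]]`, and the sample configuration, the addresses in it, and the function name audit_established are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample configuration, not taken from any real device. The
# established syntax assumed here is:
#   established {tcp|udp} dport [sport] [permitto proto port[-port]] [permitfrom proto port[-port]]
SAMPLE_CONFIG = """\
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255 0 0
conduit permit tcp host 192.0.2.10 eq smtp any
established tcp 0 0
established tcp 6060 0 permitto tcp 6061 permitfrom tcp 6059
"""

Finding = Tuple[str, str]  # (severity, configuration line)


def audit_established(config_text: str) -> List[Finding]:
    """Report every 'established' line in the light of whether conduits exist.

    high:   established carries neither permitto nor permitfrom and at least one
            conduit exists, so each conduit becomes an any-port opening to that host.
    review: established is restricted but conduits exist; confirm the permitted
            ports are the ones the policy intends.
    info:   established present with no conduits; still not recommended for routine use.
    """
    lines = [ln.strip() for ln in config_text.splitlines()]
    has_conduit = any(ln.startswith("conduit permit") for ln in lines)
    findings: List[Finding] = []
    for ln in lines:
        if not re.match(r"^established\s+(tcp|udp)\b", ln):
            continue
        words = ln.split()
        restricted = "permitto" in words or "permitfrom" in words
        if has_conduit and not restricted:
            findings.append(("high", ln))
        elif has_conduit:
            findings.append(("review", ln))
        else:
            findings.append(("info", ln))
    return findings


if __name__ == "__main__":
    for severity, line in audit_established(SAMPLE_CONFIG):
        print(f"{severity:7s} {line}")
```

The check is deliberately coarse: it does not decide whether a restricted established command is correct, only that it must be looked at alongside the conduits, which is the review the advisory asks for.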