- Finding Feature Information
- Prerequisites for Creating an IP Access List to Filter TCP Flags
- Information About Creating an IP Access List to Filter TCP Flags
- How to Create an IP Access List to Filter TCP Flags
- Configuration Examples for Configuring an IP Access List to Filter TCP Flags
- Additional References for Creating an IP Access List to Filter TCP Flags
- Feature Information for Creating an IP Access List to Filter TCP Flags
Creating an IP Access List to Filter TCP Flags
This module documents the ACL TCP Flags Filtering feature and describes how to use an IP access list to filter IP packets that contain TCP flags. The ACL TCP Flags Filtering feature allows you to select any combination of flags on which to filter. The ability to match on a flag set and on a flag not set gives you a greater degree of control for filtering on TCP flags, thus enhancing security.
The ACL TCP Flags Filtering feature provides a flexible mechanism for filtering on TCP flags. Before this feature, an incoming packet was matched if any TCP flag in the packet matched a flag specified in the access control entry (ACE). This behavior allowed for a security loophole, because packets with all flags set could get past the access control list (ACL).
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Creating an IP Access List to Filter TCP Flags
Before you perform any of the tasks in this module, you should be familiar with the information in the following modules:
“IP Access List Overview”
“Creating an IP Access List and Applying It to an Interface”
Information About Creating an IP Access List to Filter TCP Flags
Benefits of Filtering on TCP Flags
The ACL TCP Flags Filtering feature provides a flexible mechanism for filtering on TCP flags. Previously, an incoming packet was matched as long as any TCP flag in the packet matched a flag specified in the access control entry (ACE). This behavior allows for a security loophole, because packets with all flags set could get past the access control list (ACL). The ACL TCP Flags Filtering feature allows you to select any combination of flags on which to filter. The ability to match on a flag set and on a flag not set gives you a greater degree of control for filtering on TCP flags, thus enhancing security.
Because TCP packets can be sent as false synchronization packets that can be accepted by a listening port, it is recommended that administrators of firewall devices set up some filtering rules to drop false TCP packets.
The ACEs that make up an access list can be configured to detect and drop unauthorized TCP packets by allowing only the packets that have a very specific group of TCP flags set or not set. The ACL TCP Flags Filtering feature provides a greater degree of packet-filtering control in the following ways:
TCP Flags
The table below lists the TCP flags, which are further described in RFC 793, Transmission Control Protocol.
TCP Flag | Purpose
---|---
ACK | Acknowledge flag—Indicates that the acknowledgment field of a segment specifies the next sequence number the sender of this segment is expecting to receive.
FIN | Finish flag—Used to clear connections.
PSH | Push flag—Indicates the data in the call should be immediately pushed through to the receiving user.
RST | Reset flag—Indicates that the receiver should delete the connection without further interaction.
SYN | Synchronize flag—Used to establish connections.
URG | Urgent flag—Indicates that the urgent field is meaningful and must be added to the segment sequence number.
How to Create an IP Access List to Filter TCP Flags
Filtering Packets That Contain TCP Flags
This task configures an access list to filter packets that contain TCP flags and verifies that the access list has been configured correctly.
Caution: If a device having ACEs with the new syntax format is reloaded with a previous version of the Cisco software that does not support the ACL TCP Flags Filtering feature, the ACEs will not be applied, leading to possible security loopholes.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip access-list extended access-list-name
4. [sequence-number] permit tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established | {match-any | match-all} {+ | -} flag-name] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
5. [sequence-number] deny tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established | {match-any | match-all} {+ | -} flag-name] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
6. Repeat Step 4 or Step 5 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.
7. end
8. show ip access-lists access-list-name
DETAILED STEPS
Configuration Examples for Configuring an IP Access List to Filter TCP Flags
Example: Filtering Packets That Contain TCP Flags
The following access list allows TCP packets only if the TCP flags ACK and SYN are set and the FIN flag is not set:
ip access-list extended aaa
 permit tcp any any match-all +ack +syn -fin
 end
The show access-list command has been entered to display the ACL:
Device# show access-list aaa
Extended IP access list aaa
    10 permit tcp any any match-all +ack +syn -fin
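The following Python model is an added example and not Cisco code; it illustrates the two points made in this module: the pre-feature "match if any listed flag is set" behaviour that lets a packet with all flags set through, and the new match-all / match-any evaluation of +flag and -flag conditions used by the ACE above (the flag bit values are the standard TCP header bits; the function names are assumptions of this example).

```python
# Added example (not Cisco's implementation): models how an ACE evaluates
# TCP flag conditions under the legacy behaviour versus match-all/match-any.

# TCP header flag bits (standard positions in the 6-bit flags field).
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
             "psh": 0x08, "ack": 0x10, "urg": 0x20}


def flags_from_names(*names: str) -> int:
    """Build a flags bitfield from flag names, e.g. ('ack', 'syn') -> 0x12."""
    value = 0
    for name in names:
        value |= TCP_FLAGS[name]
    return value


def parse_flag_spec(spec: str) -> dict:
    """Parse '+ack +syn -fin' into {'ack': True, 'syn': True, 'fin': False}."""
    conditions = {}
    for token in spec.split():
        sign, name = token[0], token[1:].lower()
        if sign not in "+-" or name not in TCP_FLAGS:
            raise ValueError(f"bad flag token: {token!r}")
        conditions[name] = (sign == "+")   # '+' = must be set, '-' = must be clear
    return conditions


def ace_matches(mode: str, spec: str, flags: int) -> bool:
    """New syntax: match-all needs every condition true, match-any needs one."""
    results = [((flags & TCP_FLAGS[name]) != 0) == wanted
               for name, wanted in parse_flag_spec(spec).items()]
    if mode == "match-all":
        return all(results)
    if mode == "match-any":
        return any(results)
    raise ValueError(f"unknown mode: {mode}")


def legacy_matches(flag_names: list, flags: int) -> bool:
    """Pre-feature behaviour: matched if ANY flag named in the ACE is set."""
    return any(flags & TCP_FLAGS[name] for name in flag_names)


if __name__ == "__main__":
    # Constructed packet: every flag set (the "loophole" case from the text).
    all_set = flags_from_names(*TCP_FLAGS)
    print("legacy ack/syn ACE matches all-flags packet:", legacy_matches(["ack", "syn"], all_set))
    print("match-all +ack +syn -fin matches it:", ace_matches("match-all", "+ack +syn -fin", all_set))
```

The legacy check accepts the all-flags packet while the match-all ACE from the configuration example rejects it because -fin fails.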
Additional References for Creating an IP Access List to Filter TCP Flags
Related Documents
Related Topic | Document Title
---|---
Cisco IOS commands | 
Security Commands | 
Order of access list entries | "Refining an IP Access List"
Access list entries based on time of day or week | "Refining an IP Access List"
Packets with noninitial fragments | "Refining an IP Access List"
Filtering on IP Options, TCP flags, noncontiguous ports, or TTL values | "Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values"
Access to virtual terminal lines | "Controlling Access to a Virtual Terminal Line"
Routing updates and policy routing | "Configuring Routing Protocol-Independent Features" modules in the Cisco IOS IP Routing Protocols Configuration Guide
Traffic identification or classification for features such as congestion avoidance, congestion management, and priority queuing | "Regulating Packet Flow on a Per-Interface Basis--Using Generic Traffic Shaping" module in the Quality of Service Solutions Configuration Guide
Technical Assistance
Description | Link
---|---
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. | 
Feature Information for Creating an IP Access List to Filter TCP Flags
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to . An account on Cisco.com is not required.
Feature Name | Releases | Feature Configuration Information
---|---|---
ACL TCP Flags Filtering | Cisco IOS XE Release 3.6E | This feature provides a flexible mechanism for filtering on TCP flags. The ACL TCP Flags Filtering feature allows you to select any combination of flags on which to filter. The ability to match on a flag set and on a flag not set gives you a greater degree of control for filtering on TCP flags, thus enhancing security. In Cisco IOS XE Release 3.6E, this feature is supported on Cisco Catalyst 3850 Series Switches.