FCP Protocol Specification 15

FCP rough specs + description - v.015 - 11-28-00 - Nils Ohlmeier , Ulrich Abend

<FCP>::=

<Request>|<Response>

<Request>::=

        SET <RequestHeader> <PacketMatching Expression> [<SetOptions>] |
        RELEASE <RequestHeader> <PacketMatching Expression> |
        QUERY <RequestHeader> [<PacketMatching Expression>] |
        QUERYNAT <RequestHeader> IP=<value> PORT=<value>
                   [UPPERPORT=<value>] PROTO=<value> |
        RELEASENAT <RequestHeader> IP=<value> PORT=<value> PROTO=<value>

<RequestHeader>::=

<Protocol_Name_And_Version> <Transaction Number>

<Protocol_Name_And_Version>::=

FCP=1.0

<Transaction Number>::=

SEQ=<value>

<PacketMatchingExpression>::=

        [PROTO=<value>]                         // Protokoll
        [SRCIP=<ip-address>[/<netmask>]]        // source ip address(es)
        [DSTIP=<ip-address>[/<netmask>]]        // destination ip address(es)
        [SRCPORT=<port> | <port-range>]         // port number of source
        [DSTPORT=<port> | <port-range>]         // port number of destination
        [TOSFLD=<value>]                        // IPv4 TOS field
        [TCPSYNALLOWED={yes|no}]                // tcp SYN packets allowed
        [ICMPTYPE=<value>]                      // icmp type e.g. ping, pong
        [ININTERFACE={in|out|dmz|loopback}]     // the input interface
        [OUTINTERFACE={in|out|dmz|loopback}]    // the output interface

<SetOptions>::=

        [ACTION={pass [<PacketModifier>] | drop | reject [<ICMPi message>]}]
        [TIMER=<value>]                         // auch keep-alive
        [REFLEXIVE={yes|no}]
        [PRIORITYCLASS=<value>]
        [LOG=<value>]

<PacketModifier>::=

        [PROTO=<value>]                         // Protokoll
        [SRCIP=<ip-address>]                    // source ip address
        [DSTIP=<ip-address>]                    // destination ip address
        [SRCPORT=<port>]                        // port number of source
        [DSTPORT=<port>]                        // port number of destination
        [TOSFLD=<value>]                        // IPv4 TOS field

<ICMP message>::=

ICMPMESSAGE=<value>

<Response>::=

        <Protocol_Name_And_Version> <Transaction Number>
        <StatusCode> [<QueryResponse> | <NatQueryResponse>]

<QueryResponse>::=

<PME> <SetOptions> [; <PME> <SetOptions> ]*

<NatQueryResponse>::=

IP=<value> PORT=<value> [UPPERPORT=<value>]

<StatusCode>::=

        {200 OK |
        400 Bad Request |
        401 Unauthorized |
        402 Invalid Control State Field Value |
        403 Forbidden |
        480 Priority Class Conflict |
        500 Server Internal Error |
        501 Not Implemented |
        502 Service Unavaiable |
        503 Version Not Supported }

Description:

SET:

• inserts a rule according to the PME, _after_ a QUERYNAT returned an ip-address and port.
• is also for used for keep-alive messages by using the timer (s.b.)

RELEASE:

• deletes a rule, which was inserted by SET

QUERY:

• returns all rules matching the PME
• if there's no PME defined, all rules will be returned

QUERYNAT:

• queries for NATi, by retrieving ip-adress and port for the protocol from the fcp-server
• the result is either the local ip and port (in case there's no NAT used) or a reserved but not yet connected port on the firewall, which will be used for the connection. Use SET to open the port and start NAT.
• by using UPPERPORT, a range of Ports is assigned for the range of clients' Ports starting at PORT.
• if UPPERPORT is not specified, it defaults to the single Port behaviour.

RELEASENAT:

• releases a reserved ip and port tuple for the protocol
• releasing the lowest port of a portrange (queried by using UPPERPORT) results in releasing the hole portrange
• deletes a NAT rule

Transaction Number (SEQ):

• is being used by the server to refer to a clients request.

PROTO:

• possible values: 1=ICMP 6=TCP 17=UDP (see IANAi's Assigned protocol number)
• if not specified: 6
• the type of protocol this expression is according to
• used in QUERYNAT, a value of 1 doesn't make sense and will return status code 400

UPPERPORT:

• possible values: an port number higher than PORT (in QUERYNAT)
• if not specified QUERYNAT will be performed for a single port address.
• is used for NATting a straight group of ports starting at PORT

SRCIP:

• posible values ip-address: from 0.0.0.0 to 255.255.255.255
• posible values netmask: from 0.0.0.0 to 255.255.255.255
• if not specified: 0.0.0.0/0.0.0.0
• the ip-adress(es) where the packets (seem to) come from

DSTIP:

• posible values ip-address: from 0.0.0.0 to 255.255.255.255
• posible values netmask: from 0.0.0.0 to 255.255.255.255
• if not specified: 0.0.0.0/0.0.0.0
• the destination ip-adress(es) of the packets

SRCPORT:

• possible values port: 0 to 65535
• possible values port-range: "x-y" with x<y and x,y from 0 to 65535
• if not specified: any source port will be allowed
• the source port or port range

DSTPORT:

• possible values port: from 0 to 65535 (see IANA's Assigned port numbers)
• possible values port-range: "x-y" with x<y and x,y from 0 to 65535
• if not specified: any destination port will be allowed
• the destination port or port range

TOSFLD: (see RFC1349 and RFC2474)

• possible values: frmo 0 to 255 (8 bit mask)
• if not specified: 0
• the type of service like specified in RFC?

TCPSYNALLOWED:

• possible values: yes, no
• if not specified: no SYN packets allowed
• defines whether packets with only the SYN flag set are allowed to pass the firewall

ICMPTYPE:

• possible values: all icmp types
• if not specified: the icmptype will be ignored while matching
• matches only on the specified icmp-type

ININTERFACE:

• possible values: in, out, dmz, loopback
• if not specified: the expression matches any input interface
• "in" stands for the interfaces(es) to the internal network "out" stands for the interfaces(es) to the external network "dmz" stands for the interfaces(es) to the demilitarized zone "loopback" stands for services on the firewall

OUTINTERFACE:

• possible values: in, out, dmz, loopback
• if not specified: the expression matches any output interface
• "in" stands for the interfaces(es) to the internal network "out" stands for the interfaces(es) to the external network "dmz" stands for the interfaces(es) to the demilitarized zone "loopback" stands for services on the firewall

ACTION:

• possible values: pass, drop, reject
• if not specified: no action will be performed (besides logging if specified)
• specifies what will be done with the packet

TIMER:

• possible values: 1 to 255
• if not specified: 5
• sets the timeout in minutes. a keep alive message is needed before the timer exceeds.

REFLEXIVE:

• possible values: yes, no
• if not specified: no
• sets whether the rule should be reflexive. this might not be implemented within the firewall, so a return status-code 501 is possible. (Note: in this case it is still possible to use TCPSYNALLOWED mentioned above)

PRIORITYCLASS:

• possible values: 0 to 2^32 (=4294967296)
• if not specified: 0
• sets the priority class in which the rule will be inserted. Note: if action doesnt match the priority class' default ACTION, status code 480 will be returned. Priority classes are defined within server configuration. 0 means default policy.

LOG:

• possible values: 0 to 255
• if not specified: 0
• sets the log-level for the rule. Log Levels are defined in server configuration. Anyway 0 means no logging at all. Note: no error will be returned if the specified log level isn't configured, instead no logging is set. Logging definitions may be configured with time intervals.
• example configuration might be: log-level 42: log every 10 seconds if there was a matching packet.

ICMPMESSAGE:

• possible values: any of standard icmp-messages (ipchains -h icmp for list :-) (see IANA's ICMP assigned number
• if not specified: packet will be rejected without any ICMP message.
• sets the icmp message which will be returnd to the sender of the rejected packet.