FCP rough specs + description - v.016 - 2001-01-15 - Nils Ohlmeier [1], Ulrich Abend [2]

updated by Jiri Kuthan [3]

feedback provided by Jan Janak [4]

priority 2 features are blue colored; they will be implemented in the second stage;

examples [5] are attached

The protocol specification follows the SMTPi [6]/HTTP/SIP request-response, textual, AVP protocol family. Letter capitalization does not matter. Unknown AVPs may be ignored by receivers. Multiple transactionsi [7] may utilize a single transport channel (TCP connection).^MAll FCP-maintained rules are uniquely identified by packet-matching expressions (regardless if their elements are specified explicitly or by a default value).

---

<FCP>::= {<Request>|<Response> } <EOL>

< EOL>::=[<CR>]<LF>

<Request>::=

        SET <RequestHeader> <PacketMatching Expression> [<SetOptions>] |
        RELEASE <RequestHeader> <PacketMatching Expression> |
        QUERY <RequestHeader> [<PacketMatching Expression>] |
        QUERYNAT <RequestHeader>
IP=<value> PORT=<value>
                   [UPPERPORT=<value>] PROTO=<value> |
        RELEASENAT <RequestHeader> IP=<value> PORT=<value> PROTO=<value>

<RequestHeader>::= <Protocol_Name_And_Version> <EOF> <Transaction Number>

<Protocol_Name_And_Version>::= FCP=1.0

<Transaction Number>::= SEQ=<value> <EOF>

<PacketMatchingExpression>::= "" |  <PacketMatchingExpression> <PMEMember> //  "" indiciates empty PME that matches every packet */

<PMEMember>::=

      { PROTO=<value>                       |  //
 Protokoll
        SRCIP=<ip-address>[/<netmask>]      |  // source ip address(es)
        DSTIP=<ip-address>[/<netmask>]      |  // destination ip address(es)
        SRCPORT={<port> | <port-range>}     |  // port number of source
        DSTPORT={<port> | <port-range>}     |  // port number of destination
        TOSFLD=<value>                   
nbsp;  |  // IPv4 TOS field
        TCPSYNALLOWED={yes|no}              |  // tcp SYN packets allowed
        ICMPTYPE=<value>                    |  // icmp type e.g. p
ing, pong
        ININTERFACE={in|out|dmz|loopback}   |  // the input interface
        OUTINTERFACE={in|out|dmz|loopback}  |  // the input interface
      } <EOF>

<netmask>::=<octet>.<octet>.<octet>.<octet>

<SetOptions>::=<Option> | <SetOption> <Option>

<Option>::=

      { ACTION={pass [<PacketModifier>] | drop | reject  [<ICMPi [8] message>]&nbs
p; }]
        TIMER=<value>                       
  // auch keep-alive
        REFLEXIVE={yes|no}
        PRIORITYCLASS=<value>
        LOG=<value>
      }  <EOF>

<PacketModifier> ::= ;<Modifier> | <PacketModifier> <Modifier>

<Modifier>::=

   {    [PROTO=<value>]              |         
;  // Protokoll
        [SRCIP=<ip-address>]         |           // source ip address
        [DSTIP=<ip-address>]         |           // destination ip address
        [SRCPORT=<port>]             |           // port number
 of source
        [DSTPORT=<port>]             |           // port number
 of destination
        [TOSFLD=<value>]                        // IPv4 TO
S field

   }

<ICMP message>::= ICMPMESSAGE=<value>

<Response>::=

        <Protocol_Name_And_Version> <StatusCode> <EOF>

<Transaction Number>
         [<QueryResponse> | <NatQueryResponse>]

<QueryResponse>::=<PacketMatchingExpression> <SetOptions> [; <EOF> <PacketMatchingExpression> <SetOptions> ]*

<NatQueryResponse>::=IP=<value> PORT=<value> [UPPERPORT=<value>]

<StatusCode>::=

      { 200 OK |
        201 Keeping Alive |
        202 Rule Changed  |
        400 Bad Request |
        401 Unauthorized |
        402 Invalid Control State Field Value |
        403 Forbidden |
        480 Priority Class Conflict |
        500 Server Internal Error |
        501 Not Implemented |
        502 Service Unavaiable |
        503 Version Not Supported

       }

---

Description:

SET:

• inserts a rule according to the PME, _after_ a QUERYNAT returned an ip-address and port.
• is also for used for keep-alive messages by using the timer (s.b.)

RELEASE:

• deletes a rule, which was inserted by SET

QUERY:

• returns all rules matching the PME
• if there's no PME defined, all rules will be returned

QUERYNAT:

• queries for NATi [9], by retrieving ip-adress and port for the protocol from the fcp-server
• the result is either the local ip and port (in case there's no NAT used) or a reserved but not yet connected port on the firewall, which will be used for the connection. Use SET to open the port and start NAT.
• by using UPPERPORT, a range of Ports is assigned for the range of clients' Ports starting at PORT.
• if UPPERPORT is not specified, it defaults to the single Port behaviour.

RELEASENAT:

• releases a reserved ip and port tuple for the protocol
• releasing the lowest port of a portrange (queried by using UPPERPORT) results in releasing the hole portrange
• deletes a NAT rule

Transaction Number (SEQ):

• is being used by the server to refer to a clients request.

PROTO:

• possible values: 1=ICMP6=TCP17=UDP (see IANAi [10]'s Assigned protocol number [11])
• if not specified: 6 (or "no change" if used in the packetmodifier context)
• the type of protocol this expression is according to
• used in QUERYNAT, a value of 1 doesn't make sense and will return status code 400

UPPERPORT:

• possible values: an port number higher than PORT (in QUERYNAT)
• if not specified QUERYNAT will be performed for a single port address.
• is used for NATting a straight group of ports starting at PORT

SRCIP:

• posible values ip-address: from 0.0.0.0 to 255.255.255.255
• posible values netmask: from 0.0.0.0 to 255.255.255.255
• if not specified: 0.0.0.0/0.0.0.0 (or "no change" if used in the packetmodifier context)
• the ip-adress(es) where the packets (seem to) come from

DSTIP:

• posible values ip-address: from 0.0.0.0 to 255.255.255.255
• posible values netmask: from 0.0.0.0 to 255.255.255.255
• if not specified: 0.0.0.0/0.0.0.0 (or "no change" if used in the packetmodifier context)
• the destination ip-adress(es) of the packets

SRCPORT:

• possible values port: 0 to 65535
• possible values port-range: "x-y" with x<y and x,y from 0 to 65535
• if not specified: any source port will be allowed (or "no change" if used in the packetmodifier context)
• the source port or port range

DSTPORT:

• possible values port: from 0 to 65535 (see IANA's Assigned port numbers [12])
• possible values port-range: "x-y" with x<y and x,y from 0 to 65535
• if not specified: any destination port will be allowed (or "no change" if used in the packetmodifier context)
• the destination port or port range

TOSFLD: (see RFC1349 [13] and RFC2474 [14])

• possible values: frmo 0 to 255 (8 bit mask)
• if not specified: 0 (or "no change" if used in the packetmodifier context)
• the type of service like specified in RFC?

TCPSYNALLOWED:

• possible values: yes, no
• if not specified: no SYN packets allowed
• defines whether packets with only the SYN flag set are allowed to pass the firewall

ICMPTYPE:

• possible values: all icmp types
• if not specified: the icmptype will be ignored while matching
• matches only on the specified icmp-type

ININTERFACE:

• possible values: in, out, dmz, loopback
• if not specified: the expression matches any input interface
• "in" stands for the interfaces(es) to the internal network "out" stands for the interfaces(es) to the external network "dmz" stands for the interfaces(es) to the demilitarized zone "loopback" stands for services on the firewall

OUTINTERFACE:

• possible values: in, out, dmz, loopback
• if not specified: the expression matches any output interface
• "in" stands for the interfaces(es) to the internal network "out" stands for the interfaces(es) to the external network "dmz" stands for the interfaces(es) to the demilitarized zone "loopback" stands for services on the firewall

ACTION:

• possible values: pass, drop, reject
• if not specified: no action will be performed (besides logging if specified)
• specifies what will be done with the packet

TIMER:

• possible values: 0, and positive integers; 0 indicates infinite timer
• if not specified: 5
• sets the timeout in seconds. a keep alive message is needed before the timer exceeds.

REFLEXIVE:

• possible values: yes, no
• if not specified: no
• sets whether the rule should be reflexive. this might not be implemented within the firewall, so a return status-code 501 is possible. (Note: in this case it is still possible to use TCPSYNALLOWED mentioned above)

PRIORITYCLASS:

• possible values: 0 to 2^32 (=4294967296)
• if not specified: 0
• sets the priority class in which the rule will be inserted. Note: if action doesnt match the priority class' default ACTION, status code 480 will be returned. Priority classes are defined within server configuration. 0 means default policy.

LOG:

• possible values: 0 to 255
• if not specified: 0
• sets the log-level for the rule. Log Levels are defined in server configuration. Anyway 0 means no logging at all. Note: no error will be returned if the specified log level isn't configured, instead no logging is set. Logging definitions may be configured with time intervals.
• example configuration might be: log-level 42: log every 10 seconds if there was a matching packet.

ICMPMESSAGE:

• possible values: any of standard icmp-messages (ipchains -h icmp for list :-) (see IANA's ICMP assigned number [15]
• if not specified: 'Host Unreachable will be sent' (ICMP Type 3 Code 1)
• sets the icmp message which will be returned to the sender of the rejected packet.

---

To be clarified: usage of <CR><LF>, blank spaces, parameter separators.

---

Last modification: