Defining an Inspection Rule

The inspection rule defines the IP traffic monitored by CBAC. The ip inspect name command enables you to define a set of inspection rules. Table 15-4 shows the ip inspect command parameters:

ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
no ip inspect name [inspection-name protocol]

Table 15-4. ip inspect name Command Parameters

inspection-name
    Names the set of inspection rules. If you want to add a protocol to an existing set of rules, use the same inspection-name as the existing set of rules.

protocol
    A protocol keyword listed in (FTP, Java, SMTP, and so on).

alert {on | off}
    (Optional) For each inspected protocol, the generation of alert messages can be set to on or off. If the no option is selected, alerts are generated based on the setting of the ip inspect alert-off command.

audit-trail {on | off}
    (Optional) For each inspected protocol, the audit trail can be set on or off. If the no option is selected, audit trail messages are generated based on the setting of the ip inspect audit-trail command.

http
    (Optional) Specifies the HTTP protocol for Java applet blocking.

timeout seconds
    (Optional) To override the global TCP or UDP idle timeouts for the specified protocol, specify the number of seconds for a different idle timeout.
    This timeout overrides the global TCP and UDP timeouts but does not override the global DNS timeout.

java-list access-list
    (Optional) Specifies the ACL (name or number) to use to determine "friendly" sites. This keyword is available only for the HTTP protocol for Java applet blocking. Java blocking only works with standard ACLs.

rpc program-number number
    Specifies the program number to permit. This keyword is available only for the RPC protocol.

wait-time minutes
    (Optional) Specifies the number of minutes to keep a small hole in the firewall to allow subsequent connections from the same source address and to the same destination address and port. The default wait time is 0 minutes. This keyword is available only for the RPC protocol.

fragment
    Specifies fragment inspection for the named rule.

max number
    (Optional) Specifies the maximum number of unassembled packets for which state information (structures) is allocated by Cisco IOS Software. Unassembled packets are packets that arrive at the Cisco IOS Firewall interface before the initial packet for a session. The acceptable range is from 50 to 10,000. The default is 256 state entries.
    Memory is allocated for the state structures, and setting this value to a larger number might cause memory resources to be exhausted.

timeout seconds (fragmentation)
    (Optional) Configures the number of seconds that a packet state structure remains active. When the timeout value expires, the Cisco IOS Firewall drops the unassembled packet, freeing that structure for use by another packet. The default timeout value is 1 second.
    If this number is set to a value greater than 1 second, it is automatically adjusted by the Cisco IOS Software when the number of free state structures goes below certain thresholds: when the number of free states is less than 32, the timeout is divided by 2; when the number of free states is less than 16, the timeout is set to 1.

Usually, one inspection rule is defined per interface. Sometimes, however, you might want to inspect traffic in both directions on a single firewall interface. In these situations, you should configure two rules, one for each direction. An inspection rule is built from a series of ip inspect name statements, each listing one protocol and specifying the same inspection rule name.
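As an added example that is not taken from the book, the following configuration builds one inspection rule from several ip inspect name statements using the parameters in Table 15-4, defines a second rule for the opposite direction, and applies both to a single interface. The interface name, ACL number, timeout values and RPC program number are assumed sample values chosen for illustration.

```cisco
! Added example, not from the book. Interface name, ACL number, timeouts and
! the RPC program number are assumed sample values.
!
! Global settings that the per-protocol alert / audit-trail keywords override
ip inspect audit-trail
no ip inspect alert-off
!
! Standard ACL naming the "friendly" Java sites (java-list requires a standard ACL)
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any
!
! Rule OUTBOUND: sessions initiated from the trusted LAN.
! Every statement repeats the same inspection-name so the protocols
! accumulate into one rule.
ip inspect name OUTBOUND tcp timeout 900
ip inspect name OUTBOUND udp timeout 60
ip inspect name OUTBOUND ftp audit-trail on
ip inspect name OUTBOUND smtp alert on
! Block Java applets except from sites matched by ACL 10
ip inspect name OUTBOUND http java-list 10
! Permit only RPC program 100005 (sample value) and keep the return hole
! open for 2 minutes after the first connection
ip inspect name OUTBOUND rpc program-number 100005 wait-time 2
! Fragment inspection: up to 512 unassembled-packet state entries, each
! held for 2 seconds (IOS shortens this automatically when free entries
! drop below 32 and then 16)
ip inspect name OUTBOUND fragment max 512 timeout 2
!
! Rule INBOUND: a second, separate rule for the other direction on the
! same interface
ip inspect name INBOUND tcp
ip inspect name INBOUND udp
!
interface FastEthernet0/0
 description Trusted LAN
 ip inspect OUTBOUND in
 ip inspect INBOUND out
!
! Verify the resulting rule set and timeouts
! show ip inspect config
```

The per-protocol timeout values replace the global TCP and UDP idle timeouts only for the protocols they are attached to; the global DNS timeout is unaffected.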
