
established command

Status
Not open for further replies.

Donachie

Technical User
Jan 31, 2005
80
GB
I need to configure a pix to allow x-windows to pass through it. The connection is initiated from the client side - but then there are back connections from the server side.

There is no fixup for the x-windows protocol but I have read something about the 'established' command - however I can't seem to find anything that explains what the syntax or use of this command is.

Does anyone out there have any experience of this command?
 
I don't think that the "established" key word applies to the pix. It's used on routers to make sure that replies to outgoing connections are let back in. The Pix is a stateful firewall and so allows replies back in.

If an X server talks back to the client on a different port and there is no fixup for this, then your only option would be to allow this in an ACL, but this would require a static NAT translation for the client behind the firewall.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
This is taken from the Cisco web page regarding the command established:

established
Permit return connections on ports other than those used for the originating connection based on an established connection.

[no] established <est_protocol> <dport> [sport] [permitto <protocol> <port>[-<port>]] [permitfrom <protocol> <port>[-<port>]]

clear established

show established

Syntax Description
dest_port
Specifies the destination port to use for the established connection lookup. This is the originating traffic's destination port and may be specified as 0 if the protocol does not specify which destination port(s) will be used. Use wildcard ports (0) only when necessary.

permitfrom
Used to specify the return traffic's protocol and from which source port(s) the traffic will be permitted.

permitto
Used to specify the return traffic's protocol and to which destination port(s) the traffic will be permitted.

src_port
Specifies the source port to use for the established connection lookup. This is the originating traffic's source port and may be specified as 0 if the protocol does not specify which source port(s) will be used. Use wildcard ports (0) only when necessary.




Command Modes
Configuration mode.

Usage Guidelines
The established command allows outbound connections return access through the PIX Firewall. This command works with two connections, an original connection outbound from a network protected by the PIX Firewall and a return connection inbound between the same two devices on an external host.

The first protocol, destination port, and optional source port specified are for the initial outbound connection. The permitto and permitfrom options refine the return inbound connection.



--------------------------------------------------------------------------------

Note We recommend that you always specify the established command with the permitto and permitfrom options. Without these options, the use of the established command opens a security hole that can be exploited for attack of your internal systems. See the "Security Problem" section that follows for more information.


--------------------------------------------------------------------------------

The permitto option lets you specify a new protocol or port for the return connection at the PIX Firewall.

The permitfrom option lets you specify a new protocol or port at the remote server.

The no established command disables the established feature.

The clear established command removes all established command statements from your configuration.



--------------------------------------------------------------------------------

Note For the established command to work properly, the client must listen on the port specified with the permitto option.


--------------------------------------------------------------------------------

You can use the established command with the nat 0 command statement (where there are no global command statements).



--------------------------------------------------------------------------------

Note The established command cannot be used with Port Address Translation (PAT).


--------------------------------------------------------------------------------

The established command works as shown in the following format:

established A B C permitto D E permitfrom D F


This command works as though it were written "If there exists a connection between two hosts using protocol A from src port B destined for port C, permit return connections through the PIX Firewall via protocol D (D can be different from A), if the source port(s) correspond to F and the destination port(s) correspond to E."

For example:

established tcp 6060 0 permitto tcp 6061 permitfrom tcp 6059


In this case, if a connection is started by an internal host to an external host using TCP source port 6060 and any destination port, the PIX Firewall permits return traffic between the hosts via TCP destination port 6061 and TCP source port 6059.

For example:

established udp 0 6060 permitto tcp 6061 permitfrom tcp 1024-65535


In this case, if a connection is started by an internal host to an external host using UDP destination port 6060 and any source port, the PIX Firewall permits return traffic between the hosts via TCP destination port 6061 and TCP source port 1024-65535.

Security Problem

The established command has been enhanced to optionally specify the destination port used for connection lookups. Only the source port could be specified previously with the destination port being 0 (a wildcard). This addition allows more control over the command and provides support for protocols where the destination port is known, but the source port is not.

The established command can potentially open a large security hole in the PIX Firewall if not used with discretion. Whenever you use this command, if possible, also use the permitto and permitfrom options to indicate ports to which and from which access is permitted. Without these options, external systems to which connections are made could make unrestricted connections to the internal host involved in the connection. The following are examples of potentially serious security violations that could be allowed when using the established command.

For example:

established tcp 0 4000


In this example, if an internal system makes a TCP connection to an external host on port 4000, then the external host could come back in on any port using any protocol:

established tcp 0 0 (Same as previous releases established tcp 0 command.)


Examples
The following example occurs when a local host 10.1.1.1 starts a TCP connection on port 9999 to a foreign host 209.165.201.1. The example allows packets from the foreign host 209.165.201.1 on port 4242 back to local host 10.1.1.1 on port 5454.

established tcp 9999 permitto tcp 5454 permitfrom tcp 4242


The next example allows packets from foreign host 209.165.201.1 on any port back to local host 10.1.1.1 on port 5454:

established tcp 9999 permitto tcp 5454

XDMCP Support

PIX Firewall now provides support for XDMCP (X Display Manager Control Protocol) with assistance from the established command.

XDMCP is on by default, but will not complete the session unless the established command is used.

For example:

established tcp 0 6000 permitto tcp 6000 permitfrom tcp 1024-65535


This enables the internal XDMCP equipped (UNIX or ReflectionX) hosts to access external XDMCP equipped XWindows servers. UDP/177 based XDMCP negotiates a TCP based XWindows session and subsequent TCP back connections will be permitted. Because the source port(s) of the return traffic is unknown, the src_port field should be specified as 0 (wildcard). The destination port, dest_port, will typically be 6000; the well-known XServer port. The dest_port should be 6000 + n; where n represents the local display number. Use the following UNIX command to change this value.

setenv DISPLAY hostname:displaynumber.screennumber


The established command is needed because many TCP connections are generated (based on user interaction) and the source port for these connections is unknown. Only the destination port will be static. The PIX Firewall does XDMCP fixups transparently. No configuration is required, but the established command is necessary to accommodate the TCP session. Be advised that using applications like this through the PIX Firewall may open up security holes. The XWindows system has been exploited in the past and newly introduced exploits are likely to be discovered.
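To make the lookup semantics in the quoted Cisco text concrete, here is a small Python model written for this thread; it is not Cisco code and does not emulate any real PIX release. It follows the "A B C" reading given above (protocol, source port and destination port of the original outbound connection, the three-port-argument form only) and models just the rule matching, not the XDMCP fixup or the firewall's connection table. The hosts 10.1.1.1 and 209.165.201.1 are the ones from the Cisco examples; the ephemeral port 40123, the scenario and the function names are constructed for the illustration. The part worth keeping for a config review is `is_unrestricted`: a statement without both permitto and permitfrom lets the remote host back in on any protocol and any port, which is exactly the hole the documentation warns about.

```python
"""Toy model of the PIX 'established' command semantics as described in the
quoted Cisco text. Added illustration for this thread; not Cisco code."""
from dataclasses import dataclass
from typing import Optional, Tuple

PortRange = Tuple[int, int]      # inclusive (lo, hi); (0, 0) is the wildcard
Permit = Tuple[str, PortRange]   # (protocol, port range) for permitto/permitfrom


def parse_ports(spec: str) -> PortRange:
    """'6061' -> (6061, 6061); '1024-65535' -> (1024, 65535); '0' -> wildcard."""
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return (int(lo), int(hi))
    port = int(spec)
    return (port, port)


def port_in(rng: PortRange, port: int) -> bool:
    return rng == (0, 0) or rng[0] <= port <= rng[1]


@dataclass(frozen=True)
class Connection:
    proto: str
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int


@dataclass
class EstablishedRule:
    """One 'established A B C [permitto D E] [permitfrom D F]' statement:
    A = protocol, B = source port, C = destination port of the ORIGINAL
    outbound connection (the 'A B C' explanation in the quoted text)."""
    est_proto: str
    src_port: PortRange
    dst_port: PortRange
    permitto: Optional[Permit] = None
    permitfrom: Optional[Permit] = None

    @classmethod
    def parse(cls, line: str) -> "EstablishedRule":
        tokens = line.split()
        if tokens[:1] != ["established"] or len(tokens) < 4:
            raise ValueError("expected: established <proto> <sport> <dport> ...")
        rule = cls(tokens[1], parse_ports(tokens[2]), parse_ports(tokens[3]))
        i = 4
        while i < len(tokens):
            keyword, proto, ports = tokens[i], tokens[i + 1], tokens[i + 2]
            if keyword == "permitto":
                rule.permitto = (proto, parse_ports(ports))
            elif keyword == "permitfrom":
                rule.permitfrom = (proto, parse_ports(ports))
            else:
                raise ValueError(f"unexpected token {keyword!r}")
            i += 3
        return rule

    def is_unrestricted(self) -> bool:
        """True when the statement has neither permitto nor permitfrom: the
        return path is then open to ANY protocol and port (the documented hole)."""
        return self.permitto is None and self.permitfrom is None

    def matches_original(self, conn: Connection) -> bool:
        return (conn.proto == self.est_proto
                and port_in(self.src_port, conn.src_port)
                and port_in(self.dst_port, conn.dst_port))

    def permits_return(self, original: Connection, ret: Connection) -> bool:
        """Would this statement let 'ret' (external -> internal) through, given
        that 'original' (internal -> external) exists in the connection table?"""
        same_hosts = (ret.src_host == original.dst_host
                      and ret.dst_host == original.src_host)
        if not same_hosts or not self.matches_original(original):
            return False
        if self.permitto is not None:          # constrains the return DESTINATION port
            proto, ports = self.permitto
            if ret.proto != proto or not port_in(ports, ret.dst_port):
                return False
        if self.permitfrom is not None:        # constrains the return SOURCE port
            proto, ports = self.permitfrom
            if ret.proto != proto or not port_in(ports, ret.src_port):
                return False
        return True


# Constructed scenario using the addresses from the quoted Cisco examples.
INSIDE, OUTSIDE = "10.1.1.1", "209.165.201.1"
XDMCP_RULE = "established tcp 0 6000 permitto tcp 6000 permitfrom tcp 1024-65535"


def x11_back_connection_allowed(rule_line: str, ret_src_port: int, display: int) -> bool:
    """Internal host has a TCP session to the external host on port 6000 in the
    table; does a back connection from ret_src_port to 6000+display get through?"""
    rule = EstablishedRule.parse(rule_line)
    original = Connection("tcp", INSIDE, 40123, OUTSIDE, 6000)  # constructed ephemeral port
    ret = Connection("tcp", OUTSIDE, ret_src_port, INSIDE, 6000 + display)
    return rule.permits_return(original, ret)


if __name__ == "__main__":
    print(x11_back_connection_allowed(XDMCP_RULE, 1025, 0))   # True
    print(x11_back_connection_allowed(XDMCP_RULE, 80, 0))     # False: source port below 1024
    print(x11_back_connection_allowed(XDMCP_RULE, 1025, 1))   # False: display :1 needs dest 6001
    print(EstablishedRule.parse("established tcp 0 4000").is_unrestricted())  # True: flag it
```

Note that display :1 is refused by the XDMCP statement because permitto names 6000 only; as the quoted text says, dest_port has to be 6000 + n for each local display number in use, so each display needs its own statement rather than a wider permitto range.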

 