华三防火墙针对TCP协议会话的ASPF机制探究

不涉及

不涉及

ASPF（Advanced Stateful Packet Filter，高级状态包过滤）是为了解决包过滤防火墙存在的问题而提出的概念，主要功能有

·              应用层协议检测：检查应用层协议信息，如报文的协议类型和端口号等信息，并且监控每一个连接的应用层协议状态。对于所有连接，每一个连接状态信息都将被ASPF维护，并用于动态地决定数据包是否被允许通过防火墙进入内部网络，以阻止恶意的入侵。

·              传输层协议检测：检测传输层协议信息，包括TCP协议、UDP协议、UDP-Lite协议、SCTP协议、Raw IP协议、ICMP协议、ICMPv6协议和DCCP协议。例如TCP/UDP检测，能够根据源、目的地址及端口号决定TCP或UDP报文是否可以通过防火墙进入内部网络。

·              ICMP差错报文检测：正常ICMP差错报文中均携带有本报文对应连接的相关信息，根据这些信息可以匹配到相应的连接。如果匹配失败，则根据当前配置决定是否丢弃该ICMP报文。

·              TCP连接首包检测：对TCP连接的首报文进行检测，查看是否为SYN报文，如果不是SYN报文则根据当前配置决定是否丢弃该报文。缺省情况下，不丢弃非SYN首包，适用于不需要严格TCP协议状态检查的组网场景。例如当防火墙设备首次加入网络时，网络中原有TCP连接的非首包在经过新加入的设备时如果被丢弃，会中断已有的连接，造成不好的用户体验，因此建议暂且不丢弃非SYN首包，等待网络拓扑稳定后，再开启非SYN首包丢弃功能。

对于ASPF的研究可以参考该案例：H3C防火墙ASPF状态检测机制

本案例针对TCP协议简述防火墙处理流程

常见的TCP状态机流程图如下：

先说结论，目前防火墙默认syn包，和ack报文在策略允许的情况下可以建立会话，syn+ack，fin+ack，reset+ack不可以建立会话。

syn包建立会话以及syn/ack无法建立会话这些观点应该没有问题，下面测试ack报文能否建立会话：

Receiving, interface = M-GigabitEthernet1/0/0/0

version = 4, headlen = 20, tos = 0

pktlen = 40, pktid = 53008, offset = 0, ttl = 128, protocol = 6

checksum = 56064, s = 10.153.43.154, d = 10.63.16.77

channelID = 0, vpn-InstanceIn = 0, vpn-InstanceOut = 0.

VsysID = 1

prompt: Receiving IP packet from interface M-GigabitEthernet1/0/0/0.

Payload: TCP

  source port = 4151, destination port = 80

  sequence num = 0x270bd60e, acknowledgement num = 0xd89bde2f, flags = 0x10

  window size = 65535, checksum = 0x9aa9, header length = 20.

 

 

*Jan 13 18:45:06:648 2024 F5080D_1 SESSION/7/TABLE:

 Tuple5(EVENT): 10.153.43.154/4151-->10.63.16.77/80(TCP(6))

 Session entry was created.

*Jan 13 18:45:06:648 2024 F5080D_1 FILTER/7/PACKET: The packet is permitted. Src-ZOne=Management, Dst-ZOne=DMZ;If-In=M-GigabitEthernet1/0/0/0(325), If-Out=Route-Aggregation1.100(337); Packet Info:Src-IP=10.153.43.154, Dst-IP=10.63.16.77, VPN-Instance=, Src-MacAddr=0024-e8ae-161f,Src-Port=4151, Dst-Port=80, Protocol=TCP(6), Application=http(31),Terminal=invalid(0), Url-category=invalid(65535), SecurityPolicy=any, Rule-ID=0.

 

*Jan 13 18:45:06:648 2024 F5080D_1 IPFW/7/IPFW_PACKET:

Sending, interface = Route-Aggregation1.100

version = 4, headlen = 20, tos = 0

pktlen = 40, pktid = 53008, offset = 0, ttl = 127, protocol = 6

checksum = 56320, s = 10.153.43.154, d = 10.63.16.77

channelID = 0, vpn-InstanceIn = 0, vpn-InstanceOut = 0.

VsysID = 1

prompt: Sending IP packet received from interface M-GigabitEthernet1/0/0/0 at interface Route-Aggregation1.100.

Payload: TCP

  source port = 4151, destination port = 80

  sequence num = 0x270bd60e, acknowledgement num = 0xd89bde2f, flags = 0x10

  window size = 65535, checksum = 0x9aa9, header length = 20.

查看会话计数，确实收到一个报文就建立会话：

RBM_P<F5080D_1>disp session ta ipv4 dest 80 v

Slot 0 in chassis 1:

Initiator:

  Source      IP/port: 10.153.43.154/4151

  Destination IP/port: 10.63.16.77/80

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: M-GigabitEthernet1/0/0/0

  Source security zone: Management

Responder:

  Source      IP/port: 10.63.16.77/80

  Destination IP/port: 10.153.43.154/4151

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: Route-Aggregation1.100

  Source security zone: DMZ

State: TCP_ESTABLISHED

Application: HTTP

Rule ID: 0

Rule name: any

Start time: 2024-01-13 18:45:06  TTL: 1194s

Initiator->Responder:            1 packets         40 bytes

 

Responder->Initiator:            0 packets          0 bytes

如果收到正向的syn报文能否转发呢，答案是可以：

RBM_P<F5080D_1>disp session ta ipv4 dest 80 v

Slot 0 in chassis 1:

Initiator:

  Source      IP/port: 10.153.43.154/4151

  Destination IP/port: 10.63.16.77/80

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: M-GigabitEthernet1/0/0/0

  Source security zone: Management

Responder:

  Source      IP/port: 10.63.16.77/80

  Destination IP/port: 10.153.43.154/4151

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: Route-Aggregation1.100

  Source security zone: DMZ

State: TCP_ESTABLISHED

Application: HTTP

Rule ID: 0

Rule name: any

Start time: 2024-01-13 18:45:06  TTL: 1196s

Initiator->Responder:            2 packets         88 bytes

 

Responder->Initiator:            0 packets          0 bytes

如果收到反向的syn/ack或者syn能否转发呢，答案还是可以。

RBM_P<F5080D_1>disp session ta ipv4 dest 80 v

Slot 0 in chassis 1:

Initiator:

  Source      IP/port: 10.153.43.154/4151

  Destination IP/port: 10.63.16.77/80

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: M-GigabitEthernet1/0/0/0

  Source security zone: Management

Responder:

  Source      IP/port: 10.63.16.77/80

  Destination IP/port: 10.153.43.154/4151

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: Route-Aggregation1.100

  Source security zone: DMZ

State: TCP_ESTABLISHED

Application: HTTP

Rule ID: 0

Rule name: any

Start time: 2024-01-13 18:45:06  TTL: 1171s

Initiator->Responder:            2 packets         88 bytes

Responder->Initiator:            1 packets         48 bytes

---------------------------------------------------------------------------------

Slot 0 in chassis 1:

Initiator:

  Source      IP/port: 10.153.43.154/4151

  Destination IP/port: 10.63.16.77/80

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: M-GigabitEthernet1/0/0/0

  Source security zone: Management

Responder:

  Source      IP/port: 10.63.16.77/80

  Destination IP/port: 10.153.43.154/4151

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: Route-Aggregation1.100

  Source security zone: DMZ

State: TCP_ESTABLISHED

Application: HTTP

Rule ID: 0

Rule name: any

Start time: 2024-01-13 18:45:06  TTL: 1193s

Initiator->Responder:            2 packets         88 bytes

 

Responder->Initiator:            2 packets         96 bytes

有些友商的机制和我司实现并不相同，譬如：

我司可以使用如下命令配置ACK报文无法建立会话：

tcp syn-check命令用来开启非SYN的TCP首报文丢弃功能。

undo tcp syn-check命令用来关闭非SYN的TCP首报文丢弃功能。

【命令】

tcp syn-check

undo tcp syn-check

【缺省情况】

非SYN的TCP首报文丢弃功能处于关闭状态。

【视图】

ASPF策略视图

【缺省用户角色】

network-admin

mdc-admin

vsys-admin

【使用指导】

ASPF对TCP连接的首报文进行检测，查看是否为SYN报文，如果不是SYN报文则根据当前配置决定是否丢弃该报文。

当设备首次加入网络时，网络中原有TCP连接的非首包在经过新加入的设备时如果被丢弃，会中断已有的连接，造成不好的用户体验，因此建议暂且不丢弃非SYN首包，等待网络拓扑稳定后，再开启非SYN首包丢弃功能。

【举例】

# 设置ASPF策略1丢弃非SYN的TCP首报文。

<Sysname> system-view

[Sysname] aspf policy 1

[Sysname-aspf-policy-1] tcp syn-check