Services

A service is a definition of a specific IP protocol together with its parameters. The http service, for instance, is defined as TCP with destination port 80.

Services are passive: they cannot carry out any action in the firewall on their own. A service definition therefore carries no information about whether the traffic should be allowed through the firewall or not; that decision is made entirely by the firewall rules, in which the service is used as a filter parameter. For more information about how to use services in rules, see the Rules section.

In almost all cases, service definitions are the same throughout all firewalls in a network. The http service, for instance, should be defined to use port 80 regardless of which firewall uses it. For this reason, the recommendation is to place services in namespace configurations rather than in local firewall configurations. In fact, the Global Namespace contains by default a large number of pre-defined services that cover many of the application protocols used on the Internet today.

General parameters

A number of parameters are common to all types of services. These are found on the first page, named Service, of the service properties dialog box.

Name - Specifies the name of the service.

Type - The type of the service. Can be one of TCP, UDP, TCP/UDP, ICMP, IPProto or Group; each type is described in its own section below.

Pass returned ICMP error messages from destination - ICMP error messages are sent in several situations, for example when an IP packet cannot reach its destination. The purpose of these error control messages is to provide feedback about problems in the communication environment.

However, ICMP error messages and firewalls are usually not a good combination. The error message is originated by the destination host (or by a router on the path to it) and sent back to the originating host, so the firewall sees it as a new, unrelated connection and drops it unless the rule-set explicitly allows it. Allowing all inbound ICMP just to let those error messages through is not a good idea either: reconnaissance techniques such as firewalking use ICMP messages to map the networks behind a firewall.

To solve this problem, Amaranten Firewall can be instructed to pass an ICMP error message only if it is related to an existing connection. Check this option to enable this behaviour for connections using this service.

SYN flood protection - Enabling this option protects the destination addresses of connections using this service from SYN flooding, by means of a mechanism called SYN Relay.

Application Layer Gateway - Specifies which Application Layer Gateway should be used to manage this service. For more information, see the section Application Layer Gateways.

Max Sessions - Specifies how many concurrent sessions are permitted for this service. This parameter is only available for services with an Application Layer Gateway enabled.

TCP and UDP based services

If the service type has been specified as TCP, UDP or TCP/UDP, the second page of the service properties dialog box is used to specify the TCP and UDP source and destination ports.

For many services a single destination port is sufficient; the http service, for instance, uses destination port 80. In this case any source port (0-65535) is accepted. To use a single destination port, select the Destination Port option and enter the port number in the corresponding text box.

The second option is to define a service as using source and destination port ranges. A port range is inclusive, meaning that a range 137-139 covers ports 137, 138 and 139.

Multiple ranges or individual ports may also be entered, separated by commas. For instance, a service can be defined as having source ports 1024-65535 and destination ports 80-82, 90-92, 95. In this case, a TCP or UDP packet with the destination port being one of 80, 81, 82, 90, 91, 92 or 95, and the source port being in the range 1024-65535, will match this service.

To use port ranges, select the Port Ranges option and enter the port ranges in the source and destination edit boxes, respectively.

ICMP based services

If the type of the service has been specified as ICMP, the second page of the service properties dialog box is used to specify ICMP Message Types and Codes.

An ICMP message carries a Message Type, which determines the kind and format of the message, and a Code, which further qualifies it. For example, the Destination Unreachable type uses the Code to specify the exact reason for the error.

If the All ICMP Message Types option is selected, this service matches all 256 possible ICMP Message Types (the type field is eight bits wide).

Selecting the ICMP Message Types option allows for individual message types and codes to be specified.

In the sample shown to the right, the Destination Unreachable message type (type 3) has been checked and the corresponding Codes edit box contains the codes 0, 1, 2 and 3. The result is that this service matches four specific Destination Unreachable messages: Network unreachable (0), Host unreachable (1), Protocol unreachable (2) and Port unreachable (3). If the Codes edit box is left blank, the service matches all codes of the corresponding message type.

User-defined IP protocol

When the service type is IPProto, an IP protocol number may be specified on the second page of the service properties dialog box. To have the service match the GRE protocol, for example, specify IP protocol 47. A list of all assigned IP protocol numbers can be found at http://www.isi.edu/in-notes/iana/assignments/protocol-numbers.

IP protocol ranges can be used to cover several IP protocols with one service. An IP protocol range works like the TCP and UDP port ranges described above; the specification 1-4, 7 matches protocols 1 (ICMP), 2 (IGMP), 3 (GGP), 4 (IP-in-IP) and 7 (CBT).

Service groups

Services can be grouped to simplify configuration. Consider a web server that serves both plain http and SSL-encrypted http (https). Instead of creating two separate rules, one per service, a service group named, for instance, Web can be created with the http and https services as members, and a single rule can then allow both.

To create a service group, first select Group as the service type, then specify the group members on the second page of the service properties dialog box. In the sample shown to the right, a service group named E-mail has been created containing the three services SMTP, POP3 and IMAP. When this E-mail group is used in the firewall rule-set, a single rule matches all three e-mail protocols.
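
The following is an added example, not Amaranten Firewall code, that models the four kinds of service definition described above (TCP/UDP port ranges, ICMP message types and codes, IP protocol ranges, and groups) and shows exactly which packets each one matches. The class and function names, the packet model and the sample services (the http, https, E-mail and 80-82, 90-92, 95 definitions from this page, plus a few constructed ones) are this example's own; a blank range specification stands for the blank source-port or Codes box and means "everything".

```python
# Added example (not Amaranten Firewall code): a small model of the service
# types on this page, showing exactly which packets a definition matches.
# Class/function names and the sample services are this example's own.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

Ranges = Tuple[Tuple[int, int], ...]            # inclusive (low, high) pairs
PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_GRE = 1, 6, 17, 47
ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED = 3, 11  # message types, RFC 792


def parse_ranges(spec: str, low: int = 0, high: int = 65535) -> Ranges:
    """Parse '80-82, 90-92, 95' into inclusive ranges ('137-139' covers 137,
    138 and 139). A blank spec means everything in low..high (all source
    ports, or all codes of an ICMP type). Bad ranges raise ValueError."""
    spec = spec.strip()
    if not spec:
        return ((low, high),)
    ranges = []
    for part in spec.split(","):
        first, _, last = part.strip().partition("-")
        a, b = int(first), (int(last) if last else int(first))
        if not (low <= a <= b <= high):
            raise ValueError(f"range {part.strip()!r} not within {low}-{high}")
        ranges.append((a, b))
    return tuple(ranges)


def in_ranges(value: int, ranges: Ranges) -> bool:
    return any(lo <= value <= hi for lo, hi in ranges)


@dataclass(frozen=True)
class Packet:                 # the header fields a service definition looks at
    proto: int
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


@dataclass
class PortService:            # type TCP, UDP or TCP/UDP
    name: str
    protos: FrozenSet[int]
    dports: Ranges
    sports: Ranges = ((0, 65535),)   # single-port form: any source port accepted

    def matches(self, p: Packet) -> bool:
        return (p.proto in self.protos and in_ranges(p.sport, self.sports)
                and in_ranges(p.dport, self.dports))


@dataclass
class IcmpService:            # type ICMP
    name: str
    types: Optional[Dict[int, Ranges]]   # None = "All ICMP Message Types"

    def matches(self, p: Packet) -> bool:
        if p.proto != PROTO_ICMP:
            return False
        if self.types is None:
            return True
        codes = self.types.get(p.icmp_type)   # blank Codes box -> (0, 255)
        return codes is not None and in_ranges(p.icmp_code, codes)


@dataclass
class IpProtoService:         # type IPProto: a protocol number or range
    name: str
    protos: Ranges

    def matches(self, p: Packet) -> bool:
        return in_ranges(p.proto, self.protos)


@dataclass
class ServiceGroup:           # type Group: any member matching is a match
    name: str
    members: tuple

    def matches(self, p: Packet) -> bool:
        return any(m.matches(p) for m in self.members)


def tcp(name: str, dports: str, sports: str = "") -> PortService:
    return PortService(name, frozenset({PROTO_TCP}), parse_ranges(dports),
                       parse_ranges(sports))


# Sample definitions, constructed for this example.
HTTP, HTTPS = tcp("http", "80"), tcp("https", "443")
WEB = ServiceGroup("Web", (HTTP, HTTPS))
EMAIL = ServiceGroup("E-mail", (tcp("smtp", "25"), tcp("pop3", "110"),
                                tcp("imap", "143")))
MULTI_RANGE = tcp("multi-range", "80-82, 90-92, 95", sports="1024-65535")
DEST_UNREACH_0_3 = IcmpService("dest-unreach",
                               {ICMP_DEST_UNREACH: parse_ranges("0-3", 0, 255)})
TIME_EXCEEDED = IcmpService("time-exceeded",
                            {ICMP_TIME_EXCEEDED: parse_ranges("", 0, 255)})
ALL_ICMP = IcmpService("all-icmp", None)
GRE = IpProtoService("gre", parse_ranges("47", 0, 255))
LEGACY_PROTOS = IpProtoService("legacy", parse_ranges("1-4, 7", 0, 255))
SERVICES = (HTTP, HTTPS, WEB, EMAIL, MULTI_RANGE, DEST_UNREACH_0_3,
            TIME_EXCEEDED, ALL_ICMP, GRE, LEGACY_PROTOS)


def matching_services(p: Packet, services=SERVICES) -> Tuple[str, ...]:
    """Names of every definition the packet matches (rules decide the action)."""
    return tuple(s.name for s in services if s.matches(p))
```

Two things worth noticing when running it: a TCP packet from source port 1023 to port 91 matches nothing, because the 1024-65535 source range is checked as strictly as the destination range; and an ICMP Destination Unreachable packet matches not only the ICMP definitions but also the IPProto range 1-4, 7, since protocol 1 is ICMP. Services only classify traffic; whether a matching packet is allowed is still decided by the rule that uses the service.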

For more information about how to add and remove group members, see the section Working with groups.