While writing software to convert Cisco ACLs to VyOS’s firewall syntax I got to wondering what the ‘established’ keyword meant on TCP ACLs. Although my Internet facing ACL is connected to CBAC (and therefore stateful), my inter-vLAN ACLs are stateless, and so the ‘established’ keyword comes up a lot. Additionally, I have yet to successfully get the VyOS stateful firewall working so I needed to convert the Cisco ‘established’ to the VyOS equivalent.
I wrote a script that called nmap with all 64 combinations of TCP flags and send the traffic from a host to a destination in another vLAN across my IOS router. The destination ran tcpdump to collect the data. Firstly the script ran without any access-list to verify that the destination saw all 64 packets, and secondly with an access-list with the ‘established’ keyword set.
The results were:
| RST | RST,PSH | RST,URG | RST,PSH,URG |
| RST,FIN | RST,FIN,PSH | RST,FIN,URG | RST,FIN,PSH,URG |
| RST,ACK | RST,ACK,PSH | RST,ACK,URG | RST,ACK,PSH,URG |
| RST,FIN,ACK | RST,FIN,ACK,PSH | RST,FIN,ACK,URG | RST,FIN,ACK,PSH,URG |
| ACK | ACK,PSH | ACK,URG | ACK,PSH,URG |
| ACK,SYN | ACK,SYN,PSH | ACK,SYN,URG | ACK,SYN,PSH,URG |
| ACK,FIN | ACK,FIN,PSH | ACK,FIN,URG | ACK,FIN,PSH,URG |
Of 64 possible combinations 28 are permitted. Note that the second, third and fourth columns are the first column plus ‘PSH’, ‘URG’, and ‘PSH,URG’
The table can be summarised as:
- ‘RST’ with all flags except ‘SYN’ (16 combinations)
- ‘ACK’, ‘ACK,SYN’, ‘ACK,FIN’ with ‘PSH’,’URG’, and ‘PSH,URG’