Many protocols require multiple TCP connections or multiple UDP data
streams. In some protocols, the host playing the role of "server" makes
connections to the host playing the role of "client"; although the client
generally initiates the first connection, the server may initiate subsequent
connections. For many commonly used protocols, such as FTP, the PIX Firewall
scans the application layer data to find the ports on which connections may be
opened from server to client, and selectively permits the connections that have
been negotiated in the protocol. However, the PIX Firewall software does not
have support for every possible protocol.
The established command allows the PIX
Firewall to deliver traffic associated with protocols for which the firewall
software does not have specific support. When the
established command is in force, an outside server
can make a TCP or UDP connection to any inside host with which it already has a
TCP or UDP connection established. The assumption is that the new connection is
part of an unknown multiconnection protocol. The
permitto and permitfrom
parameters to the established command restrict the ports these additional
connections may use: permitto limits the destination ports that can be reached
on the inside host, and permitfrom limits the source ports the outside host may
use. There is, however, no way to designate specific inside hosts to which the
established command should or should not apply.
The established command creates a relatively
wide opening in the firewall. If there is any existing
connection between an inside and an outside host, additional connections may be
created in either direction. Unless the permitto
and/or permitfrom keywords have been used, these
connections may use any port number on either host.
Conduits, created with the static and
conduit commands, provide a way for the firewall
administrator to permit access from outside the firewall to selected ports on
hosts inside the firewall. A conduit might, for example, be used to provide
access to a mail server by allowing outside hosts to connect to TCP port 25 on
the mail host.
The two features interact in a way that has surprised some firewall
administrators. Suppose that a PIX Firewall has the established
tcp command in its configuration file, and that a conduit has
been created to allow outside hosts to connect to port 25 on an inside mail
server, host A. If outside host B uses this conduit to connect to host A's mail
service, a TCP connection is created. As long as that connection to A's mail
port is active, the established command will permit host B to make additional
connections to other ports on host A (any port at all, unless permitto or
permitfrom has narrowed the range). Since host B can initiate mail connections
at will, and can hold them open for as long as it wants, the net effect is that
host B can make a TCP connection to any port on host A at any time.
Users who make this configuration error are generally under one of two
misconceptions about the established command. The facts are that:

1. The existence of any connection between an inside and an outside host is
sufficient for the established command to permit connections from the outside
host to the inside host. The direction in which the original connection was
made is not checked.

2. The established command has its full effect even if the existing connection
was made to a well-known port. Even though the original connection may involve
a protocol that is supported by the PIX Firewall software, the established
command will still permit subsequent connections.
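The following is an added illustration, not code from this advisory or from the PIX Firewall software. It is a small Python model of exactly the behaviour the text describes (a conduit admits outside hosts to one inside port; while any connection exists between an inside and an outside host, a per-protocol established rule admits further connections from that outside host, narrowed only by permitto and permitfrom port ranges) and walks through the host A / host B scenario above, then shows how a permitto range changes the outcome and why it still cannot exclude a particular inside host. The addresses, port numbers and method names are this model's own constructed assumptions, not PIX CLI syntax.

```python
"""Toy model of the PIX 'established'/conduit interaction described in the
advisory.  Added illustration, not PIX Firewall code: it encodes only the
behaviour the text states.  Addresses, ports and method names are
constructed for this example; permitto is modelled as a destination-port
range on the inside host and permitfrom as a source-port range on the
outside host (assumption stated in the lead-in)."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

PortRange = Tuple[int, int]


@dataclass(frozen=True)
class Conn:
    proto: str
    outside: str
    outside_port: int
    inside: str
    inside_port: int


@dataclass
class Pix:
    # (proto, inside_host, inside_port) triples opened with static + conduit
    conduits: set = field(default_factory=set)
    # proto -> (permitto range, permitfrom range); None means any port
    established: dict = field(default_factory=dict)
    # connections currently known to the firewall
    table: set = field(default_factory=set)

    def add_conduit(self, proto: str, inside: str, port: int) -> None:
        self.conduits.add((proto, inside, port))

    def add_established(self, proto: str, permitto: Optional[PortRange] = None,
                        permitfrom: Optional[PortRange] = None) -> None:
        self.established[proto] = (permitto, permitfrom)

    def inbound(self, proto: str, outside: str, sport: int,
                inside: str, dport: int) -> bool:
        """Decide an outside->inside connection attempt; record it if allowed."""
        conn = Conn(proto, outside, sport, inside, dport)
        if (proto, inside, dport) in self.conduits:
            self.table.add(conn)
            return True
        rule = self.established.get(proto)
        if rule is None:
            return False
        # Any existing connection between the two hosts suffices; which side
        # opened it is not examined, as the advisory states.
        if not any(c.outside == outside and c.inside == inside for c in self.table):
            return False
        permitto, permitfrom = rule
        if permitto and not permitto[0] <= dport <= permitto[1]:
            return False
        if permitfrom and not permitfrom[0] <= sport <= permitfrom[1]:
            return False
        self.table.add(conn)
        return True

    def close(self, conn: Conn) -> None:
        self.table.discard(conn)


# Constructed hosts: A = inside mail server, C = inside web server, B = outside.
A, C, B = "10.1.1.25", "10.1.1.80", "192.0.2.7"


def bare_established() -> dict:
    """Conduit to TCP/25 plus a bare 'established tcp': the surprise."""
    fw = Pix()
    fw.add_conduit("tcp", A, 25)
    fw.add_established("tcp")
    result = {"telnet_before_mail": fw.inbound("tcp", B, 40000, A, 23)}
    result["smtp_via_conduit"] = fw.inbound("tcp", B, 40001, A, 25)
    result["telnet_during_mail"] = fw.inbound("tcp", B, 40002, A, 23)
    # No 'established udp' was configured, so UDP is not opened up.
    result["udp_during_mail"] = fw.inbound("udp", B, 40003, A, 161)
    # Once every B<->A connection is gone, the opening closes again.
    fw.close(Conn("tcp", B, 40001, A, 25))
    fw.close(Conn("tcp", B, 40002, A, 23))
    result["telnet_after_close"] = fw.inbound("tcp", B, 40004, A, 23)
    return result


def ranged_established() -> dict:
    """Same conduits, 'established' narrowed with a constructed permitto range."""
    fw = Pix()
    fw.add_conduit("tcp", A, 25)
    fw.add_conduit("tcp", C, 80)
    fw.add_established("tcp", permitto=(5000, 5010))
    fw.inbound("tcp", B, 40001, A, 25)
    result = {
        "telnet_during_mail": fw.inbound("tcp", B, 40002, A, 23),
        "high_port_during_mail": fw.inbound("tcp", B, 40003, A, 5005),
    }
    # permitto cannot single out hosts: the web server is opened the same way.
    fw.inbound("tcp", B, 40004, C, 80)
    result["other_host_also_exposed"] = fw.inbound("tcp", B, 40005, C, 5005)
    return result
```

Running bare_established() shows telnet to A denied before the SMTP connection exists, allowed while it is open, and denied again only after every B-to-A connection has closed; ranged_established() shows that a permitto range blocks port 23 but still exposes the permitted range on every inside host reachable through a conduit, which is the review point the advisory asks administrators to make.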
Cisco will update the PIX Firewall documentation to clarify these
Because the reasons for using the
established command differ from installation to
installation, there is no configuration change that will work for all users.
Cisco recommends that all customers whose PIX Firewall configuration files
contain both conduits and the established command
review their configurations to make sure that those configurations implement
the expected security policies.
The established command was meant as a
special measure for users with relatively unusual situations, and Cisco does
not recommend its routine use. If the established
command is used, port ranges should almost always be specified using the