XFW Filtration Rules
Tempesta xFW allows only the IPv4, IPv6, ARP, ICMPv4 and ICMPv6, GRE, TCP and UDP protocols. All other L3 and L4 protocols are blocked. Tempesta xFW also blocks fragmented IPv4 and IPv6 packets as malicious.
RFC 8955 and RFC 8956 Filtering
Most BGP FlowSpec filtering rules specified in RFC 8955 and RFC 8956 can be implemented in Tempesta xFW.
RFC 8955 Section 4.2.2.1 / RFC 8956 Section 3.1: Destination Prefix
Destination Filter applies this rule on a per-IP basis. Netmask (prefix) rules are planned for the 1.2 release.
RFC 8955 Section 4.2.2.2 / RFC 8956 Section 3.2: Source Prefix
Source Filter implements source netmask (prefix) filtering.
RFC 8955 Section 4.2.2.3 / RFC 8956 Section 3.3: IP Protocol
IP Filter filters IP packets by next-level protocol ID.
RFC 8955 Section 4.2.2.4: Port
Source and destination ports must be specified separately in the source and destination filters, respectively.
RFC 8955 Section 4.2.2.5: Destination Port
Destination Filter implements this rule on a per-port and per-address basis.
RFC 8955 Section 4.2.2.6: Source Port
Source Filter implements source-port filtering, which can be specified without IP addresses.
RFC 8955 Section 4.2.2.7 / RFC 8956 Section 3.4: ICMPv4 and ICMPv6 Type
ICMP Filter implements this rule.
RFC 8955 Section 4.2.2.8 / RFC 8956 Section 3.5: ICMPv4 and ICMPv6 Code
This rule is planned for the 1.2 release.
RFC 8955 Section 4.2.2.9: TCP Flags
TCP Anomaly Filter lets you specify prohibited TCP flag combinations.
RFC 8955 Section 4.2.2.10: Packet Length
This rule is planned for the 1.2 release.
RFC 8955 Section 4.2.2.11: DSCP (Differentiated Services Code Point)
Filtering by this field is not currently planned. If you need it, please open a new issue.
RFC 8955 Section 4.2.2.12 / RFC 8956 Section 3.6: Fragment
At the moment, IP Anomaly Filter blocks all IP fragments.
Configurable handling of IP fragments is planned for the 1.2 release.
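The C program below is an added illustration of the rule semantics described on this page (the L4 protocol allowlist, unconditional dropping of IP fragments, source-prefix matching, destination-port matching and prohibited TCP flag combinations). It is not Tempesta xFW code and does not use its configuration syntax; it is a self-contained toy filter that evaluates constructed IPv4 packets, and the policy values it uses (deny source 192.0.2.0/24, deny TCP destination port 23, deny SYN+FIN and flag-less TCP segments) are assumptions chosen for the example. IPv6 and ARP handling is left out.

```c
/* Toy packet filter illustrating the rule semantics on this page.
 * Constructed example, not Tempesta xFW code. IPv4 only. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum verdict { PASS, DROP_PROTO, DROP_FRAG, DROP_SRC_PREFIX,
               DROP_DST_PORT, DROP_TCP_FLAGS, DROP_MALFORMED };

/* IANA protocol numbers; the allowlist mirrors the page: ICMP, GRE, TCP, UDP. */
#define PROTO_ICMP 1
#define PROTO_TCP  6
#define PROTO_UDP  17
#define PROTO_GRE  47

/* TCP flag bits as found in byte 13 of the TCP header */
#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_ACK 0x10

/* IPv4 flags/fragment-offset field: the MF bit and the 13-bit offset */
#define IP_MF      0x2000
#define IP_OFFMASK 0x1fff

/* Constructed policy (assumption for this example). */
static const uint32_t DENY_SRC_NET  = 0xC0000200u; /* 192.0.2.0 */
static const uint32_t DENY_SRC_MASK = 0xFFFFFF00u; /* /24 */
static const uint16_t DENY_DPORT    = 23;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static int proto_allowed(uint8_t proto) {
    return proto == PROTO_ICMP || proto == PROTO_TCP || proto == PROTO_UDP || proto == PROTO_GRE;
}

/* Prohibited combinations: no flags at all, SYN together with FIN, SYN together with RST. */
static int tcp_flags_prohibited(uint8_t flags) {
    uint8_t f = flags & 0x3f;
    if (f == 0) return 1;
    if ((f & (TCP_SYN | TCP_FIN)) == (TCP_SYN | TCP_FIN)) return 1;
    if ((f & (TCP_SYN | TCP_RST)) == (TCP_SYN | TCP_RST)) return 1;
    return 0;
}

/* Evaluate one raw IPv4 packet; checks are ordered cheapest-first. */
enum verdict filter_ipv4(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return DROP_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl) return DROP_MALFORMED;

    uint8_t proto = pkt[9];
    if (!proto_allowed(proto)) return DROP_PROTO;

    /* Every fragment, first or later, is dropped (as the page's IP Anomaly Filter does). */
    uint16_t frag = rd16(pkt + 6);
    if ((frag & IP_MF) || (frag & IP_OFFMASK)) return DROP_FRAG;

    if ((rd32(pkt + 12) & DENY_SRC_MASK) == DENY_SRC_NET) return DROP_SRC_PREFIX;

    if (proto == PROTO_TCP) {
        if (len < ihl + 20) return DROP_MALFORMED;
        const uint8_t *tcp = pkt + ihl;
        if (rd16(tcp + 2) == DENY_DPORT) return DROP_DST_PORT;
        if (tcp_flags_prohibited(tcp[13])) return DROP_TCP_FLAGS;
    }
    return PASS;
}

/* Build a minimal IPv4 header (plus a 20-byte TCP header for TCP) into buf; constructed input. */
size_t build_pkt(uint8_t *buf, uint32_t src, uint8_t proto, uint16_t frag_field,
                 uint16_t dport, uint8_t tcp_flags) {
    memset(buf, 0, 40);
    buf[0] = 0x45;                                   /* version 4, IHL 5 */
    buf[6] = (uint8_t)(frag_field >> 8); buf[7] = (uint8_t)frag_field;
    buf[8] = 64; buf[9] = proto;
    buf[12] = (uint8_t)(src >> 24); buf[13] = (uint8_t)(src >> 16);
    buf[14] = (uint8_t)(src >> 8);  buf[15] = (uint8_t)src;
    buf[16] = 198; buf[17] = 51; buf[18] = 100; buf[19] = 10; /* dst 198.51.100.10 */
    size_t len = 20;
    if (proto == PROTO_TCP) {
        buf[20] = 0xC0; buf[21] = 0x00;              /* sport 49152 */
        buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
        buf[32] = 0x50;                              /* data offset 5 */
        buf[33] = tcp_flags;
        len = 40;
    }
    buf[2] = (uint8_t)(len >> 8); buf[3] = (uint8_t)len;
    return len;
}

/* Convenience wrapper: build one packet and run it through the filter. */
enum verdict eval_case(uint32_t src, uint8_t proto, uint16_t frag_field,
                       uint16_t dport, uint8_t tcp_flags) {
    uint8_t buf[40];
    size_t n = build_pkt(buf, src, proto, frag_field, dport, tcp_flags);
    return filter_ipv4(buf, n);
}

int main(void) {
    static const char *names[] = { "PASS", "DROP_PROTO", "DROP_FRAG", "DROP_SRC_PREFIX",
                                   "DROP_DST_PORT", "DROP_TCP_FLAGS", "DROP_MALFORMED" };
    printf("SYN to 443:      %s\n", names[eval_case(0x0A000001u, PROTO_TCP, 0, 443, TCP_SYN)]);
    printf("ESP (proto 50):  %s\n", names[eval_case(0x0A000001u, 50, 0, 0, 0)]);
    printf("UDP fragment:    %s\n", names[eval_case(0x0A000001u, PROTO_UDP, IP_MF, 0, 0)]);
    printf("from 192.0.2.5:  %s\n", names[eval_case(0xC0000205u, PROTO_TCP, 0, 443, TCP_SYN)]);
    printf("SYN+FIN:         %s\n", names[eval_case(0x0A000001u, PROTO_TCP, 0, 443, TCP_SYN | TCP_FIN)]);
    return 0;
}
```

The check order matters for what a log line would say: a SYN+FIN segment arriving inside a fragment is reported as a fragment drop, not a flag drop, because the cheaper header checks run first. Real products order these checks differently, so treat the verdict names here as illustrative.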