How to create firewall rules to block traffic with ToS bits?

  • Article ID: 118061
  • Updated: 13 Nov 2013


Known to apply to the following Sophos product(s) and version(s)


Sophos UTM v9
Sophos UTM v8
Sophos UTM

Operating systems
UTM Linux

What To Do

Background:

Some ISPs, such as DeutscheTelekom, impose extra costs if they should route traffic with special ToS bits. This is an extra service because they provide such traffic automatically via their backbone.

Some applications, such as telephony or IP TV, add ToS bits automatically to the IP Header without any chance to deactivate it via the GUI. As a result, the customer has to pay extra money each month because its not trackable.

Generally these ToS Bits are filtered by DeutscheTelekom:

Normal-Service 0x00
Minimize-Cost 0x02
Maximize-Reliability 0x04
Maximize-Throughput 0x08
Minimize-Delay 0x10

Solution at the UTM Gateway to drop this traffic:

  • Login to the shell via loginuser and switch to the root user.
  • create the following file:
    vi /etc/init.d/ipmangle.local
  • insert five iptables rules into this file:
    iptables -A FORWARD -m tos --tos 0x00 -j DROP
    iptables -A FORWARD -m tos --tos 0x02 -j DROP
    iptables -A FORWARD -m tos --tos 0x04 -j DROP
    iptables -A FORWARD -m tos --tos 0x08 -j DROP
    iptables -A FORWARD -m tos --tos 0x10 -j DROP


    Instead of using DROP, you can use the Parameter LOGDROP. Then each dropped packet will be written into the packetfilter logfile.
  • modify the rights of the file:
    chmod 0700 /etc/init.d/ipmangle.local
  • Restart the middleware to enable the rules:
    Attention: this restart will cause a short break of all connections at the gateway
    /etc/init.d/mdw restart

 

 
If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent

Comments