Filtering settings which use destination IP addresses (direct specification / range specification / address group)

Operation Confirmed Version:
 Brocade 5600vRouter Version4.2R1S1
This section describes the functions which accept or reject IP communications passing through the firewall.

Flow of the packet filtering settings

1. Setting the name of the packet filtering settings
2. Specifying the destination IP address and setting acceptance and rejection rules for the address
3. Setting acceptance and rejection rules for communications regarding IP addresses which do not apply to the rules made in Step 2
4. Specifying the filtering direction of the interface to which the packet filtering settings made in Step 1 are to be applied

Setting for rejecting communications forwarded to a specific destination IP address (direct specification)

Make settings to reject only communications forwarded to a specific destination IP address by means of the firewall interface.

Presumed case for sample setting

  • To reject communications forwarded to IP address “192.168.2.13”

  • To apply the setting to traffic input to interface “dp0s6”

  • To make settings for accepting all communications forwarded to destination IP addresses other than “192.168.2.13”

Configuration diagram
Fig11

Setting flow in a presumed case

1. Packet filtering setting name test_rule
2. Setting rule 10 by which packets whose destination IP address is “192.168.2.13” are rejected
3. Setting for accepting packets whose destination addresses are other than “192.168.2.13”
4. Applying in the input direction at the dp0s6 interface

Command to be entered with CLI

set interfaces dataplane dp0s6 firewall in 'test_rule'
set security firewall name test_rule default-action 'accept'
set security firewall name test_rule rule 10 action 'drop'
set security firewall name test_rule rule 10 destination address '192.168.2.13'

Note

To apply the filtering setting in the output direction under the same policy as the presumed case, specify “out test_rule” instead of “in test_rule” on the dp0s6 interface.

The configuration after completion of appropriate settings is as follows.
interfaces {
       dataplane dp0s4 {
               address 192.168.1.50/24
       }
       dataplane dp0s5 {
               address 192.168.2.50/24
       }
       dataplane dp0s6 {
               address 192.168.3.5/24
               firewall {
                       in test_rule
               }
       }
}
security {
       firewall {
               name test_rule {
                       default-action accept
                       rule 10 {
                               action drop
                               destination {
                                       address 192.168.2.13
                               }
                       }
               }
       }
}

Operation check result

The verification result log below shows that communications from server “192.168.3.3” in the configuration diagram to “192.168.2.12” succeeded while communications to “192.168.2.13” failed, which confirms that the packet filtering function worked.
#192.168.2.12 -> OK

test@web1:~$ ping 192.168.2.12
PING 192.168.2.12 (192.168.2.12) 56(84) bytes of data.
64 bytes from 192.168.2.12: icmp_seq=1 ttl=63 time=2.84 ms
64 bytes from 192.168.2.12: icmp_seq=2 ttl=63 time=1.72 ms
64 bytes from 192.168.2.12: icmp_seq=3 ttl=63 time=1.32 ms
64 bytes from 192.168.2.12: icmp_seq=4 ttl=63 time=1.62 ms
^C
--- 192.168.2.12 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 1.320/1.878/2.844/0.579 ms


#192.168.2.13 -> NG

test@web1:~$ ping 192.168.2.13
PING 192.168.2.13 (192.168.2.13) 56(84) bytes of data.
^C
--- 192.168.2.13 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 6040ms

Setting for accepting only communications forwarded to a specific destination IP address (direct specification)

Make settings for accepting and forwarding only communications forwarded to a specific destination IP address and
for rejecting communications forwarded to other IP addresses by means of the firewall interface.

Presumed case for sample setting

  • To accept and forward only communications forwarded to destination IP address “192.168.2.13”

  • To apply the setting to traffic input to interface “dp0s6”

  • To reject and stop all communications forwarded to destination IP addresses other than “192.168.2.13”

Configuration diagram
Fig12

Setting flow in a presumed case

1. Packet filtering setting name test_rule
2. Setting rule 10 by which packets whose destination IP address is “192.168.2.13” are accepted
3. Setting for rejecting packets whose destination addresses are other than “192.168.2.13”
4. Applying in the input direction at the dp0s6 interface

Command to be entered with CLI

set interfaces dataplane dp0s6 firewall in 'test_rule'
set security firewall name test_rule default-action 'drop'
set security firewall name test_rule rule 10 action 'accept'
set security firewall name test_rule rule 10 destination address '192.168.2.13'

Note

To apply the filtering setting in the output direction under the same policy as the presumed case, specify “out test_rule” instead of “in test_rule” on the dp0s6 interface.

The configuration after completion of appropriate settings is as follows.
interfaces {
       dataplane dp0s4 {
               address 192.168.1.50/24
       }
       dataplane dp0s5 {
               address 192.168.2.50/24
       }
       dataplane dp0s6 {
               address 192.168.3.5/24
               firewall {
                       in test_rule
               }
       }
}
security {
       firewall {
               name test_rule {
                       default-action drop
                       rule 10 {
                               action accept
                               destination {
                                       address 192.168.2.13
                               }
                       }
               }
       }
}

Operation check result

The verification result log below shows that communications (Ping) forwarded to “192.168.2.13” succeeded while communications forwarded to “192.168.2.12” failed, which confirms that the packet filtering function worked.
#192.168.2.12 -> NG

test@web1:~$ ping 192.168.2.12
PING 192.168.2.12 (192.168.2.12) 56(84) bytes of data.
^C
--- 192.168.2.12 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3022ms


#192.168.2.13 -> OK

test@web1:~$ ping 192.168.2.13
PING 192.168.2.13 (192.168.2.13) 56(84) bytes of data.
64 bytes from 192.168.2.13: icmp_seq=1 ttl=63 time=4.63 ms
64 bytes from 192.168.2.13: icmp_seq=2 ttl=63 time=2.73 ms
64 bytes from 192.168.2.13: icmp_seq=3 ttl=63 time=2.63 ms
64 bytes from 192.168.2.13: icmp_seq=4 ttl=63 time=3.58 ms
^C
--- 192.168.2.13 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 2.638/3.399/4.638/0.806 ms

Setting for rejecting communications forwarded to a specific range of destination IP addresses (range specification)

Make settings to reject communications forwarded to a specific range of destination IP addresses by means of the firewall interface and
to forward communications forwarded to other destination IP addresses.

Presumed case for sample setting

  • To reject communications forwarded to destination IP address “192.168.2.12/30”

  • To apply the setting to traffic input to interface “dp0s6”

  • To forward all communications forwarded to destination IP addresses other than “192.168.2.12/30”

Note

The hosts in the range “192.168.2.12/30” are those having the following four IP addresses: “192.168.2.12”, “192.168.2.13”, “192.168.2.14”, and “192.168.2.15”.

Configuration diagram
Fig13

Setting flow in a presumed case

1. Packet filtering setting name test_rule
2. Setting rule 10 by which packets whose destination IP address is within “192.168.2.12/30” are rejected
3. Setting for accepting packets whose destination addresses are other than “192.168.2.12/30”
4. Applying in the input direction at the dp0s6 interface

Command to be entered with CLI

set interfaces dataplane dp0s6 firewall in 'test_rule'
set security firewall name test_rule default-action 'accept'
set security firewall name test_rule rule 10 action 'drop'
set security firewall name test_rule rule 10 destination address '192.168.2.12/30'

Note

To apply the filtering setting in the output direction under the same policy as the presumed case, specify “out test_rule” instead of “in test_rule” on the dp0s6 interface.

The configuration after completion of appropriate settings is as follows.
interfaces {
       dataplane dp0s4 {
               address 192.168.1.50/24
       }
       dataplane dp0s5 {
               address 192.168.2.50/24
       }
       dataplane dp0s6 {
               address 192.168.3.5/24
               firewall {
                       in test_rule
               }
       }
}
security {
       firewall {
               name test_rule {
                       default-action accept
                       rule 10 {
                               action drop
                               destination {
                                       address 192.168.2.12/30
                               }
                       }
               }
       }
}

Operation check result

The verification result log below shows that communications (Ping) forwarded to “192.168.2.6” succeeded while communications forwarded to “192.168.2.12” and “192.168.2.13”, both within “192.168.2.12/30”, failed, which confirms that the packet filtering function worked.
#192.168.2.6 -> OK

test@web1:~$ ping 192.168.2.6
PING 192.168.2.6 (192.168.2.6) 56(84) bytes of data.
64 bytes from 192.168.2.6: icmp_seq=1 ttl=63 time=3.35 ms
64 bytes from 192.168.2.6: icmp_seq=2 ttl=63 time=1.72 ms
64 bytes from 192.168.2.6: icmp_seq=3 ttl=63 time=1.24 ms
64 bytes from 192.168.2.6: icmp_seq=4 ttl=63 time=1.22 ms
64 bytes from 192.168.2.6: icmp_seq=5 ttl=63 time=1.43 ms
64 bytes from 192.168.2.6: icmp_seq=6 ttl=63 time=1.19 ms
^C
--- 192.168.2.6 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5007ms
rtt min/avg/max/mdev = 1.193/1.695/3.352/0.762 ms


#192.168.2.12 -> NG

test@web1:~$ ping 192.168.2.12
PING 192.168.2.12 (192.168.2.12) 56(84) bytes of data.
^C
--- 192.168.2.12 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 6046ms


#192.168.2.13 -> NG

test@web1:~$ ping 192.168.2.13
PING 192.168.2.13 (192.168.2.13) 56(84) bytes of data.
^C
--- 192.168.2.13 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5040ms

Setting for accepting only communications forwarded to a specific range of destination IP addresses (range specification)

Make settings to accept and forward only communications forwarded to a specific range of destination IP addresses and
to reject communications forwarded to other IP addresses by means of the firewall interface.

Presumed case for sample setting

  • To accept and forward only communications forwarded to destination IP addresses within “192.168.2.4/30”

  • To apply the setting to traffic input to interface “dp0s6”

  • To reject all communications forwarded to destination IP addresses other than “192.168.2.4/30”

Note

The hosts in the range “192.168.2.4/30” are those having the following four IP addresses: “192.168.2.4”, “192.168.2.5”, “192.168.2.6”, and “192.168.2.7”.

Configuration diagram
Fig13

Setting flow in a presumed case

1. Packet filtering setting name test_rule
2. Setting rule 10 by which packets whose destination IP address is within “192.168.2.4/30” are accepted
3. Setting for rejecting packets whose destination addresses are other than “192.168.2.4/30”
4. Applying in the input direction at the dp0s6 interface

Command to be entered with CLI

set interfaces dataplane dp0s6 firewall in 'test_rule'
set security firewall name test_rule default-action 'drop'
set security firewall name test_rule rule 10 action 'accept'
set security firewall name test_rule rule 10 destination address '192.168.2.4/30'

Note

To apply the filtering setting in the output direction under the same policy as the presumed case, specify “out test_rule” instead of “in test_rule” on the dp0s6 interface.

The configuration after completion of appropriate settings is as follows.
interfaces {
       dataplane dp0s4 {
               address 192.168.1.50/24
       }
       dataplane dp0s5 {
               address 192.168.2.50/24
       }
       dataplane dp0s6 {
               address 192.168.3.5/24
               firewall {
                       in test_rule
               }
       }
}
security {
       firewall {
               name test_rule {
                       default-action drop
                       rule 10 {
                               action accept
                               destination {
                                       address 192.168.2.4/30
                               }
                       }
               }
       }
}

Operation check result

The verification result log below shows that communications (Ping) forwarded to “192.168.2.6”, which is within “192.168.2.4/30”, succeeded while communications forwarded to “192.168.2.12” and “192.168.2.13” failed, which confirms that the packet filtering function worked.
#192.168.2.6 -> OK

test@web1:~$ ping 192.168.2.6
PING 192.168.2.6 (192.168.2.6) 56(84) bytes of data.
64 bytes from 192.168.2.6: icmp_seq=1 ttl=63 time=3.33 ms
64 bytes from 192.168.2.6: icmp_seq=2 ttl=63 time=1.65 ms
64 bytes from 192.168.2.6: icmp_seq=3 ttl=63 time=1.77 ms
64 bytes from 192.168.2.6: icmp_seq=4 ttl=63 time=1.66 ms
64 bytes from 192.168.2.6: icmp_seq=5 ttl=63 time=1.66 ms
64 bytes from 192.168.2.6: icmp_seq=6 ttl=63 time=1.88 ms
64 bytes from 192.168.2.6: icmp_seq=7 ttl=63 time=2.07 ms
^C
--- 192.168.2.6 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6010ms
rtt min/avg/max/mdev = 1.655/2.008/3.339/0.564 ms

#192.168.2.12 -> NG

test@web1:~$ ping 192.168.2.12
PING 192.168.2.12 (192.168.2.12) 56(84) bytes of data.
^C
--- 192.168.2.12 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 6047ms


#192.168.2.13 -> NG

test@web1:~$ ping 192.168.2.13
PING 192.168.2.13 (192.168.2.13) 56(84) bytes of data.
^C
--- 192.168.2.13 ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 8064ms

Setting for rejecting communications forwarded to destination IP addresses registered in an address group (address group specification)

Define the address group and set IP addresses to be included in the group.
Make settings to reject communications forwarded to IP addresses registered in an address group by means of the firewall interface
and to accept and forward communications forwarded to other destination IP addresses.

Note

An address group is a named list in which multiple IP addresses are registered. Grouping allows one policy to be applied to every address in the list.

Presumed case for sample setting

  • To reject communications forwarded to IP addresses “192.168.2.12” and “192.168.2.13”

  • To set the addresses above as an address group

  • To apply the setting to traffic input to interface “dp0s6”

  • To forward all communications forwarded to destination IP addresses other than those registered in an address group

Configuration diagram
Fig13

Setting flow in a presumed case

1. Packet filtering setting name test_rule
2. Setting “192.168.2.12” and “192.168.2.13” as members of address group g1
3. Setting rule 10 by which packets whose destination IP is in address group g1 are rejected
4. Setting for accepting packets whose destination IP is not in address group g1
5. Applying in the input direction at the dp0s6 interface

Command to be entered with CLI

set interfaces dataplane dp0s6 firewall in 'test_rule'
set resources group address-group g1 address 192.168.2.12
set resources group address-group g1 address 192.168.2.13
set security firewall name test_rule default-action 'accept'
set security firewall name test_rule rule 10 action 'drop'
set security firewall name test_rule rule 10 destination address 'g1'

Note

To apply the filtering setting in the output direction under the same policy as the presumed case, specify “out test_rule” instead of “in test_rule” on the dp0s6 interface.

The configuration after completion of appropriate settings is as follows.
interfaces {
       dataplane dp0s4 {
               address 192.168.1.50/24
       }
       dataplane dp0s5 {
               address 192.168.2.50/24
       }
       dataplane dp0s6 {
               address 192.168.3.5/24
               firewall {
                       in test_rule
               }
       }
}
resources {
       group {
               address-group g1 {
                       address 192.168.2.12
                       address 192.168.2.13
               }
       }
}
security {
       firewall {
               name test_rule {
                       default-action accept
                       rule 10 {
                               action drop
                               destination {
                                       address g1
                               }
                       }
               }
       }
}

Operation check result

The verification result log below shows that communications (Ping) forwarded to “192.168.2.6” succeeded while communications forwarded to “192.168.2.12” and “192.168.2.13”, the members of address group g1, failed, which confirms that the packet filtering function worked.
#192.168.2.6 -> OK

test@web1:~$ ping 192.168.2.6
PING 192.168.2.6 (192.168.2.6) 56(84) bytes of data.
64 bytes from 192.168.2.6: icmp_seq=1 ttl=63 time=3.20 ms
64 bytes from 192.168.2.6: icmp_seq=2 ttl=63 time=1.42 ms
64 bytes from 192.168.2.6: icmp_seq=3 ttl=63 time=1.43 ms
64 bytes from 192.168.2.6: icmp_seq=4 ttl=63 time=1.18 ms
64 bytes from 192.168.2.6: icmp_seq=5 ttl=63 time=1.26 ms
64 bytes from 192.168.2.6: icmp_seq=6 ttl=63 time=1.31 ms
^C
--- 192.168.2.6 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5007ms
rtt min/avg/max/mdev = 1.186/1.638/3.204/0.706 ms

#192.168.2.12 -> NG

test@web1:~$ ping 192.168.2.12
PING 192.168.2.12 (192.168.2.12) 56(84) bytes of data.
^C
--- 192.168.2.12 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4030ms

#192.168.2.13 -> NG

test@web1:~$ ping 192.168.2.13
PING 192.168.2.13 (192.168.2.13) 56(84) bytes of data.
^C
--- 192.168.2.13 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3999ms

Setting for accepting only communications forwarded to destination IP addresses registered in an address group (address group specification)

Define the address group and set the IP addresses to be included in the group.
Make settings to accept and forward only communications forwarded to IP addresses registered in the address group and
to reject communications forwarded to other destination IP addresses by means of the firewall interface.

Note

An address group is a named list in which multiple IP addresses are registered. Grouping allows one policy to be applied to every address in the list.

Presumed case for sample setting

  • To accept and forward only communications forwarded to “192.168.2.6” and “192.168.2.12”

  • To set the addresses above as an address group

  • To apply the setting to traffic input to interface “dp0s6”

  • To reject all communications forwarded to destination IP addresses other than those registered in an address group

Configuration diagram
Fig14

Setting flow in a presumed case

1. Packet filtering setting name test_rule
2. Setting “192.168.2.6” and “192.168.2.12” as members of address group g1
3. Setting rule 10 by which packets whose destination IP is in address group g1 are accepted
4. Setting for rejecting packets whose destination IP is not in address group g1
5. Applying in the input direction at the dp0s6 interface

Command to be entered with CLI

set interfaces dataplane dp0s6 firewall in 'test_rule'
set resources group address-group g1 address 192.168.2.6
set resources group address-group g1 address 192.168.2.12
set security firewall name test_rule default-action 'drop'
set security firewall name test_rule rule 10 action 'accept'
set security firewall name test_rule rule 10 destination address 'g1'

Note

To apply the filtering setting in the output direction under the same policy as the presumed case, specify “out test_rule” instead of “in test_rule” on the dp0s6 interface.

The configuration after completion of appropriate settings is as follows.
interfaces {
       dataplane dp0s4 {
               address 192.168.1.50/24
       }
       dataplane dp0s5 {
               address 192.168.2.50/24
       }
       dataplane dp0s6 {
               address 192.168.3.5/24
               firewall {
                       in test_rule
               }
       }
}
resources {
       group {
               address-group g1 {
                       address 192.168.2.6
                       address 192.168.2.12
               }
       }
}
security {
       firewall {
               name test_rule {
                       default-action drop
                       rule 10 {
                               action accept
                               destination {
                                       address g1
                               }
                       }
               }
       }
}
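The following is an added example, not part of this page and not code from the vRouter software: a small Python model of how a rule set with a destination match and a default-action decides accept or drop, covering the direct, range and address-group specifications of all the sections above. It parses the page's own set commands (two of the command sets are embedded below as samples), expands a /30 range to its four hosts as the Notes state, resolves an address-group name to its members, and applies rules in ascending number with first match winning and the default-action as fallback. The names parse_set_commands, hosts_in_range, address_matches, evaluate and policy_table are chosen here, and treating an interface direction with no rule set bound as unfiltered is an assumption of this model.

```python
import ipaddress
import shlex

# Samples copied from two sections of this page: the address-group reject case
# and the "192.168.2.4/30" accept case. Direct specification parses the same way.
REJECT_GROUP = """
set interfaces dataplane dp0s6 firewall in 'test_rule'
set resources group address-group g1 address 192.168.2.12
set resources group address-group g1 address 192.168.2.13
set security firewall name test_rule default-action 'accept'
set security firewall name test_rule rule 10 action 'drop'
set security firewall name test_rule rule 10 destination address 'g1'
"""

ACCEPT_RANGE = """
set interfaces dataplane dp0s6 firewall in 'test_rule'
set security firewall name test_rule default-action 'drop'
set security firewall name test_rule rule 10 action 'accept'
set security firewall name test_rule rule 10 destination address '192.168.2.4/30'
"""


def parse_set_commands(text):
    """Build a small model from 'set ...' lines: address groups, firewall rule
    sets and interface bindings. Only the keywords used on this page are
    understood; anything else raises so that a typo is not silently ignored."""
    groups = {}      # group name -> list of member addresses
    firewalls = {}   # rule-set name -> {"default-action": str, "rules": {num: {...}}}
    bindings = {}    # (interface, direction) -> rule-set name
    for line in text.strip().splitlines():
        tok = shlex.split(line)  # shlex removes the quotes around 'test_rule'
        if not tok or tok[0] != "set":
            continue
        if tok[1:4] == ["resources", "group", "address-group"] and tok[5] == "address":
            groups.setdefault(tok[4], []).append(tok[6])
        elif tok[1:3] == ["interfaces", "dataplane"] and tok[4] == "firewall":
            bindings[(tok[3], tok[5])] = tok[6]   # e.g. ("dp0s6", "in") -> "test_rule"
        elif tok[1:4] == ["security", "firewall", "name"]:
            fw = firewalls.setdefault(tok[4], {"default-action": None, "rules": {}})
            if tok[5] == "default-action":
                fw["default-action"] = tok[6]
            elif tok[5] == "rule" and tok[7] == "action":
                fw["rules"].setdefault(int(tok[6]), {})["action"] = tok[8]
            elif tok[5] == "rule" and tok[7:9] == ["destination", "address"]:
                fw["rules"].setdefault(int(tok[6]), {})["destination"] = tok[9]
            else:
                raise ValueError(f"unsupported firewall keyword: {line}")
        else:
            raise ValueError(f"unsupported command: {line}")
    return {"groups": groups, "firewalls": firewalls, "bindings": bindings}


def hosts_in_range(cidr):
    """Every address covered by a range specification, e.g. the four hosts of a /30."""
    return [str(a) for a in ipaddress.ip_network(cidr, strict=False)]


def address_matches(spec, dst_ip, groups):
    """spec is a single address, a CIDR range, or an address-group name."""
    if spec in groups:
        return any(address_matches(m, dst_ip, groups) for m in groups[spec])
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(spec, strict=False)


def evaluate(model, interface, direction, dst_ip):
    """Decide 'accept' or 'drop' for a packet to dst_ip passing interface in the
    given direction ('in' or 'out'). Rules are tried in ascending number and the
    first match wins; with no match the rule set's default-action applies.
    Assumption: no rule set bound in that direction means nothing filters."""
    name = model["bindings"].get((interface, direction))
    if name is None:
        return "accept"
    fw = model["firewalls"][name]
    for num in sorted(fw["rules"]):
        rule = fw["rules"][num]
        dest = rule.get("destination")
        if dest is None or address_matches(dest, dst_ip, model["groups"]):
            return rule["action"]
    if fw["default-action"] is None:
        raise ValueError(f"rule set {name} has no default-action")
    return fw["default-action"]


def policy_table(commands, interface, direction, dst_ips):
    """Map each destination to the decision the rule set would make."""
    model = parse_set_commands(commands)
    return {ip: evaluate(model, interface, direction, ip) for ip in dst_ips}


if __name__ == "__main__":
    probes = ["192.168.2.6", "192.168.2.12", "192.168.2.13"]
    print("reject group g1 :", policy_table(REJECT_GROUP, "dp0s6", "in", probes))
    print("accept .4/30    :", policy_table(ACCEPT_RANGE, "dp0s6", "in", probes))
    print("hosts in .12/30 :", hosts_in_range("192.168.2.12/30"))
```

Run as a script it prints the decision for the three destinations pinged in the operation checks; the decisions match the OK/NG results recorded above (OK where the model says accept, NG where it says drop). Because the parser rejects any keyword it does not know, pasting a mistyped command into it fails loudly instead of producing a policy table that silently differs from what the router would load.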

Operation check result

The verification result log below shows that communications (Ping) forwarded to “192.168.2.6” and “192.168.2.12” succeeded,
but communications (Ping) forwarded to IP addresses not belonging to address group g1 failed,
which confirms that the packet filtering function worked.
#192.168.2.6 -> OK

test@web1:~$ ping 192.168.2.6
PING 192.168.2.6 (192.168.2.6) 56(84) bytes of data.
64 bytes from 192.168.2.6: icmp_seq=1 ttl=63 time=15.8 ms
64 bytes from 192.168.2.6: icmp_seq=2 ttl=63 time=2.21 ms
64 bytes from 192.168.2.6: icmp_seq=3 ttl=63 time=1.79 ms
64 bytes from 192.168.2.6: icmp_seq=4 ttl=63 time=1.52 ms
64 bytes from 192.168.2.6: icmp_seq=5 ttl=63 time=1.45 ms
64 bytes from 192.168.2.6: icmp_seq=6 ttl=63 time=1.88 ms
64 bytes from 192.168.2.6: icmp_seq=7 ttl=63 time=1.32 ms
^C
--- 192.168.2.6 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6008ms
rtt min/avg/max/mdev = 1.327/3.726/15.885/4.971 ms

#192.168.2.12 -> OK

test@web1:~$ ping 192.168.2.12
PING 192.168.2.12 (192.168.2.12) 56(84) bytes of data.
64 bytes from 192.168.2.12: icmp_seq=1 ttl=63 time=2.95 ms
64 bytes from 192.168.2.12: icmp_seq=2 ttl=63 time=1.77 ms
64 bytes from 192.168.2.12: icmp_seq=3 ttl=63 time=1.77 ms
64 bytes from 192.168.2.12: icmp_seq=4 ttl=63 time=1.76 ms
64 bytes from 192.168.2.12: icmp_seq=5 ttl=63 time=1.91 ms
64 bytes from 192.168.2.12: icmp_seq=6 ttl=63 time=1.62 ms
^C
--- 192.168.2.12 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5007ms
rtt min/avg/max/mdev = 1.621/1.965/2.950/0.452 ms

#192.168.2.13 -> NG

test@web1:~$ ping 192.168.2.13
PING 192.168.2.13 (192.168.2.13) 56(84) bytes of data.
^C
--- 192.168.2.13 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 6999ms
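As an added example that is not part of this page: a short Python check that turns the operation-check ping output of the sections above into OK/NG and compares it with the result each policy is meant to produce. The ping logs embedded below are constructed, modelled on the output in the address-group accept section, and EXPECTED, classify_ping and verify are names chosen here. It also separates a run with partial loss, which none of the sections above show, from the total loss that a firewall drop produces.

```python
import re

# Constructed sample modelled on the address-group (accept g1) operation check,
# keyed by the destination that was pinged. Shorter than the page's logs but
# internally consistent (reply lines agree with the statistics line).
PING_LOGS = {
    "192.168.2.6": """PING 192.168.2.6 (192.168.2.6) 56(84) bytes of data.
64 bytes from 192.168.2.6: icmp_seq=1 ttl=63 time=15.8 ms
64 bytes from 192.168.2.6: icmp_seq=2 ttl=63 time=2.21 ms
^C
--- 192.168.2.6 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 2.210/9.005/15.800/6.795 ms""",
    "192.168.2.12": """PING 192.168.2.12 (192.168.2.12) 56(84) bytes of data.
64 bytes from 192.168.2.12: icmp_seq=1 ttl=63 time=2.95 ms
^C
--- 192.168.2.12 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.950/2.950/2.950/0.000 ms""",
    "192.168.2.13": """PING 192.168.2.13 (192.168.2.13) 56(84) bytes of data.
^C
--- 192.168.2.13 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 6999ms""",
}

# Results the accept-g1 policy (g1 = 192.168.2.6 and 192.168.2.12, default drop)
# is designed to produce for those three destinations.
EXPECTED = {"192.168.2.6": "OK", "192.168.2.12": "OK", "192.168.2.13": "NG"}

STATS_RE = re.compile(r"(\d+) packets transmitted, (\d+) received")


def classify_ping(output):
    """Reduce one ping run to OK (every probe answered), NG (nothing answered,
    the signature of a firewall drop) or PARTIAL (some loss, which points at
    the path or the host rather than at the filtering rule)."""
    m = STATS_RE.search(output)
    if m is None:
        raise ValueError("no ping statistics line; was the capture cut off?")
    sent, received = int(m.group(1)), int(m.group(2))
    if sent == 0:
        raise ValueError("ping sent no probes")
    if received == 0:
        return "NG"
    return "OK" if received == sent else "PARTIAL"


def verify(expected, logs):
    """Compare the intended result per destination with what the logs show.
    Returns {ip: (expected, observed)} for every mismatch; {} means the
    filtering behaved as designed for every probed destination."""
    mismatches = {}
    for ip, want in expected.items():
        got = classify_ping(logs[ip])
        if got != want:
            mismatches[ip] = (want, got)
    return mismatches


if __name__ == "__main__":
    for ip, log in PING_LOGS.items():
        print(ip, "->", classify_ping(log))
    print("mismatches:", verify(EXPECTED, PING_LOGS))
```

The classification reads only the statistics line, so it works on the page's own captures regardless of how many replies were printed before Ctrl-C. An empty mismatch dictionary is the result to look for after every change to a rule set; a PARTIAL entry is worth investigating separately, because a destination rule on this firewall either drops all of the matching packets or none of them.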