Setting (acceptance/rejection) for destination IP and services (port number/service group)

Operation Confirmed Version:
 Brocade 5600 vRouter Version 4.2R1S1
This section describes the functions which accept or reject IP communications which pass through the firewall.

Flow of the packet filtering settings

1. Setting the name of the packet filtering rule set
2. Specifying a destination IP address, port number, etc. and setting the acceptance or rejection rule for them
3. Setting the acceptance or rejection rule (default action) for communications which do not match the rules made in Step 2
4. Specifying the interface and filtering direction to which the packet filtering settings made in Step 1 are applied

Setting rejection in terms of a destination port number

Make settings so that the firewall interface rejects communications forwarded to a specific destination IP address and port number
and forwards communications to all other destinations.

Presumed case for sample setting

  • To reject communications forwarded to the destination having an IP address “192.168.2.13” and port number 80 (HTTP)

  • To apply the rule set to traffic entering interface “dp0s6”

  • To accept and forward all communications forwarded to destinations other than one having an IP address “192.168.2.13” and port number 80

Configuration diagram
Fig15

Setting flow in a presumed case

1. Packet filtering setting name test_rule
2. Setting rule 10 by which packets whose destination has an IP address “192.168.2.13” and port number 80 are rejected
3. Setting for accepting packets whose destinations are other than one having an IP address “192.168.2.13” and port number 80
4. Applying in the input direction at the dp0s6 interface

Command to be entered with CLI

set interfaces dataplane dp0s6 firewall in 'test_rule'
set security firewall name test_rule default-action 'accept'
set security firewall name test_rule rule 10 action 'drop'
set security firewall name test_rule rule 10 destination address '192.168.2.13'
set security firewall name test_rule rule 10 destination port '80'
set security firewall name test_rule rule 10 protocol 'tcp'

Note

To apply the same policy in the output direction instead, bind the rule set with “out test_rule” on the dp0s6 interface.

The configuration after completion of appropriate settings is as follows.
interfaces {
       dataplane dp0s4 {
               address 192.168.1.50/24
       }
       dataplane dp0s5 {
               address 192.168.2.50/24
       }
       dataplane dp0s6 {
               address 192.168.3.5/24
               firewall {
                       in test_rule
               }
       }
}
security {
       firewall {
               name test_rule {
                       default-action accept
                       rule 10 {
                               action drop
                               destination {
                                       address 192.168.2.13
                                       port 80
                               }
                               protocol tcp
                       }
               }
       }
}

Operation check result

The verification log below shows that communications forwarded to the destination having an IP address “192.168.2.12” and port number 80 succeeded,
while communications forwarded from server “192.168.3.3” to the destination having an IP address “192.168.2.13” and port number 80 failed,
confirming that the packet filtering function worked.
#192.168.2.12 -> OK

test@web1:~$ wget http://192.168.2.12
--2016-07-20 17:15:03--  http://192.168.2.12/
Connecting to 192.168.2.12:80 ... Connected
200 OK
Length: 612 [text/html]
`index.html' saving

100%[==================================================================================================================>] 612         --.-K/s   Time 0s

2016-07-20 17:15:03 (132 MB/s) - `index.html' saved [612/612]


#192.168.2.13 -> NG

test@web1:~$ wget http://192.168.2.13
--2016-07-20 17:15:07--  http://192.168.2.13/
Connecting to 192.168.2.13:80 ... ^C

Setting acceptance in terms of a destination port number

Make settings so that the firewall interface accepts only communications forwarded to a specific destination IP address and port number
and rejects communications forwarded to other destinations.

Presumed case for sample setting

  • To forward only communications forwarded to the destination having an IP address “192.168.2.13” and port number 80 (HTTP)

  • To apply the rule set to traffic entering interface “dp0s6”

  • To reject all communications forwarded to destinations other than one having an IP address “192.168.2.13” and port number 80

Configuration diagram
Fig16

Setting flow in a presumed case

1. Packet filtering setting name test_rule
2. Setting rule 10 by which packets whose destination has an IP address “192.168.2.13” and port number 80 are accepted
3. Setting for rejecting packets whose destinations are other than one having an IP address “192.168.2.13” and port number 80
4. Applying in the input direction at the dp0s6 interface

Command to be entered with CLI

set interfaces dataplane dp0s6 firewall in 'test_rule'
set security firewall name test_rule default-action 'drop'
set security firewall name test_rule rule 10 action 'accept'
set security firewall name test_rule rule 10 destination address '192.168.2.13'
set security firewall name test_rule rule 10 destination port '80'
set security firewall name test_rule rule 10 protocol 'tcp'

Note

To apply the same policy in the output direction instead, bind the rule set with “out test_rule” on the dp0s6 interface.

The configuration after completion of appropriate settings is as follows.
interfaces {
       dataplane dp0s4 {
               address 192.168.1.50/24
       }
       dataplane dp0s5 {
               address 192.168.2.50/24
       }
       dataplane dp0s6 {
               address 192.168.3.5/24
               firewall {
                       in test_rule
               }
       }
}
security {
       firewall {
               name test_rule {
                       default-action drop
                       rule 10 {
                               action accept
                               destination {
                                       address 192.168.2.13
                                       port 80
                               }
                               protocol tcp
                       }
               }
       }
}

Operation check result

The verification log below shows that communications forwarded to the destination having an IP address “192.168.2.13” and port number 80 succeeded,
while communications forwarded from server “192.168.3.3” to the destination having an IP address “192.168.2.12” and port number 80 failed,
confirming that the packet filtering function worked.
#192.168.2.12 -> NG

test@web1:~$ wget http://192.168.2.12
--2016-07-20 17:33:30--  http://192.168.2.12/
Connecting to 192.168.2.12:80 ... ^C


#192.168.2.13 -> OK

test@web1:~$ wget http://192.168.2.13
--2016-07-20 17:33:33--  http://192.168.2.13/
Connecting to 192.168.2.13:80 ... Connected.
200 OK
Length: 612 [text/html]
`index.html.3' saving

100%[==================================================================================================================>] 612         --.-K/s   Time 0s

2016-07-20 17:33:33 (157 MB/s) - `index.html.3' saved [612/612]

Setting rejection in terms of a destination port number (range specification)

Make settings so that the firewall interface rejects only communications which use specific destination port numbers (range specification)
and forwards all other communications.

Presumed case for sample setting

  • To reject only communications which use destination port numbers 1080 to 1081

  • To apply the rule set to traffic entering interface “dp0s5”

  • To forward all communications other than those which use destination port numbers 1080 to 1081

Configuration diagram
Fig17

Setting flow in a presumed case

1. Packet filtering setting name test_rule
2. Setting rule 10 by which packets that use destination port numbers 1080 to 1081 are rejected
3. Setting for accepting packets which use destination port numbers other than 1080 to 1081
4. Applying in the input direction at the dp0s5 interface

Command to be entered with CLI

set interfaces dataplane dp0s5 firewall in 'test_rule'
set security firewall name test_rule default-action 'accept'
set security firewall name test_rule rule 10 action 'drop'
set security firewall name test_rule rule 10 destination port '1080-1081'
set security firewall name test_rule rule 10 protocol 'tcp'

Note

To apply the same policy in the output direction instead, bind the rule set with “out test_rule” on the dp0s6 interface.

The configuration after completion of appropriate settings is as follows.
interfaces {
       dataplane dp0s4 {
               address 192.168.1.50/24
       }
       dataplane dp0s5 {
               address 192.168.2.50/24
               firewall {
                       in test_rule
               }
       }
       dataplane dp0s6 {
               address 192.168.3.5/24
       }
}
security {
       firewall {
               name test_rule {
                       default-action accept
                       rule 10 {
                               action drop
                               destination {
                                       port 1080-1081
                               }
                               protocol tcp
                       }
               }
       }
}

Operation check result

The verification log below shows that communications forwarded from server “192.168.2.12” in the configuration diagram to the destination having an IP address “192.168.3.3” and port number 80 succeeded,
while communications forwarded from server “192.168.2.12” to the destination having an IP address “192.168.3.3” and port numbers 1080/1081 failed,
confirming that the packet filtering function worked.
#port 80 -> OK

test@ubu01:~$ wget -O - http://192.168.3.3/ > /dev/null
--2016-08-01 12:06:45--  http://192.168.3.3/
Connecting to 192.168.3.3:80 ... Connected
200 OK
Length: 616 [text/html]
`STDOUT' saving

100%[========================================================================================================================================================================================================>] 616         --.-K/s   Time 0s

2016-08-01 12:06:45 (168 MB/s) - stdout saved [616/616]


#port 1080 -> NG

test@ubu01:~$ wget -O - http://192.168.3.3:1080/ > /dev/null
--2016-08-01 12:06:53--  http://192.168.3.3:1080/
Connecting to 192.168.3.3:1080 ... ^C

#port 1081 -> NG

test@ubu01:~$ wget -O - http://192.168.3.3:1081/ > /dev/null
--2016-08-01 12:07:00--  http://192.168.3.3:1081/
Connecting to 192.168.3.3:1081 ... ^C

Setting acceptance in terms of a destination port number (range specification)

Make settings so that the firewall interface accepts only communications which use specific destination port numbers (range specification)
and rejects all other communications.

Presumed case for sample setting

  • To forward only communications which use destination port numbers 1080 to 1081

  • To apply the rule set to traffic entering interface “dp0s5”

  • To reject all communications other than those which use destination port numbers 1080 to 1081

Configuration diagram
Fig18

Setting flow in a presumed case

1. Packet filtering setting name test_rule
2. Setting rule 10 by which packets that use destination port numbers 1080 to 1081 are accepted
3. Setting for rejecting packets which use destination port numbers other than 1080 to 1081
4. Applying in the input direction at the dp0s5 interface

Command to be entered with CLI

set interfaces dataplane dp0s5 firewall in 'test_rule'
set security firewall name test_rule default-action 'drop'
set security firewall name test_rule rule 10 action 'accept'
set security firewall name test_rule rule 10 destination port '1080-1081'
set security firewall name test_rule rule 10 protocol 'tcp'

Note

To apply the same policy in the output direction instead, bind the rule set with “out test_rule” on the dp0s6 interface.

The configuration after completion of appropriate settings is as follows.
interfaces {
       dataplane dp0s4 {
               address 192.168.1.50/24
       }
       dataplane dp0s5 {
               address 192.168.2.50/24
               firewall {
                       in test_rule
               }
       }
       dataplane dp0s6 {
               address 192.168.3.5/24
       }
}
security {
       firewall {
               name test_rule {
                       default-action drop
                       rule 10 {
                               action accept
                               destination {
                                       port 1080-1081
                               }
                               protocol tcp
                       }
               }
       }
}

Operation check result

The verification log below shows that communications forwarded from server “192.168.2.12” in the configuration diagram to the destination having an IP address “192.168.3.3” and port numbers 1080/1081 succeeded,
while communications forwarded from server “192.168.2.12” to the destination having an IP address “192.168.3.3” and port number 80 failed,
confirming that the packet filtering function worked.
#port 80 -> NG

test@ubu01:~$ wget -O - http://192.168.3.3/ > /dev/null
--2016-07-29 17:03:13--  http://192.168.3.3/
Connecting to 192.168.3.3:80 ... ^C

#port 1080 -> OK

test@ubu01:~$ wget -O - http://192.168.3.3:1080/ > /dev/null
--2016-07-29 17:03:18--  http://192.168.3.3:1080/
Connecting to 192.168.3.3:1080 ... Connected
200 OK
Length: 616 [text/html]
`STDOUT' saving

100%[========================================================================================================================================================================================================>] 616         --.-K/s   Time 0s

2016-07-29 17:03:18 (134 MB/s) - stdout saved [616/616]


#port 1081 -> OK

test@ubu01:~$ wget -O - http://192.168.3.3:1081/ > /dev/null
--2016-07-29 17:03:23--  http://192.168.3.3:1081/
Connecting to 192.168.3.3:1081 ... Connected
200 OK
Length: 616 [text/html]
`STDOUT' saving

100%[========================================================================================================================================================================================================>] 616         --.-K/s   Time 0s

2016-07-29 17:03:23 (138 MB/s) - stdout saved [616/616]

Setting rejection in terms of a destination port number (service group)

Define the service group and set the port numbers to be included in the group.
Make settings so that the firewall interface rejects communications whose destination port number is registered in the service group
and forwards communications which use other destination port numbers.

Note

The service group (port group setting) is a named list in which multiple port numbers are registered. Grouping allows a policy to be set on the whole list at once.

Presumed case for sample setting

  • To reject only communications which use destination port numbers 1080 to 1081

  • To set the port numbers above as service group members

  • To apply the rule set to traffic entering interface “dp0s5”

  • To forward all communications other than those which use destination port numbers 1080 to 1081

Configuration diagram
Fig17

Setting flow in a presumed case

1. Packet filtering setting name test_rule
2. Setting port numbers 1080 and 1081 into service group p1
3. Setting rule 10 by which packets whose destination port is in service group p1 are rejected
4. Setting for accepting packets which use destination port numbers other than those in service group p1
5. Applying in the input direction at the dp0s5 interface

Command to be entered with CLI

set interfaces dataplane dp0s5 firewall in 'test_rule'
set resources group port-group p1 port '1080'
set resources group port-group p1 port '1081'
set security firewall name test_rule default-action 'accept'
set security firewall name test_rule rule 10 action 'drop'
set security firewall name test_rule rule 10 destination port 'p1'
set security firewall name test_rule rule 10 protocol 'tcp'

Note

To apply the same policy in the output direction instead, bind the rule set with “out test_rule” on the dp0s6 interface.

The configuration after completion of appropriate settings is as follows.
interfaces {
       dataplane dp0s4 {
               address 192.168.1.50/24
       }
       dataplane dp0s5 {
               address 192.168.2.50/24
               firewall {
                       in test_rule
               }
       }
       dataplane dp0s6 {
               address 192.168.3.5/24
       }
}
resources {
       group {
               port-group p1 {
                       port 1080
                       port 1081
               }
       }
}
security {
       firewall {
               name test_rule {
                       default-action accept
                       rule 10 {
                               action drop
                               destination {
                                       port p1
                               }
                               protocol tcp
                       }
               }
       }
}

Operation check result

The verification log below shows that communications forwarded from server “192.168.2.12” in the configuration diagram to the destination having an IP address “192.168.3.3” and port number 80 succeeded,
while communications forwarded from server “192.168.2.12” to the destination having an IP address “192.168.3.3” and port numbers 1080/1081 failed,
confirming that the packet filtering function worked.
#port 80 -> OK

test@ubu01:~$ wget -O - http://192.168.3.3
--2016-07-29 16:25:58--  http://192.168.3.3/
Connecting to 192.168.3.3:80 ... Connected
200 OK
Length: 616 [text/html]
`STDOUT' saving

100%[========================================================================================================================================================================================================>] 616         --.-K/s   Time 0s

2016-07-29 16:25:58 (174 MB/s) - stdout saved [616/616]

#port 1080 -> NG

test@ubu01:~$ wget -O - http://192.168.3.3:1080
--2016-07-29 16:26:01--  http://192.168.3.3:1080/
Connecting to 192.168.3.3:1080 ... ^C

#port 1081 -> NG

test@ubu01:~$ wget -O - http://192.168.3.3:1081
--2016-07-29 16:26:06--  http://192.168.3.3:1081/
Connecting to 192.168.3.3:1081... ^C

Setting acceptance in terms of a destination port number (service group)

Define the service group and set the port numbers to be included in the group.
Make settings so that the firewall interface forwards communications whose destination port number is registered in the service group
and rejects communications which use other destination port numbers.

Note

The service group (port group setting) is a named list in which multiple port numbers are registered. Grouping allows a policy to be set on the whole list at once.

Presumed case for sample setting

  • To forward only communications which use destination port numbers 1080 to 1081

  • To set the port numbers above as service group members

  • To apply the rule set to traffic entering interface “dp0s5”

  • To reject all communications other than those which use destination port numbers 1080 to 1081

Configuration diagram
Fig18

Setting flow in a presumed case

1. Packet filtering setting name test_rule
2. Setting port numbers 1080 and 1081 into service group p1
3. Setting rule 10 by which packets whose destination port is in service group p1 are accepted
4. Setting for rejecting packets which use destination port numbers other than those in service group p1
5. Applying in the input direction at the dp0s5 interface

Command to be entered with CLI

set interfaces dataplane dp0s5 firewall in 'test_rule'
set resources group port-group p1 port '1080'
set resources group port-group p1 port '1081'
set security firewall name test_rule default-action 'drop'
set security firewall name test_rule rule 10 action 'accept'
set security firewall name test_rule rule 10 destination port 'p1'
set security firewall name test_rule rule 10 protocol 'tcp'

Note

To apply the same policy in the output direction instead, bind the rule set with “out test_rule” on the dp0s6 interface.

The configuration after completion of appropriate settings is as follows.
interfaces {
       dataplane dp0s4 {
               address 192.168.1.50/24
       }
       dataplane dp0s5 {
               address 192.168.2.50/24
               firewall {
                       in test_rule
               }
       }
       dataplane dp0s6 {
               address 192.168.3.5/24
       }
}
resources {
       group {
               port-group p1 {
                       port 1080
                       port 1081
               }
       }
}
security {
       firewall {
               name test_rule {
                       default-action drop
                       rule 10 {
                               action accept
                               destination {
                                       port p1
                               }
                               protocol tcp
                       }
               }
       }
}

Operation check result

The verification log below shows that communications forwarded from server “192.168.2.12” in the configuration diagram to the destination having an IP address “192.168.3.3” and port numbers 1080/1081 succeeded,
while communications forwarded from server “192.168.2.12” to the destination having an IP address “192.168.3.3” and port number 80 failed,
confirming that the packet filtering function worked.
#port 80 -> NG

test@ubu01:~$ wget -O - http://192.168.3.3
--2016-07-29 16:35:51--  http://192.168.3.3/
Connecting to 192.168.3.3:80 ... ^C

#port 1080 -> OK

test@ubu01:~$ wget -O - http://192.168.3.3:1080
--2016-07-29 16:35:56--  http://192.168.3.3:1080/
Connecting to 192.168.3.3:1080 ... Connected
200 OK
Length: 616 [text/html]
`STDOUT' saving

100%[========================================================================================================================================================================================================>] 616         --.-K/s   Time 0s

2016-07-29 16:35:56 (175 MB/s) - stdout saved [616/616]

#port 1081 -> OK

test@ubu01:~$ wget -O - http://192.168.3.3:1081
--2016-07-29 16:36:02--  http://192.168.3.3:1081/
Connecting to 192.168.3.3:1081 ... Connected
200 OK
Length: 616 [text/html]
`STDOUT' saving

100%[========================================================================================================================================================================================================>] 616         --.-K/s   Time 0s

2016-07-29 16:36:02 (171 MB/s) - stdout saved [616/616]
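All six cases above rely on the same evaluation model: rules are tried in ascending rule-number order, the first rule whose protocol, destination address and destination port (single port, range, or port group) all match decides, and an unmatched packet gets the rule set's default-action. The following Python script is an added example, not part of this document or the vRouter product: it parses the `set` commands shown on this page into that model and evaluates sample packets against it, which also makes a caveat visible that the logs above cannot show: the rules match protocol tcp only, so a UDP datagram to a dropped port falls through to default-action.

```python
# Added example (not the product's own code): a simplified model of the firewall
# semantics shown on this page. Rules are tried in ascending number order, the first
# rule whose protocol, destination address and destination port all match decides,
# and an unmatched packet gets the rule set's default-action.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed input: 'set' commands of the service-group and single-destination rejection cases above.
GROUP_DROP = """
set resources group port-group p1 port '1080'
set resources group port-group p1 port '1081'
set security firewall name test_rule default-action 'accept'
set security firewall name test_rule rule 10 action 'drop'
set security firewall name test_rule rule 10 destination port 'p1'
set security firewall name test_rule rule 10 protocol 'tcp'
"""
DEST_DROP = """
set security firewall name test_rule default-action 'accept'
set security firewall name test_rule rule 10 action 'drop'
set security firewall name test_rule rule 10 destination address '192.168.2.13'
set security firewall name test_rule rule 10 destination port '80'
set security firewall name test_rule rule 10 protocol 'tcp'
"""

@dataclass
class Rule:
    action: Optional[str] = None
    protocol: Optional[str] = None   # None matches any protocol
    dst_addr: Optional[str] = None   # None matches any destination address
    dst_port: Optional[str] = None   # '80', '1080-1081' or a port-group name

@dataclass
class Ruleset:
    default_action: str = "accept"
    rules: Dict[int, Rule] = field(default_factory=dict)      # rule number -> Rule
    port_groups: Dict[str, Set[int]] = field(default_factory=dict)

def parse_set_commands(text: str, name: str = "test_rule") -> Ruleset:
    """Build a Ruleset from 'set ...' lines (only the keywords used on this page)."""
    rs = Ruleset()
    for line in text.strip().splitlines():
        t = [tok.strip("'") for tok in line.split()]
        if t[1:4] == ["resources", "group", "port-group"] and t[5] == "port":
            rs.port_groups.setdefault(t[4], set()).add(int(t[6]))
        elif t[1:5] == ["security", "firewall", "name", name]:
            if t[5] == "default-action":
                rs.default_action = t[6]
            elif t[5] == "rule":
                r = rs.rules.setdefault(int(t[6]), Rule())
                if t[7] == "action":
                    r.action = t[8]
                elif t[7] == "protocol":
                    r.protocol = t[8]
                elif t[7:9] == ["destination", "address"]:
                    r.dst_addr = t[9]
                elif t[7:9] == ["destination", "port"]:
                    r.dst_port = t[9]
    return rs

def port_matches(spec: Optional[str], port: int, groups: Dict[str, Set[int]]) -> bool:
    if spec is None:
        return True
    if spec in groups:                    # port-group reference such as 'p1'
        return port in groups[spec]
    lo, _, hi = spec.partition("-")       # '80' -> single port, '1080-1081' -> range
    return int(lo) <= port <= int(hi or lo)

def evaluate(rs: Ruleset, proto: str, dst_addr: str, dst_port: int) -> str:
    """Return the action for a packet entering the interface this rule set is bound to."""
    for num in sorted(rs.rules):
        r = rs.rules[num]
        if (r.protocol in (None, proto) and r.dst_addr in (None, dst_addr)
                and port_matches(r.dst_port, dst_port, rs.port_groups)):
            return r.action or rs.default_action
    return rs.default_action
```

Swapping the quoted `default-action` and rule `action` values turns either rule set into its acceptance counterpart from the page, so the same model covers all six cases.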