Filtering Settings Which Use Source IP Addresses (Direct Specification/ Range Specification/ Address Group)

Operation Confirmed Version:
 Brocade 5600vRouter Version4.2R1S1
This section describes how to accept or reject IP traffic passing through the firewall on the basis of its source IP address, specified directly, as an address range, or as an address group.
The rules in these examples match only the source address field of each packet; no protocol or port conditions are used.

Flow of the packet filtering settings

1.Setting the name of the packet filtering rule set
2.Specifying the source IP addresses (single address/ range/ address group) and setting the accept or drop action for them
3.Setting the default action (accept or drop) for packets whose source IP addresses do not match the rules made in Step 2
4.Applying the rule set made in Step 1 to an interface and specifying the filtering direction (input or output)

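The following is an added example and is not part of the original vRouter documentation: a small Python model of the procedure above. It parses `set` command lines in the form this page uses, resolves the three kinds of source specification that appear on the page (a single address, a CIDR range, and an address group), and evaluates a source IP against the bound rule set. The evaluation order (rules in ascending number order, first match decides, default-action otherwise) and the treatment of an interface with no rule set bound are assumptions modelled on the page's ping checks, not behaviour read from the vRouter itself; the scenario table and the sample source addresses are constructed from the six configurations shown on this page.

```python
import ipaddress
import shlex


def parse_set_commands(lines):
    """Turn vRouter-style 'set ...' lines into a policy dict.

    Only the three statement families used on this page are handled:
    interface binding, address-group membership and firewall rules.
    """
    policy = {"interfaces": {}, "groups": {}, "firewalls": {}}
    for line in lines:
        tok = shlex.split(line)            # shlex strips the quotes around values
        if not tok or tok[0] != "set":
            continue
        if tok[1:3] == ["interfaces", "dataplane"] and tok[4] == "firewall":
            # set interfaces dataplane <if> firewall <in|out> <rule-set>
            policy["interfaces"].setdefault(tok[3], {})[tok[5]] = tok[6]
        elif tok[1:4] == ["resources", "group", "address-group"]:
            # set resources group address-group <g> address <ip-or-cidr>
            policy["groups"].setdefault(tok[4], []).append(
                ipaddress.ip_network(tok[6], strict=False))
        elif tok[1:4] == ["security", "firewall", "name"]:
            fw = policy["firewalls"].setdefault(
                tok[4], {"default-action": None, "rules": {}})
            if tok[5] == "default-action":
                fw["default-action"] = tok[6]
            elif tok[5] == "rule":
                rule = fw["rules"].setdefault(int(tok[6]), {})
                if tok[7] == "action":
                    rule["action"] = tok[8]
                elif tok[7:9] == ["source", "address"]:
                    rule["source"] = tok[9]   # address, CIDR, or group name
        else:
            raise ValueError("unsupported statement: " + line)
    return policy


def source_matches(policy, source, ip):
    """True if a rule's source spec (address, CIDR or group name) covers ip."""
    if source is None:                     # no source clause: matches any source
        return True
    if source in policy["groups"]:         # a group name resolves to its members
        return any(ip in net for net in policy["groups"][source])
    return ip in ipaddress.ip_network(source, strict=False)


def evaluate(policy, iface, direction, src_ip):
    """Return the action ('accept' or 'drop') applied to a packet from src_ip.

    Assumption: rules are tried in ascending number order, the first match
    decides, and default-action covers everything that matched no rule.
    """
    name = policy["interfaces"].get(iface, {}).get(direction)
    if name is None:
        return "accept"                    # assumption: an unbound direction is not filtered
    fw = policy["firewalls"][name]
    ip = ipaddress.ip_address(src_ip)
    for number in sorted(fw["rules"]):
        rule = fw["rules"][number]
        if source_matches(policy, rule.get("source"), ip):
            return rule["action"]
    return fw["default-action"]


def page_config(default_action, rule_action, source, group_members=()):
    """Build the command set this page uses for one scenario (rule 10, dp0s5 in)."""
    lines = ["set interfaces dataplane dp0s5 firewall in 'test_rule'"]
    lines += ["set resources group address-group g1 address %s" % m for m in group_members]
    lines += [
        "set security firewall name test_rule default-action '%s'" % default_action,
        "set security firewall name test_rule rule 10 action '%s'" % rule_action,
        "set security firewall name test_rule rule 10 source address '%s'" % source,
    ]
    return parse_set_commands(lines)


# The six scenarios of this page: (default-action, rule 10 action, rule 10 source, g1 members)
SCENARIOS = {
    "drop one host":   ("accept", "drop",   "192.168.2.13", ()),
    "accept one host": ("drop",   "accept", "192.168.2.13", ()),
    "drop a /30":      ("accept", "drop",   "192.168.2.12/30", ()),
    "accept a /30":    ("drop",   "accept", "192.168.2.4/30", ()),
    "drop a group":    ("accept", "drop",   "g1", ("192.168.2.12", "192.168.2.13")),
    "accept a group":  ("drop",   "accept", "g1", ("192.168.2.13", "192.168.2.6")),
}


def run_scenarios(src_ips=("192.168.2.6", "192.168.2.12", "192.168.2.13", "192.168.2.15")):
    """Verdict per scenario for traffic entering dp0s5 from each constructed source address."""
    return {name: {ip: evaluate(page_config(*spec), "dp0s5", "in", ip) for ip in src_ips}
            for name, spec in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print("%-16s %s" % (name, verdicts))
```

Running the block prints one line per scenario. The returned dictionary reproduces the OK/NG outcomes of the ping checks on this page, and also shows a case the checks do not exercise: in the "drop a /30" scenario the source 192.168.2.15 is dropped although no host with that address takes part in the test, because it lies inside the 192.168.2.12/30 block.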
Setting for rejecting communications originated from a specific source IP address

Make settings to reject communications originated from a specific source IP address at the firewall interface.

Presumed case for sample setting

  • To drop communications originated from the host whose source IP address is “192.168.2.13”

  • To enable for traffic which is input to interface “dp0s5”

  • To make settings for accepting all communications originated from hosts whose source IP addresses are other than “192.168.2.13”

Configuration diagram
Fig1

Setting flow in a presumed case

1.Packet filtering setting name test_rule
2.Setting rule 10 by which packets whose source IP address is “192.168.2.13” are dropped
3.Setting for accepting packets whose source addresses are other than “192.168.2.13”
4.Applying in the input direction at the dp0s5 interface

Command to be entered with CLI

set interfaces dataplane dp0s5 firewall in 'test_rule'
set security firewall name test_rule default-action 'accept'
set security firewall name test_rule rule 10 action 'drop'
set security firewall name test_rule rule 10 source address '192.168.2.13'

Note

To apply the same policy in the output direction instead, bind the rule set with “out test_rule” under the dp0s6 interface (the interface facing the 192.168.3.0/24 segment).

The configuration after completion of appropriate settings is as follows.
interfaces {
       dataplane dp0s4 {
               address 192.168.1.50/24
       }
       dataplane dp0s5 {
               address 192.168.2.50/24
               firewall {
                       in test_rule
               }
       }
       dataplane dp0s6 {
               address 192.168.3.5/24
       }
}
security {
       firewall {
               name test_rule {
                       default-action accept
                       rule 10 {
                               action drop
                               source {
                                       address 192.168.2.13
                               }
                       }
               }
       }
}

Operation check result

The verification log below shows that a ping from server “192.168.2.12” in the configuration diagram to “192.168.3.3” succeeded,
whereas a ping from “192.168.2.13”, the source IP address specified in the filtering settings, failed;
this confirms that the packet filtering function worked.
#192.168.2.12 -> OK

test@ubu03:~$ ping 192.168.3.3
PING 192.168.3.3 (192.168.3.3) 56(84) bytes of data.
64 bytes from 192.168.3.3: icmp_seq=1 ttl=63 time=5.31 ms
64 bytes from 192.168.3.3: icmp_seq=2 ttl=63 time=1.30 ms
64 bytes from 192.168.3.3: icmp_seq=3 ttl=63 time=1.83 ms
64 bytes from 192.168.3.3: icmp_seq=4 ttl=63 time=0.987 ms
64 bytes from 192.168.3.3: icmp_seq=5 ttl=63 time=0.990 ms
64 bytes from 192.168.3.3: icmp_seq=6 ttl=63 time=1.13 ms
^C
--- 192.168.3.3 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5007ms
rtt min/avg/max/mdev = 0.987/1.928/5.319/1.544 ms


#192.168.2.13 -> NG

test@ubu04:~$ ping 192.168.3.3
PING 192.168.3.3 (192.168.3.3) 56(84) bytes of data.
^C
--- 192.168.3.3 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3023ms

Setting for accepting communications originated from a specific source IP address

Make settings to accept only communications originated from a specific source IP address and to reject communications originated from all other source IP addresses at the firewall interface.

Presumed case for sample setting

  • To forward only communications originated from source IP address “192.168.2.13”

  • To enable for traffic which is input to interface “dp0s5”

  • To reject and stop all communications originated from source IP addresses other than “192.168.2.13”

Configuration diagram
Fig2

Setting flow in a presumed case

1.Packet filtering setting name test_rule
2.Setting rule 10 by which packets whose source IP address is “192.168.2.13” are accepted
3.Setting for rejecting packets whose source addresses are other than “192.168.2.13”
4.Applying in the input direction at the dp0s5 interface

Command to be entered with CLI

set interfaces dataplane dp0s5 firewall in 'test_rule'
set security firewall name test_rule default-action 'drop'
set security firewall name test_rule rule 10 action 'accept'
set security firewall name test_rule rule 10 source address '192.168.2.13'

Note

To apply the same policy in the output direction instead, bind the rule set with “out test_rule” under the dp0s6 interface (the interface facing the 192.168.3.0/24 segment).

The configuration after completion of appropriate settings is as follows.
interfaces {
       dataplane dp0s4 {
               address 192.168.1.50/24
       }
       dataplane dp0s5 {
               address 192.168.2.50/24
               firewall {
                       in test_rule
               }
       }
       dataplane dp0s6 {
               address 192.168.3.5/24
       }
}
security {
       firewall {
               name test_rule {
                       default-action drop
                       rule 10 {
                               action accept
                               source {
                                       address 192.168.2.13
                               }
                       }
               }
       }
}

Operation check result

The verification log below shows that a ping from server “192.168.2.13” in the configuration diagram to “192.168.3.3” succeeded,
whereas a ping from server “192.168.2.12”, which is not covered by rule 10 and therefore hits the default action, to “192.168.3.3” failed;
this confirms that the packet filtering function worked.
#192.168.2.13 -> OK

test@ubu04:~$ ping 192.168.3.3
PING 192.168.3.3 (192.168.3.3) 56(84) bytes of data.
64 bytes from 192.168.3.3: icmp_seq=1 ttl=63 time=3.27 ms
64 bytes from 192.168.3.3: icmp_seq=2 ttl=63 time=4.03 ms
64 bytes from 192.168.3.3: icmp_seq=3 ttl=63 time=1.76 ms
64 bytes from 192.168.3.3: icmp_seq=4 ttl=63 time=2.03 ms
64 bytes from 192.168.3.3: icmp_seq=5 ttl=63 time=2.36 ms
^C
--- 192.168.3.3 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 1.769/2.695/4.034/0.841 ms


#192.168.2.12 -> NG

test@ubu03:~$ ping 192.168.3.3
PING 192.168.3.3 (192.168.3.3) 56(84) bytes of data.
^C
--- 192.168.3.3 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4032ms

Setting for rejecting communications, through use of source IP addresses (range specification)

Make settings to reject communications originated from a specific range of source IP addresses by means of the firewall interface
and to forward communications originated from other source IP addresses.

Presumed case for sample setting

  • To reject communications originated from the source IP address range “192.168.2.12/30”

  • To enable for traffic which is input to interface “dp0s5”

  • To forward all communications originated from source IP addresses outside “192.168.2.12/30”

Note

The range “192.168.2.12/30” covers the following four IP addresses: “192.168.2.12”, “192.168.2.13”, “192.168.2.14”, and “192.168.2.15”.

Configuration diagram
Fig3

Setting flow in a presumed case

1.Packet filtering setting name test_rule
2.Setting rule 10 by which packets whose source IP address is “192.168.2.12/30” are rejected
3.Setting for accepting packets whose source addresses are other than “192.168.2.12/30”
4.Applying in the input direction at the dp0s5 interface

Command to be entered with CLI

set interfaces dataplane dp0s5 firewall in 'test_rule'
set security firewall name test_rule default-action 'accept'
set security firewall name test_rule rule 10 action 'drop'
set security firewall name test_rule rule 10 source address '192.168.2.12/30'

Note

To apply the same policy in the output direction instead, bind the rule set with “out test_rule” under the dp0s6 interface (the interface facing the 192.168.3.0/24 segment).

The configuration after completion of appropriate settings is as follows.
interfaces {
       dataplane dp0s4 {
               address 192.168.1.50/24
       }
       dataplane dp0s5 {
               address 192.168.2.50/24
               firewall {
                       in test_rule
               }
       }
       dataplane dp0s6 {
               address 192.168.3.5/24
       }
}
security {
       firewall {
               name test_rule {
                       default-action accept
                       rule 10 {
                               action drop
                               source {
                                       address 192.168.2.12/30
                               }
                       }
               }
       }
}

Operation check result

The verification log below shows that a ping from server “192.168.2.6” in the configuration diagram to “192.168.3.3” succeeded,
whereas a ping from “192.168.2.12”, a source IP address inside the range “192.168.2.12/30”, failed;
this confirms that the packet filtering function worked.
#192.168.2.6 -> OK

test@ubu01:~$ ping 192.168.3.3
PING 192.168.3.3 (192.168.3.3) 56(84) bytes of data.
64 bytes from 192.168.3.3: icmp_seq=1 ttl=63 time=2.85 ms
64 bytes from 192.168.3.3: icmp_seq=2 ttl=63 time=0.910 ms
64 bytes from 192.168.3.3: icmp_seq=3 ttl=63 time=1.27 ms
64 bytes from 192.168.3.3: icmp_seq=4 ttl=63 time=1.70 ms
64 bytes from 192.168.3.3: icmp_seq=5 ttl=63 time=1.41 ms
64 bytes from 192.168.3.3: icmp_seq=6 ttl=63 time=1.05 ms
64 bytes from 192.168.3.3: icmp_seq=7 ttl=63 time=1.49 ms
^C
--- 192.168.3.3 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6009ms
rtt min/avg/max/mdev = 0.910/1.528/2.855/0.596 ms

#192.168.2.12 -> NG

test@ubu03:~$ ping 192.168.3.3
PING 192.168.3.3 (192.168.3.3) 56(84) bytes of data.
^C
--- 192.168.3.3 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 6999ms

Setting for accepting communications, through use of source IP addresses (range specification)

Make settings to accept only communications originated from a specific range of source IP addresses, “192.168.2.4/30”,
and to reject communications originated from all other source IP addresses at the firewall interface.

Presumed case for sample setting

  • To forward only communications originated from the source IP address range “192.168.2.4/30”

  • To enable for traffic which is input to interface “dp0s5”

  • To reject all communications originated from source IP addresses outside “192.168.2.4/30”

Note

The range “192.168.2.4/30” covers the following four IP addresses: “192.168.2.4”, “192.168.2.5”, “192.168.2.6”, and “192.168.2.7”.

Configuration diagram
Fig4

Setting flow in a presumed case

1.Packet filtering setting name test_rule
2.Setting rule 10 by which packets whose source IP address is “192.168.2.4/30” are accepted
3.Setting for rejecting packets whose source addresses are other than “192.168.2.4/30”
4.Applying in the input direction at the dp0s5 interface

Command to be entered with CLI

set interfaces dataplane dp0s5 firewall in 'test_rule'
set security firewall name test_rule default-action 'drop'
set security firewall name test_rule rule 10 action 'accept'
set security firewall name test_rule rule 10 source address '192.168.2.4/30'

Note

To apply the same policy in the output direction instead, bind the rule set with “out test_rule” under the dp0s6 interface (the interface facing the 192.168.3.0/24 segment).

The configuration after completion of appropriate settings is as follows.
interfaces {
       dataplane dp0s4 {
               address 192.168.1.50/24
       }
       dataplane dp0s5 {
               address 192.168.2.50/24
               firewall {
                       in test_rule
               }
       }
       dataplane dp0s6 {
               address 192.168.3.5/24
       }
}
security {
       firewall {
               name test_rule {
                       default-action drop
                       rule 10 {
                               action accept
                               source {
                                       address 192.168.2.4/30
                               }
                       }
               }
       }
}

Operation check result

The verification log below shows that a ping from server “192.168.2.6” in the configuration diagram to “192.168.3.3” succeeded,
whereas a ping from “192.168.2.12”, a source IP address outside the range “192.168.2.4/30”, failed;
this confirms that the packet filtering function worked.
#192.168.2.6 -> OK

test@ubu01:~$ ping 192.168.3.3
PING 192.168.3.3 (192.168.3.3) 56(84) bytes of data.
64 bytes from 192.168.3.3: icmp_seq=1 ttl=63 time=3.19 ms
64 bytes from 192.168.3.3: icmp_seq=2 ttl=63 time=2.01 ms
64 bytes from 192.168.3.3: icmp_seq=3 ttl=63 time=1.54 ms
64 bytes from 192.168.3.3: icmp_seq=4 ttl=63 time=1.94 ms
64 bytes from 192.168.3.3: icmp_seq=5 ttl=63 time=1.70 ms
64 bytes from 192.168.3.3: icmp_seq=6 ttl=63 time=1.41 ms
64 bytes from 192.168.3.3: icmp_seq=7 ttl=63 time=1.69 ms
64 bytes from 192.168.3.3: icmp_seq=8 ttl=63 time=1.49 ms
64 bytes from 192.168.3.3: icmp_seq=9 ttl=63 time=1.53 ms
^C
--- 192.168.3.3 ping statistics ---
9 packets transmitted, 9 received, 0% packet loss, time 8012ms
rtt min/avg/max/mdev = 1.410/1.837/3.197/0.519 ms


#192.168.2.12 -> NG

test@ubu03:~$ ping 192.168.3.3
PING 192.168.3.3 (192.168.3.3) 56(84) bytes of data.
^C
--- 192.168.3.3 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 8999ms

Setting for rejecting communications, through use of source IP addresses (address group)

Define an address group and register the IP addresses to be included in it.
Then make settings to reject communications originated from the IP addresses registered in the address group at the firewall interface, and to accept and forward communications originated from other source IP addresses.

Note

An address group is a named list in which multiple IP addresses are registered. A policy can then refer to the list instead of listing each address in every rule.

Presumed case for sample setting

  • To reject communications originated from IP addresses “192.168.2.12” and “192.168.2.13”

  • To set the addresses above as an address group

  • To enable for traffic which is input to interface “dp0s5”

  • To forward all communications originated from IP addresses which do not belong to the address group

Configuration diagram
Fig5

Setting flow in a presumed case

1.Packet filtering setting name test_rule
2.Setting “192.168.2.12” and “192.168.2.13” as members of address group g1
3.Setting rule 10 by which packets originated from address group g1 are dropped
4.Setting for accepting packets originated from IP addresses other than those in address group g1
5.Applying in the input direction at the dp0s5 interface

Command to be entered with CLI

set interfaces dataplane dp0s5 firewall in 'test_rule'
set resources group address-group g1 address 192.168.2.12
set resources group address-group g1 address 192.168.2.13
set security firewall name test_rule default-action 'accept'
set security firewall name test_rule rule 10 action 'drop'
set security firewall name test_rule rule 10 source address 'g1'

Note

To apply the same policy in the output direction instead, bind the rule set with “out test_rule” under the dp0s6 interface (the interface facing the 192.168.3.0/24 segment).

The configuration after completion of appropriate settings is as follows.
interfaces {
       dataplane dp0s4 {
               address 192.168.1.50/24
       }
       dataplane dp0s5 {
               address 192.168.2.50/24
               firewall {
                       in test_rule
               }
       }
       dataplane dp0s6 {
               address 192.168.3.5/24
       }
}
resources {
       group {
               address-group g1 {
                       address 192.168.2.12
                       address 192.168.2.13
               }
       }
}
security {
       firewall {
               name test_rule {
                       default-action accept
                       rule 10 {
                               action drop
                               source {
                                       address g1
                               }
                       }
               }
       }
}

Operation check result

The verification log below shows that a ping from server “192.168.2.6” in the configuration diagram to the 192.168.3.0/24 segment (“192.168.3.4” in this log) succeeded,
whereas a ping from “192.168.2.12”, a source IP address belonging to address group g1, to “192.168.3.3” failed;
this confirms that the packet filtering function worked.
#192.168.2.6 -> OK

test@ubu01:~$ ping 192.168.3.4
PING 192.168.3.4 (192.168.3.4) 56(84) bytes of data.
64 bytes from 192.168.3.4: icmp_seq=1 ttl=64 time=4.98 ms
64 bytes from 192.168.3.4: icmp_seq=2 ttl=64 time=0.920 ms
64 bytes from 192.168.3.4: icmp_seq=3 ttl=64 time=1.08 ms
64 bytes from 192.168.3.4: icmp_seq=4 ttl=64 time=1.08 ms
64 bytes from 192.168.3.4: icmp_seq=5 ttl=64 time=1.17 ms
64 bytes from 192.168.3.4: icmp_seq=6 ttl=64 time=1.63 ms
64 bytes from 192.168.3.4: icmp_seq=7 ttl=64 time=1.14 ms
^C
--- 192.168.3.4 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6007ms
rtt min/avg/max/mdev = 0.920/1.718/4.980/1.347 ms


#192.168.2.12 -> NG

test@ubu03:~$ ping 192.168.3.3
PING 192.168.3.3 (192.168.3.3) 56(84) bytes of data.
^C
--- 192.168.3.3 ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 7999ms

Setting for accepting communications, through use of source IP addresses (address group)

Define an address group and register the IP addresses to be included in it.
Then make settings to accept communications originated from the IP addresses registered in the address group, and to reject communications originated from other IP addresses, at the firewall interface.

Note

An address group is a named list in which multiple IP addresses are registered. A policy can then refer to the list instead of listing each address in every rule.

Presumed case for sample setting

  • To forward only communications originated from IP addresses “192.168.2.6” and “192.168.2.13”

  • To set the addresses above as an address group

  • To enable for traffic which is input to interface “dp0s5”

  • To reject all communications originated from IP addresses which do not belong to the address group

Configuration diagram
Fig6

Setting flow in a presumed case

1.Packet filtering setting name test_rule
2.Setting “192.168.2.6” and “192.168.2.13” as members of address group g1
3.Setting rule 10 by which packets originated from address group g1 are accepted
4.Setting for rejecting packets originated from IP addresses other than those in address group g1
5.Applying in the input direction at the dp0s5 interface

Command to be entered with CLI

set interfaces dataplane dp0s5 firewall in 'test_rule'
set resources group address-group g1 address 192.168.2.13
set resources group address-group g1 address 192.168.2.6
set security firewall name test_rule default-action 'drop'
set security firewall name test_rule rule 10 action 'accept'
set security firewall name test_rule rule 10 source address 'g1'

Note

To apply the same policy in the output direction instead, bind the rule set with “out test_rule” under the dp0s6 interface (the interface facing the 192.168.3.0/24 segment).

The configuration after completion of appropriate settings is as follows.
interfaces {
       dataplane dp0s4 {
               address 192.168.1.50/24
       }
       dataplane dp0s5 {
               address 192.168.2.50/24
               firewall {
                       in test_rule
               }
       }
       dataplane dp0s6 {
               address 192.168.3.5/24
       }
}
resources {
       group {
               address-group g1 {
                       address 192.168.2.13
                       address 192.168.2.6
               }
       }
}
security {
       firewall {
               name test_rule {
                       default-action drop
                       rule 10 {
                               action accept
                               source {
                                       address g1
                               }
                       }
               }
       }
}

Operation check result

The verification log below shows that a ping from server “192.168.2.6” in the configuration diagram to “192.168.3.3” succeeded,
whereas a ping from “192.168.2.12”, which does not belong to address group g1, failed;
this confirms that the packet filtering function worked.
#192.168.2.6 -> OK

test@ubu01:~$ ping 192.168.3.3
PING 192.168.3.3 (192.168.3.3) 56(84) bytes of data.
64 bytes from 192.168.3.3: icmp_seq=1 ttl=63 time=3.07 ms
64 bytes from 192.168.3.3: icmp_seq=2 ttl=63 time=1.19 ms
64 bytes from 192.168.3.3: icmp_seq=3 ttl=63 time=1.78 ms
64 bytes from 192.168.3.3: icmp_seq=4 ttl=63 time=1.43 ms
64 bytes from 192.168.3.3: icmp_seq=5 ttl=63 time=1.78 ms
64 bytes from 192.168.3.3: icmp_seq=6 ttl=63 time=1.31 ms
64 bytes from 192.168.3.3: icmp_seq=7 ttl=63 time=1.56 ms
64 bytes from 192.168.3.3: icmp_seq=8 ttl=63 time=1.54 ms
64 bytes from 192.168.3.3: icmp_seq=9 ttl=63 time=1.48 ms
^C
--- 192.168.3.3 ping statistics ---
9 packets transmitted, 9 received, 0% packet loss, time 8013ms
rtt min/avg/max/mdev = 1.194/1.684/3.071/0.524 ms

#192.168.2.12 -> NG

test@ubu03:~$ ping 192.168.3.3
PING 192.168.3.3 (192.168.3.3) 56(84) bytes of data.
^C
--- 192.168.3.3 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7055ms