Setting (acceptance/rejection) for source IP and services (port number/service group)

Operation confirmed version: Brocade 5600 vRouter Version 4.2R1S1
This section describes the functions which accept or reject IP communications which pass through the firewall.

Flow of the packet filtering settings

1. Setting the name of the packet filtering settings
2. Specifying a source IP address, port number, etc., and setting acceptance or rejection rules for them
3. Setting the acceptance or rejection rule for communications which do not match the rules made in Step 2
4. Specifying the filtering direction on the interface to which the packet filtering settings made in Step 1 are applied

Setting rejection in terms of a source port number

Make settings so that the firewall interface rejects communications originating from a specific source IP address and port number and forwards communications from all other sources.

Presumed case for sample setting

  • To reject communications originating from a host having an IP address “192.168.2.13” and port number 80 (HTTP return packet)

  • To enable for traffic which is input to interface “dp0s5”

  • To accept and forward all communications originating from hosts other than “192.168.2.13” with port number 80

Configuration diagram
Fig7

Setting flow in a presumed case

1. Packet filtering setting name test_rule
2. Setting rule 10 by which packets whose source has an IP address “192.168.2.13” and port number 80 are rejected
3. Setting for accepting packets whose sources are other than the one having an IP address “192.168.2.13” and port number 80
4. Applying in the input direction at the dp0s5 interface

Command to be entered with CLI

set interfaces dataplane dp0s5 firewall in 'test_rule'
set security firewall name test_rule default-action 'accept'
set security firewall name test_rule rule 10 action 'drop'
set security firewall name test_rule rule 10 protocol 'tcp'
set security firewall name test_rule rule 10 source address '192.168.2.13'
set security firewall name test_rule rule 10 source port '80'

Note

To apply the filtering setting in the output direction, based on the same policy as the presumed case, specify in the form of “out test_rule” through the dp0s6 interface.

The configuration after completion of appropriate settings is as follows.
interfaces {
       dataplane dp0s4 {
               address 192.168.1.50/24
       }
       dataplane dp0s5 {
               address 192.168.2.50/24
               firewall {
                       in test_rule
               }
       }
       dataplane dp0s6 {
               address 192.168.3.5/24
       }
}
security {
       firewall {
               name test_rule {
                       default-action accept
                       rule 10 {
                               action drop
                               protocol tcp
                               source {
                                       address 192.168.2.13
                                       port 80
                               }
                       }
               }
       }
}

Operation check result

The verification result log below shows that communications (Ping) forwarded to the destination having an IP address “192.168.2.12” and port number 80 succeeded, but communications forwarded from server “192.168.3.3” to the destination having an IP address “192.168.2.13” and port number 80 failed, and thus it was confirmed that the packet filtering function worked.
#192.168.2.12 -> OK

test@web1:~$ wget http://192.168.2.12
--2016-07-21 19:18:10--  http://192.168.2.12/
Connecting to 192.168.2.12:80 ... Connected.
200 OK
Length: 612 [text/html]
Save `index.html.6'

100%[=========================================================================================================================================================================>] 612         --.-K/s   Time 0s

2016-07-21 19:18:10 (144 MB/s) - `index.html.6'  [612/612]


#192.168.2.13 -> NG

test@web1:~$ wget http://192.168.2.13
--2016-07-21 19:18:13--  http://192.168.2.13/
Connecting to 192.168.2.13:80 ^C

Setting acceptance in terms of a source port number

Make settings so that the firewall interface accepts only communications originating from a host having a specific source IP address and port number and rejects all other communications.

Presumed case for sample setting

  • To forward only communications originating from a host having an IP address “192.168.2.13” and port number 80 (HTTP return packet)

  • To enable for traffic which is input to interface “dp0s5”

  • To reject all communications other than those originating from the host having an IP address “192.168.2.13” and port number 80

Configuration diagram
Fig8

Setting flow in a presumed case

1. Packet filtering setting name test_rule
2. Setting rule 10 by which packets whose source has an IP address “192.168.2.13” and port number 80 are accepted
3. Setting for rejecting packets whose sources are other than the one having an IP address “192.168.2.13” and port number 80
4. Applying in the input direction at the dp0s5 interface

Command to be entered with CLI

set interfaces dataplane dp0s5 firewall in 'test_rule'
set security firewall name test_rule default-action 'drop'
set security firewall name test_rule rule 10 action 'accept'
set security firewall name test_rule rule 10 protocol 'tcp'
set security firewall name test_rule rule 10 source address '192.168.2.13'
set security firewall name test_rule rule 10 source port '80'

Note

To apply the filtering setting in the output direction, based on the same policy as the presumed case, specify in the form of “out test_rule” through the dp0s6 interface.

The configuration after completion of appropriate settings is as follows.
interfaces {
       dataplane dp0s4 {
               address 192.168.1.50/24
       }
       dataplane dp0s5 {
               address 192.168.2.50/24
               firewall {
                       in test_rule
               }
       }
       dataplane dp0s6 {
               address 192.168.3.5/24
       }
}
security {
       firewall {
               name test_rule {
                       default-action drop
                       rule 10 {
                               action accept
                               protocol tcp
                               source {
                                       address 192.168.2.13
                                       port 80
                               }
                       }
               }
       }
}

Operation check result

The verification result log below shows that communications forwarded to the destination having an IP address “192.168.2.13” and port number 80 succeeded, but communications forwarded from server “192.168.3.3” to the destination having an IP address “192.168.2.12” and port number 80 failed, and thus it was confirmed that the packet filtering function worked.
#192.168.2.12 -> NG

test@web1:~$ wget http://192.168.2.12
--2016-07-21 17:53:12--  http://192.168.2.12/
Connecting to 192.168.2.12:80 ... ^C


#192.168.2.13 -> OK

test@web1:~$ wget http://192.168.2.13
--2016-07-21 17:53:07--  http://192.168.2.13/
Connecting to 192.168.2.13:80 ... Connected
200 OK
Length: 612 [text/html]
`index.html.4'

100%[=========================================================================================================================================================================>] 612         --.-K/s   Time 0s

2016-07-21 17:53:07 (140 MB/s) - `index.html.4' Saved [612/612]

Setting rejection in terms of a source port number (range specification)

Make settings so that the firewall interface rejects only communications which use specific source port numbers (range specification) and forwards all other communications.

Presumed case for sample setting

  • To reject only communications which use source port numbers 1080 to 1081

  • To enable for traffic which is input to interface “dp0s6”

  • To forward all communications other than those which use source port numbers 1080 to 1081

Configuration diagram
Fig9

Setting flow in a presumed case

1. Packet filtering setting name test_rule
2. Setting rule 10 by which packets that use source port numbers 1080 to 1081 are rejected
3. Setting for accepting packets which use source port numbers other than 1080 to 1081
4. Applying in the input direction at the dp0s6 interface

Command to be entered with CLI

set interfaces dataplane dp0s6 firewall in 'test_rule'
set security firewall name test_rule default-action 'accept'
set security firewall name test_rule rule 10 action 'drop'
set security firewall name test_rule rule 10 protocol 'tcp'
set security firewall name test_rule rule 10 source port '1080-1081'

Note

To apply the filtering setting in the output direction, based on the same policy as the presumed case, specify in the form of “out test_rule” through the dp0s6 interface.

The configuration after completion of appropriate settings is as follows.
interfaces {
       dataplane dp0s4 {
               address 192.168.1.50/24
       }
       dataplane dp0s5 {
               address 192.168.2.50/24
       }
       dataplane dp0s6 {
               address 192.168.3.5/24
               firewall {
                       in test_rule
               }
       }
}
security {
       firewall {
               name test_rule {
                       default-action accept
                       rule 10 {
                               action drop
                               protocol tcp
                               source {
                                       port 1080-1081
                               }
                       }
               }
       }
}

Operation check result

The verification result log below shows that communications forwarded from server “192.168.2.12” in the configuration diagram to the destination having an IP address “192.168.3.3” and port number 80 succeeded, but communications forwarded from server “192.168.2.12” to the destination having an IP address “192.168.3.3” and port numbers 1080 and 1081 failed, and thus it was confirmed that the packet filtering function worked.
#port 80 -> OK

test@ubu01:~$ wget -O - http://192.168.3.3/ > /dev/null
--2016-07-29 16:12:41--  http://192.168.3.3/
Connecting to 192.168.3.3:80 ... Connected
200 OK
Length: 616 [text/html]
Save `STDOUT'

100%[========================================================================================================================================================================================================>] 616         --.-K/s   Time 0s

2016-07-29 16:12:41 (103 MB/s) - stdout saved [616/616]


#port 1080 -> NG

test@ubu01:~$ wget -O - http://192.168.3.3:1080/ > /dev/null
--2016-07-29 16:12:46--  http://192.168.3.3:1080/
Connecting to 192.168.3.3:1080 ... ^C

#port 1081 -> NG

test@ubu01:~$ wget -O - http://192.168.3.3:1081/ > /dev/null
--2016-07-29 16:13:06--  http://192.168.3.3:1081/
Connecting to 192.168.3.3:1081 ... ^C

Setting acceptance in terms of a source port number (range specification)

Make settings so that the firewall interface accepts only communications which use specific source port numbers (range specification) and rejects all other communications.

Presumed case for sample setting

  • To forward only communications which use source port numbers 1080 to 1081

  • To enable for traffic which is input to interface “dp0s6”

  • To reject all communications other than those which use source port numbers 1080 to 1081

Configuration diagram
Fig10

Setting flow in a presumed case

1. Packet filtering setting name test_rule
2. Setting rule 10 by which packets that use source port numbers 1080 to 1081 are accepted
3. Setting for rejecting packets which use source port numbers other than 1080 to 1081
4. Applying in the input direction at the dp0s6 interface

Command to be entered with CLI

set interfaces dataplane dp0s6 firewall in 'test_rule'
set security firewall name test_rule default-action 'drop'
set security firewall name test_rule rule 10 action 'accept'
set security firewall name test_rule rule 10 protocol 'tcp'
set security firewall name test_rule rule 10 source port '1080-1081'

Note

To apply the filtering setting in the output direction, based on the same policy as the presumed case, specify in the form of “out test_rule” through the dp0s6 interface.

The configuration after completion of appropriate settings is as follows.
interfaces {
       dataplane dp0s4 {
               address 192.168.1.50/24
       }
       dataplane dp0s5 {
               address 192.168.2.50/24
       }
       dataplane dp0s6 {
               address 192.168.3.5/24
               firewall {
                       in test_rule
               }
       }
}
security {
       firewall {
               name test_rule {
                       default-action drop
                       rule 10 {
                               action accept
                               protocol tcp
                               source {
                                       port 1080-1081
                               }
                       }
               }
       }
}

Operation check result

The verification result log below shows that communications forwarded from server “192.168.2.12” in the configuration diagram to the destination having an IP address “192.168.3.3” and port numbers 1080/1081 succeeded, but communications forwarded from server “192.168.2.12” to the destination having an IP address “192.168.3.3” and port number 80 failed, and thus it was confirmed that the packet filtering function worked.
#port 80 traffic -> NG

test@ubu01:~$ wget -O - http://192.168.3.3/ > /dev/null
--2016-07-29 15:50:06--  http://192.168.3.3/
192.168.3.3:80 に接続しています... ^C
test@ubu01:~$

#port 1080 traffic -> OK

test@ubu01:~$ wget -O - http://192.168.3.3:1080/ > /dev/null
--2016-07-29 15:52:26--  http://192.168.3.3:1080/
192.168.3.3:1080 に接続しています... 接続しました。
HTTP による接続要求を送信しました、応答を待っています... 200 OK
長さ: 616 [text/html]
`STDOUT' に保存中

100%[========================================================================================================================================================================================================>] 616         --.-K/s   時間 0s

2016-07-29 15:52:26 (176 MB/s) - stdout へ出力完了 [616/616]


#port 1081 traffic -> OK

test@ubu01:~$ wget -O - http://192.168.3.3:1081/ > /dev/null
--2016-07-29 15:52:31--  http://192.168.3.3:1081/
192.168.3.3:1081 に接続しています... 接続しました。
HTTP による接続要求を送信しました、応答を待っています... 200 OK
長さ: 616 [text/html]
`STDOUT' に保存中

100%[========================================================================================================================================================================================================>] 616         --.-K/s   時間 0s

2016-07-29 15:52:31 (146 MB/s) - stdout へ出力完了 [616/616]

Setting rejection in terms of a source port number (service group)

Define the service group and set the port numbers to be included in the group.
Then make settings so that the firewall interface rejects communications which use port numbers registered in the service group as source port numbers and forwards communications which use other source port numbers.

Note

The service group (port-group setting) is a list in which multiple port numbers are registered. Grouping allows one policy to be applied to the whole list.

Presumed case for sample setting

  • To reject only communications which use source port numbers 1080 and 1081

  • To set the port numbers above as service group members

  • To enable for traffic which is input to interface “dp0s6”

  • To forward all communications other than those which use source port numbers 1080 to 1081

Configuration diagram
Fig9

Setting flow in a presumed case

1. Packet filtering setting name test_rule
2. Setting port numbers 1080 and 1081 into service group p1
3. Setting rule 10 by which packets whose source port is in service group p1 are rejected
4. Setting for accepting packets which use source port numbers other than those in service group p1
5. Applying in the input direction at the dp0s6 interface

Command to be entered with CLI

set interfaces dataplane dp0s6 firewall in 'test_rule'
set resources group port-group p1 port '1080'
set resources group port-group p1 port '1081'
set security firewall name test_rule default-action 'accept'
set security firewall name test_rule rule 10 action 'drop'
set security firewall name test_rule rule 10 protocol 'tcp'
set security firewall name test_rule rule 10 source port 'p1'

Note

To apply the filtering setting in the output direction, based on the same policy as the presumed case, specify in the form of “out test_rule” through the dp0s6 interface.

The configuration after completion of appropriate settings is as follows.
interfaces {
        dataplane dp0s4 {
                address 192.168.1.50/24
        }
        dataplane dp0s5 {
                address 192.168.2.50/24
        }
        dataplane dp0s6 {
                address 192.168.3.5/24
                firewall {
                        in test_rule
                }
        }
}
resources {
        group {
                port-group p1 {
                        port 1080
                        port 1081
                }
        }
}
security {
        firewall {
                name test_rule {
                        default-action accept
                        rule 10 {
                                action drop
                                protocol tcp
                                source {
                                        port p1
                                }
                        }
                }
        }
}

Operation check result

The verification result log below shows that communications forwarded from server “192.168.2.12” in the configuration diagram to the destination having an IP address “192.168.3.3” and port number 80 succeeded, but communications forwarded from server “192.168.2.12” to the destination having an IP address “192.168.3.3” and port numbers 1080 and 1081 failed, and thus it was confirmed that the packet filtering function worked.
#port 80 traffic -> OK

test@ubu01:~$ wget -O - http://192.168.3.3/ > /dev/null
--2016-07-29 16:21:58--  http://192.168.3.3/
192.168.3.3:80 に接続しています... 接続しました。
HTTP による接続要求を送信しました、応答を待っています... 200 OK
長さ: 616 [text/html]
`STDOUT' に保存中

100%[========================================================================================================================================================================================================>] 616         --.-K/s   時間 0s

2016-07-29 16:21:58 (168 MB/s) - stdout へ出力完了 [616/616]


#port 1080 traffic -> NG

test@ubu01:~$ wget -O - http://192.168.3.3:1080/ > /dev/null
--2016-07-29 16:22:03--  http://192.168.3.3:1080/
192.168.3.3:1080 に接続しています... ^C

#port 1081 traffic -> NG

test@ubu01:~$
test@ubu01:~$ wget -O - http://192.168.3.3:1081/ > /dev/null
--2016-07-29 16:22:08--  http://192.168.3.3:1081/
192.168.3.3:1081 に接続しています... ^C

Setting acceptance in terms of a source port number (service group)

Define the service group and set the port numbers to be included in the group.
Then make settings so that the firewall interface forwards communications which use port numbers registered in the service group as source port numbers and rejects communications which use other source port numbers.

Note

The service group (port-group setting) is a list in which multiple port numbers are registered. Grouping allows one policy to be applied to the whole list.

Presumed case for sample setting

  • To forward only communications which use source port numbers 1080 and 1081

  • To set the port numbers above as service group members

  • To enable for traffic which is input to interface “dp0s6”

  • To reject all communications other than those which use source port numbers 1080 and 1081

Configuration diagram
Fig10

Setting flow in a presumed case

1. Packet filtering setting name test_rule
2. Setting port numbers 1080 and 1081 into service group p1
3. Setting rule 10 by which packets whose source port is in service group p1 are accepted
4. Setting for rejecting packets which use source port numbers other than those in service group p1
5. Applying in the input direction at the dp0s6 interface

Command to be entered with CLI

set interfaces dataplane dp0s6 firewall in 'test_rule'
set resources group port-group p1 port '1080'
set resources group port-group p1 port '1081'
set security firewall name test_rule default-action 'drop'
set security firewall name test_rule rule 10 action 'accept'
set security firewall name test_rule rule 10 protocol 'tcp'
set security firewall name test_rule rule 10 source port 'p1'

Note

To apply the filtering setting in the output direction, based on the same policy as the presumed case, specify in the form of “out test_rule” through the dp0s6 interface.

The configuration after completion of appropriate settings is as follows.
interfaces {
       dataplane dp0s4 {
               address 192.168.1.50/24
       }
       dataplane dp0s5 {
               address 192.168.2.50/24
       }
       dataplane dp0s6 {
               address 192.168.3.5/24
               firewall {
                       in test_rule
               }
       }
}
resources {
       group {
               port-group p1 {
                       port 1080
                       port 1081
               }
       }
}
security {
       firewall {
               name test_rule {
                       default-action drop
                       rule 10 {
                               action accept
                               protocol tcp
                               source {
                                       port p1
                               }
                       }
               }
       }
}

Operation check result

The verification result log below shows that communications forwarded from server “192.168.2.12” in the configuration diagram to the destination having an IP address “192.168.3.3” and port numbers 1080/1081 succeeded, but communications forwarded from server “192.168.2.12” to the destination having an IP address “192.168.3.3” and port number 80 failed, and thus it was confirmed that the packet filtering function worked.
#port 80 traffic -> NG

test@ubu01:~$ wget -O - http://192.168.3.3/ > /dev/null
--2016-07-29 16:35:51--  http://192.168.3.3/
192.168.3.3:80 に接続しています... ^C

#port 1080 traffic -> OK

test@ubu01:~$ wget -O - http://192.168.3.3:1080/ > /dev/null
--2016-07-29 16:35:56--  http://192.168.3.3:1080/
192.168.3.3:1080 に接続しています... 接続しました。
HTTP による接続要求を送信しました、応答を待っています... 200 OK
長さ: 616 [text/html]
`STDOUT' に保存中

100%[========================================================================================================================================================================================================>] 616         --.-K/s   時間 0s

2016-07-29 16:35:56 (175 MB/s) - stdout へ出力完了 [616/616]


#port 1081 traffic -> OK

test@ubu01:~$ wget -O - http://192.168.3.3:1081/ > /dev/null
--2016-07-29 16:36:02--  http://192.168.3.3:1081/
192.168.3.3:1081 に接続しています... 接続しました。
HTTP による接続要求を送信しました、応答を待っています... 200 OK
長さ: 616 [text/html]
`STDOUT' に保存中

100%[========================================================================================================================================================================================================>] 616         --.-K/s   時間 0s

2016-07-29 16:36:02 (171 MB/s) - stdout へ出力完了 [616/616]
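The following model of the rule evaluation used in all six cases above (default action plus one numbered rule keyed on source address, a single source port, a port range, or a port-group) is an added example written for this page; it is not vRouter code and not a stateful emulation of the appliance. It shows why every operation check uses the server's reply: the packet entering the "in" interface on the server's side carries the requested port as its source port, so that is what a source-port rule matches. The client port 40000 and the dictionary keys are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

@dataclass
class Rule:
    number: int
    action: str                      # 'accept' or 'drop'
    protocol: Optional[str] = None   # e.g. 'tcp'; None matches any protocol
    src_addr: Optional[str] = None   # host address or CIDR prefix
    src_port: Optional[str] = None   # '80', a range '1080-1081', or a port-group name

@dataclass
class Firewall:
    name: str
    default_action: str              # applied when no rule matches
    rules: list = field(default_factory=list)
    port_groups: dict = field(default_factory=dict)  # 'resources group port-group' contents

    def _port_matches(self, spec: str, port: int) -> bool:
        if spec in self.port_groups:             # service group member?
            return port in self.port_groups[spec]
        if "-" in spec:                          # inclusive range such as 1080-1081
            lo, hi = (int(x) for x in spec.split("-", 1))
            return lo <= port <= hi
        return port == int(spec)

    def _rule_matches(self, rule: Rule, pkt: Packet) -> bool:
        if rule.protocol and rule.protocol != pkt.proto:
            return False
        if rule.src_addr and ip_address(pkt.src_ip) not in ip_network(rule.src_addr, strict=False):
            return False
        if rule.src_port and not self._port_matches(rule.src_port, pkt.src_port):
            return False
        return True

    def decide(self, pkt: Packet) -> str:
        """First matching rule (lowest number) wins; otherwise the default action."""
        for rule in sorted(self.rules, key=lambda r: r.number):
            if self._rule_matches(rule, pkt):
                return rule.action
        return self.default_action

def build_page_rulesets() -> dict:
    """The rule sets from this page (the range and port-group cases share one port set)."""
    return {
        "reject_host_port": Firewall("test_rule", "accept", [Rule(10, "drop", "tcp", "192.168.2.13", "80")]),
        "accept_host_port": Firewall("test_rule", "drop", [Rule(10, "accept", "tcp", "192.168.2.13", "80")]),
        "reject_range": Firewall("test_rule", "accept", [Rule(10, "drop", "tcp", None, "1080-1081")]),
        "accept_group": Firewall("test_rule", "drop", [Rule(10, "accept", "tcp", None, "p1")],
                                 {"p1": {1080, 1081}}),
    }

def reply_packet(client_ip: str, server_ip: str, port: int, proto: str = "tcp") -> Packet:
    """The server's reply to a client request: the requested port becomes the SOURCE port.
    This is what an 'in' rule on the server-side interface sees. Client port 40000 is constructed."""
    return Packet(server_ip, port, client_ip, 40000, proto)

if __name__ == "__main__":
    fws = build_page_rulesets()
    cases = [("reject_host_port", "192.168.3.3", "192.168.2.13", 80),
             ("reject_range", "192.168.2.12", "192.168.3.3", 1081),
             ("accept_group", "192.168.2.12", "192.168.3.3", 80)]
    for name, client, server, port in cases:
        print(name, f"reply from {server}:{port} ->", fws[name].decide(reply_packet(client, server, port)))
```

Because rule 10 carries `protocol tcp`, a reply from 192.168.2.13 port 80 over another protocol falls through to the default action, which is worth remembering when a rule keyed on port does not block what you expect.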