Setting for Making the Packet Filtering Function Operate in the Stateful Manner

Operation Confirmed Version: Brocade 5600vRouter Version4.2R1S1
This section describes a case where the packet filtering function is operated in the stateful manner.

What is the stateful firewall function?

Brocade 5600vRouter can serve as a stateful firewall by operating the packet filtering function in the stateful manner.
When the stateful function is enabled, the firewall tracks the state of forwarded communications that pass through an interface with a firewall rule applied, and it automatically recognizes the returning communications of those flows and lets them pass.
This makes it unnecessary to set a rule that accepts returning communications.
By default, the packet filtering function works in the stateless manner.

Note

The stateful function can be enabled in two ways: for the entire firewall, or for each rule individually. The operation-confirmed setting examples below show one example of each way.

In Version5.2R4, the operational specifications of the global-state-policy option, which makes the packet filtering function work in the stateful manner for the entire firewall, have been changed from Version3.5R6S3 and Version4.2R1S1. For the changes, see 'Brocade Technical Bulletin (Version5.2R4)' or the operation-confirmed setting examples below.

Enabling the Stateful Function for All Packet Filtering Rules

This section describes a setting example for the case where the stateful function has been enabled for all packet filtering rules.

Presumed case for sample setting

  • To accept and forward FTP communications destined for “192.168.3.3”

  • To apply the rule to traffic which is input to interface “dp0s5”

  • To reject other communications which are input to interface “dp0s5”

  • To reject all communications which are input to interface “dp0s6”

  • To enable the stateful function for all packet filtering rules

Configuration diagram
Fig1

Setting flow in a presumed case

  1. Enabling the stateful firewall function for TCP communications

  2. Creating a packet filtering rule set named test_rule

  3. Setting rule 10, which accepts packets whose destination IP address is “192.168.3.3” and destination TCP port number is 21

  4. Setting the default action to reject packets whose destination is other than IP address “192.168.3.3”, port number 21

  5. Applying test_rule in the input direction at interface “dp0s5”

  6. Creating a rule set named all_drop that rejects all communications

  7. Applying all_drop in the input direction at interface “dp0s6”

  8. (Version5.2R4 only) Creating a rule set named all_accept that accepts all communications

  9. (Version5.2R4 only) Setting rule 10, which accepts all packets

  10. (Version5.2R4 only) Enabling the stateful firewall function individually for rule 10

  11. (Version5.2R4 only) Applying all_accept in the output direction at interface “dp0s6”

Command to be entered with CLI

For Version4.2R1S1

set security firewall global-state-policy 'tcp'
set security firewall name test_rule default-action 'drop'
set security firewall name test_rule rule 10 action 'accept'
set security firewall name test_rule rule 10 destination address '192.168.3.3'
set security firewall name test_rule rule 10 destination port '21'
set security firewall name test_rule rule 10 protocol 'tcp'
set interfaces dataplane dp0s5 firewall in 'test_rule'
set security firewall name all_drop default-action 'drop'
set interfaces dataplane dp0s6 firewall in 'all_drop'

For Version5.2R4

set security firewall global-state-policy 'tcp'
set security firewall name test_rule default-action 'drop'
set security firewall name test_rule rule 10 action 'accept'
set security firewall name test_rule rule 10 destination address '192.168.3.3'
set security firewall name test_rule rule 10 destination port '21'
set security firewall name test_rule rule 10 protocol 'tcp'
set interfaces dataplane dp0s5 firewall in 'test_rule'
set security firewall name all_drop default-action 'drop'
set interfaces dataplane dp0s6 firewall in 'all_drop'
set security firewall name all_accept default-action 'accept'
set security firewall name all_accept rule 10 action 'accept'
set security firewall name all_accept rule 10 state 'enable'
set interfaces dataplane dp0s6 firewall out 'all_accept'

The configuration after completion of appropriate settings is as follows.

For Version4.2R1S1

interfaces {
        dataplane dp0s4 {
                address 192.168.1.50/24
        }
        dataplane dp0s5 {
                address 192.168.2.50/24
                firewall {
                        in test_rule
                }
        }
        dataplane dp0s6 {
                address 192.168.3.5/24
                firewall {
                        in all_drop
                }
        }
}
security {
        firewall {
                global-state-policy {
                        tcp
                }
                name all_drop {
                        default-action drop
                }
                name test_rule {
                        default-action drop
                        rule 10 {
                                action accept
                                destination {
                                        address 192.168.3.3
                                        port 21
                                }
                                protocol tcp
                        }
                }
        }
}

For Version5.2R4

interfaces {
        dataplane dp0s4 {
                address 192.168.1.50/24
        }
        dataplane dp0s5 {
                address 192.168.2.50/24
                firewall {
                        in test_rule
                }
        }
        dataplane dp0s6 {
                address 192.168.3.5/24
                firewall {
                        in all_drop
                        out all_accept
                }
        }
}
security {
        firewall {
                global-state-policy {
                        tcp
                }
                name all_accept {
                        default-action accept
                        rule 10 {
                                action accept
                                state enable
                        }
                }
                name all_drop {
                        default-action drop
                }
                name test_rule {
                        default-action drop
                        rule 10 {
                                action accept
                                destination {
                                        address 192.168.3.3
                                        port 21
                                }
                                protocol tcp
                        }
                }
        }
}

Operation check result

The verification log below shows that FTP communications from server “192.168.2.6” in the configuration diagram to the destination with IP address “192.168.3.3” and port number 21 succeeded.
Although interface “dp0s6” rejects all input communications, FTP authentication and data transfer both succeeded, which confirms that the stateful function worked.
#Ping to 192.168.3.3  -> NG

test@ubu01:~$ ping 192.168.3.3
PING 192.168.3.3 (192.168.3.3) 56(84) bytes of data.
^C
--- 192.168.3.3 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5038ms

#FTP to 192.168.3.3 -> OK

test@ubu01:~$ ftp 192.168.3.3
Connected to 192.168.3.3.
220 (vsFTPd 3.0.3)
Name (192.168.3.3:test): test
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx    2 1000     1000         4096 Sep 10  2015 aaa
-rw-r--r--    1 1000     1000         8980 Aug 31  2015 examples.desktop
-rw-rw-r--    1 1000     1000          612 Dec 02  2015 index.html
-rw-rw-r--    1 1000     1000        31272 Jun 13 10:48 ping.txt
drwxrwxr-x    2 1000     1000         4096 May 30 01:46 tmp
drwxr-x--x    8 1000     1000         4096 Jul 26 06:29 vsftpd-3.0.3
226 Directory send OK.
ftp>
ftp>
ftp> get index.html
local: index.html remote: index.html
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for index.html (612 bytes).
226 Transfer complete.
612 bytes received in 0.00 secs (4.4216 MB/s)
ftp> passive
Passive mode on.
ftp>
ftp> get index.html
local: index.html remote: index.html
227 Entering Passive Mode (192,168,3,3,104,143).
150 Opening BINARY mode data connection for index.html (612 bytes).
226 Transfer complete.
612 bytes received in 0.00 secs (6.0797 MB/s)

Enabling the Stateful Function for Discrete Packet Filtering Rules

This section describes a setting example for the case where the stateful function has been discretely enabled for each packet filtering rule.

Presumed case for sample setting

  • To accept and forward only ICMP communications (Ping) destined for “192.168.3.3”

  • To apply the rule to traffic which is input to interface “dp0s5”

  • To reject other communications which are input to interface “dp0s5”

  • To reject all communications which are input to interface “dp0s6”

  • To enable the stateful function only for the packet filtering rules that need it

Configuration diagram
Fig2

Setting flow in a presumed case

  1. Creating a packet filtering rule set named test_rule

  2. Setting rule 10, which accepts ICMP packets destined for “192.168.3.3”

  3. Enabling the stateful firewall function individually for rule 10

  4. Setting the default action to reject other packets whose destination address is “192.168.3.3”

  5. Applying test_rule in the input direction at interface “dp0s5”

  6. Creating a rule set named all_drop that rejects all communications

  7. Applying all_drop in the input direction at interface “dp0s6”

  8. Creating a rule set named all_accept that accepts all communications

  9. Setting rule 10, which accepts all packets

  10. Enabling the stateful firewall function individually for rule 10

  11. Applying all_accept in the output direction at interface “dp0s6”

Note

Points to note when applying the stateful function to each packet filtering rule individually

The communications that establish the first connection must match a packet filtering rule with the stateful function applied at each interface they pass through. In the case presumed here, communications enter at dp0s5 and leave from dp0s6, so a packet filtering rule with the stateful function enabled is applied at each of those interfaces.
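As an added example, not part of the original document or of Brocade's code, the following Python model reproduces the behaviour described in this Note and in "What is the stateful firewall function?" above: the first packet of a flow is tracked only when it matches a stateful rule (per-rule state enable, or a protocol named in global-state-policy) at every interface that has a rule set bound in its direction, and returning packets of a tracked flow pass even through a rule set whose default-action is drop. The session table keyed on a 5-tuple, the Pkt/Rule/RuleSet names and the ftp_case/icmp_case builders are this example's own assumptions, not vRouter internals.

```python
from collections import namedtuple

# Packet 5-tuple (ports stay 0 for ICMP); a None rule field matches anything, like an omitted match field.
Pkt = namedtuple("Pkt", "src dst proto sport dport", defaults=(0, 0))
Rule = namedtuple("Rule", "action proto dst dport state", defaults=(None, None, None, False))
RuleSet = namedtuple("RuleSet", "default_action rules")

def matches(rule, p):
    want = ((rule.proto, p.proto), (rule.dst, p.dst), (rule.dport, p.dport))
    return all(r is None or r == v for r, v in want)

class Firewall:
    def __init__(self, global_state_policy=()):
        self.global_state = set(global_state_policy)  # protocols named in global-state-policy
        self.bindings = {}      # (interface, "in" | "out") -> RuleSet
        self.sessions = set()   # 5-tuples of the flows being tracked (model assumption)

    def forward(self, p, ingress, egress):
        """Decide one packet entering `ingress` and leaving `egress`: "accept" or "drop"."""
        key = (p.src, p.dst, p.proto, p.sport, p.dport)
        if key in self.sessions or (p.dst, p.src, p.proto, p.dport, p.sport) in self.sessions:
            return "accept"   # return traffic of a tracked flow passes despite all_drop on dp0s6
        stateful = True
        for binding in ((ingress, "in"), (egress, "out")):
            rs = self.bindings.get(binding)
            if rs is None:    # no rule set bound in this direction: nothing to match
                continue
            hit = next((r for r in rs.rules if matches(r, p)), None)
            if (hit.action if hit else rs.default_action) != "accept":
                return "drop"
            stateful &= bool(hit) and (hit.state or p.proto in self.global_state)
        if stateful:          # the Note: a stateful match at every filtered interface
            self.sessions.add(key)
        return "accept"

def ftp_case():
    """First section (Version4.2R1S1): global-state-policy tcp, test_rule in on dp0s5, all_drop in on dp0s6."""
    fw = Firewall(global_state_policy=("tcp",))
    fw.bindings["dp0s5", "in"] = RuleSet("drop", [Rule("accept", "tcp", "192.168.3.3", 21)])
    fw.bindings["dp0s6", "in"] = RuleSet("drop", [])
    return fw

def icmp_case(egress_stateful=True):
    """Second section: state enable on test_rule (dp0s5 in) and on all_accept (dp0s6 out)."""
    fw = Firewall()
    fw.bindings["dp0s5", "in"] = RuleSet("drop", [Rule("accept", "icmp", "192.168.3.3", state=True)])
    fw.bindings["dp0s6", "in"] = RuleSet("drop", [])
    fw.bindings["dp0s6", "out"] = RuleSet("accept", [Rule("accept", state=egress_stateful)])
    return fw
```

Calling icmp_case(egress_stateful=False) shows the failure mode the Note warns about: the first echo request is still forwarded, but no session is created, so the echo reply arriving at dp0s6 is dropped by all_drop.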

Command to be entered with CLI

set security firewall name test_rule default-action 'drop'
set security firewall name test_rule rule 10 action 'accept'
set security firewall name test_rule rule 10 destination address '192.168.3.3'
set security firewall name test_rule rule 10 protocol 'icmp'
set security firewall name test_rule rule 10 state 'enable'
set security firewall name all_drop default-action 'drop'
set security firewall name all_accept default-action 'accept'
set security firewall name all_accept rule 10 action 'accept'
set security firewall name all_accept rule 10 state 'enable'
set interfaces dataplane dp0s5 firewall in 'test_rule'
set interfaces dataplane dp0s6 firewall in 'all_drop'
set interfaces dataplane dp0s6 firewall out 'all_accept'

The configuration after completion of appropriate settings is as follows.

interfaces {
        dataplane dp0s4 {
                address 192.168.1.50/24
        }
        dataplane dp0s5 {
                address 192.168.2.50/24
                firewall {
                        in test_rule
                }
        }
        dataplane dp0s6 {
                address 192.168.3.5/24
                firewall {
                        in all_drop
                        out all_accept
                }
        }
}
security {
        firewall {
                name all_accept {
                        default-action accept
                        rule 10 {
                                action accept
                                state enable
                        }
                }
                name all_drop {
                        default-action drop
                }
                name test_rule {
                        default-action drop
                        rule 10 {
                                action accept
                                destination {
                                        address 192.168.3.3
                                }
                                protocol icmp
                                state enable
                        }
                }
        }
}

Operation check result

The verification log below shows that ICMP communications (Ping) from server “192.168.2.6” in the configuration diagram to “192.168.3.3” succeeded.
Although interface “dp0s6” rejects all input communications, the firewall recognized the returning communications (Ping replies) and let them pass, which confirms that the stateful function enabled for the individual rule worked.
#Ping to 192.168.3.3 -> OK

test@ubu01:~$ ping 192.168.3.3
PING 192.168.3.3 (192.168.3.3) 56(84) bytes of data.
64 bytes from 192.168.3.3: icmp_seq=1 ttl=63 time=3.59 ms
64 bytes from 192.168.3.3: icmp_seq=2 ttl=63 time=1.46 ms
64 bytes from 192.168.3.3: icmp_seq=3 ttl=63 time=1.45 ms
64 bytes from 192.168.3.3: icmp_seq=4 ttl=63 time=1.64 ms
64 bytes from 192.168.3.3: icmp_seq=5 ttl=63 time=1.59 ms
^C
--- 192.168.3.3 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 1.455/1.948/3.591/0.825 ms

#SSH to 192.168.3.3 -> NG

test@ubu01:~$ ssh -l user01 192.168.3.3
^C