Setting Change for the Case Where the Stateful Function Has Been Enabled for All Packet Filtering Rules

Operation Confirmed Version:
 Brocade 5600vRouter Version4.2R1S1

This section gives a configuration example for the transition to Version5.2R4 in the case where, on Version3.5R6S3 or Version4.2R1S1, the stateful function has already been enabled for all packet filtering rules through the global-state-policy option.

Option concerned

set security firewall global-state-policy 'tcp'
set security firewall global-state-policy 'udp'
set security firewall global-state-policy 'icmp'

Note

  • For the change to the option (global-state-policy) that makes the packet filtering function operate in the stateful manner for the entire firewall, see the Brocade Technical Bulletin.

Outline of Operations on Version4.2R1S1 and Earlier

This section outlines the operation in the case where the stateful function has been enabled for all packet filtering rules on Version3.5R6S3 or Version4.2R1S1.

Outline of operations

  • The stateful function is enabled for all packet filtering rules.

  • A filtering rule that allows only specific packets to pass is created and applied to traffic input to interface “dp0s5”.

  • A filtering rule that rejects all traffic is created and applied to traffic input to interface “dp0s4”.

  • For packets accepted by the input filter rule of interface “dp0s5” and passed out through interface “dp0s4”, the returning packets are accepted dynamically regardless of the input rule of interface “dp0s4”. This is because a session-table entry is registered for each interface the packet passes, and an implicit acceptance filter exists.

Configuration diagram

Fig1

Outline of Operations on Version5.2R4

This section outlines the operation in the case where the stateful function has been enabled for all packet filtering rules on Version5.2R4.

Outline of operations

  • The stateful function is enabled for all packet filtering rules.

  • A filtering rule that allows only specific packets to pass is created and applied to traffic input to interface “dp0s5”.

  • A filtering rule that accepts traffic is created and applied to traffic output from interface “dp0s4”.

  • A filtering rule that rejects all traffic is created and applied to traffic input to interface “dp0s4”.

  • For packets accepted by the input filter rule of interface “dp0s5” and by the output rule of interface “dp0s4”, and so passed through the firewall, the returning packets are accepted dynamically regardless of the input rule of interface “dp0s4”. This is because a session-table entry is registered for each interface the packet passes; the output rule on “dp0s4” is what registers the entry on that interface.

Configuration diagram

Fig2

Setting Change Example

This section shows an example of the setting change for the transition to Version5.2R4.

Presumed case for the sample setting

  • To accept and forward FTP (TCP port 21) communications destined for “192.168.3.3”

  • To apply this rule to traffic input to interface “dp0s5”

  • To reject all other communications input to interface “dp0s5”

  • To reject all communications input to interface “dp0s6”

  • To enable the stateful function for all packet filtering rules

Configuration diagram

Fig3

Configuration entered at the CLI before the setting change

set security firewall global-state-policy 'tcp'
set security firewall name test_rule default-action 'drop'
set security firewall name test_rule rule 10 action 'accept'
set security firewall name test_rule rule 10 destination address '192.168.3.3'
set security firewall name test_rule rule 10 destination port '21'
set security firewall name test_rule rule 10 protocol 'tcp'
set interfaces dataplane dp0s5 firewall in 'test_rule'
set security firewall name all_drop default-action 'drop'
set interfaces dataplane dp0s6 firewall in 'all_drop'

Setting change flow for the presumed case

  1. Create a rule set named all_accept for accepting all communications

  2. Add rule 10, by which all packets are accepted

  3. Enable the stateful function individually on rule 10 (state enable)

  4. Apply the rule set in the output direction on interface “dp0s6”

Note

Restrictions for change of the setting

  • When NAT is in use, check whether the rule specifies an address that is the target of NAT translation. If it does, the output-side rule must use the post-translation address, because the output-side rule is applied after NAT translation. A separate rule for the output side therefore needs to be created.

  • If a rule exists that has no protocol specified, either the protocol set with global-state-policy must be specified on that rule or “state enable” must be set on it. A rule without either setting is not treated as stateful, so the communications corresponding to that rule are not possible even though “accept” has been set.

  • When a rule that accepts everything is created for the output side, it is not sufficient to set only “accept” as the default-action: a discrete rule must specify a protocol (icmp, tcp, udp) that is set with global-state-policy, or an acceptance rule with state enable must be created. A setting example is described below.

  • When a rule that accepts everything is applied to the output side, communications that are practically unneeded (VRRP advertisements, etc.) may be registered in the session-table and the session-log.

Commands to be entered at the CLI

set security firewall name all_accept default-action 'accept'
set security firewall name all_accept rule 10 action 'accept'
set security firewall name all_accept rule 10 state 'enable'
set interfaces dataplane dp0s6 firewall out 'all_accept'

The configuration after the change has been completed is as follows.

interfaces {
       dataplane dp0s4 {
               address 192.168.1.11/24
       }
       dataplane dp0s5 {
               address 192.168.2.50/24
               firewall {
                       in test_rule
               }
       }
       dataplane dp0s6 {
               address 192.168.3.5/24
               firewall {
                       in all_drop
                       out all_accept
               }
       }
       dataplane dp0s7
       loopback lo
}
security {
       firewall {
               global-state-policy {
                       tcp
               }
               name all_accept {
                       default-action accept
                       rule 10 {
                               action accept
                               state enable
                       }
               }
               name all_drop {
                       default-action drop
               }
               name test_rule {
                       default-action drop
                       rule 10 {
                               action accept
                               destination {
                                       address 192.168.3.3
                                       port 21
                               }
                               protocol tcp
                       }
               }
       }
}

Operation check result

The verification log below shows that FTP communications from host “192.168.2.6” in the configuration diagram to the destination with IP address “192.168.3.3” and port number 21 were possible.

Although interface “dp0s6” rejects all input communications, the success of FTP authentication and data transfer, in both active (PORT) and passive mode, confirms that the stateful function worked.

#192.168.3.3 via ping -> NG

ubuntu@ubuntu2:~$ ping 192.168.3.3
PING 192.168.3.3 (192.168.3.3) 56(84) bytes of data.
^C
--- 192.168.3.3 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5039ms


#192.168.3.3 via FTP -> OK

ubuntu@ubuntu2:~$ ftp 192.168.3.3
Connected to 192.168.3.3.
220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:192.168.3.3]
Name (192.168.3.3:ubuntu):
331 Password required for ubuntu
Password:
230 User ubuntu logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,3,3,174,193).
150 Opening ASCII mode data connection for file list
-rw-rw-r--   1 ubuntu   ubuntu         13 May  9 06:10 index.html
drwxrwxr-x   2 ubuntu   ubuntu       4096 May  9 06:09 tool
226 Transfer complete
ftp> bin
200 Type set to I
ftp> get index.html
local: index.html remote: index.html
200 PORT command successful
150 Opening BINARY mode data connection for index.html (13 bytes)
226 Transfer complete
13 bytes received in 0.00 secs (38.2 kB/s)
ftp>
ftp> passive
Passive mode on.
ftp>
ftp>
ftp> get index.html
local: index.html remote: index.html
227 Entering Passive Mode (192,168,3,3,143,136).
150 Opening BINARY mode data connection for index.html (13 bytes)
226 Transfer complete
13 bytes received in 0.00 secs (81.9 kB/s)