10.2.3.3. Setting of a service group

Operation Confirmed Version:
Brocade 5600 vRouter Version 4.2R1S1

What is a service group?

In the rules written for packet filtering with the firewall function, it is possible to specify whether to allow communications that match a registered list (group) of port numbers or ICMP types.
This list is referred to as a service group.

Service group type   Description
Port group           This group uses port numbers. When the group is referenced in a rule, the protocol (TCP or UDP) must be specified separately.
ICMP group           This group uses ICMP names and type values. When type values are used, more detailed grouping by code value is also possible.

Note

For the setting with a port group, also see the operation-confirmed setting examples (packet filtering setting).

Setting for grouping arbitrary multiple port numbers for filtering

When configuring a service group, any number of arbitrary port numbers can be grouped together.
In the settings, such a group is referred to as a port group.
A created port group can be used in a firewall filtering rule.

Presumed case for sample setting

  • To forward only communications which use destination port numbers 1080 to 1081

  • To set the port numbers above as a port group

  • To enable for traffic which is input to interface “dp0s5”

  • To reject all communications other than those which use destination port numbers 1080 to 1081

Configuration diagram
Fig18

Setting flow in a presumed case

1. Setting port numbers 1080 and 1081 into port group p1
2. Packet filtering setting name test_rule
3. Setting rule 10 by which packets of port group p1 are accepted
4. Setting for rejecting packets which use destination port numbers other than port group p1
5. Applying in the input direction at the dp0s5 interface

Command to be entered with CLI

set resources group port-group p1 port '1080'
set resources group port-group p1 port '1081'
set security firewall name test_rule default-action 'drop'
set security firewall name test_rule rule 10 action 'accept'
set security firewall name test_rule rule 10 destination port 'p1'
set security firewall name test_rule rule 10 protocol 'tcp'
set interfaces dataplane dp0s5 firewall in 'test_rule'

The configuration after completion of the settings is as follows.

interfaces {
        dataplane dp0s4 {
                address 192.168.1.50/24
        }
        dataplane dp0s5 {
                address 192.168.2.50/24
                firewall {
                        in test_rule
                }
        }
        dataplane dp0s6 {
                address 192.168.3.5/24
        }
}
resources {
        group {
                port-group p1 {
                        port 1080
                        port 1081
                }
        }
}
security {
        firewall {
                name test_rule {
                        default-action drop
                        rule 10 {
                                action accept
                                destination {
                                        port p1
                                }
                                protocol tcp
                        }
                }
        }
}

Operation check result

The verification result log below shows that communications forwarded from server “192.168.2.12” in the configuration diagram to the destination with IP address “192.168.3.3” and port numbers 1080/1081 succeeded, but communications from the same server to “192.168.3.3” on port number 80 failed. This confirms that the packet filtering function worked.

#port 80 -> NG

test@ubu01:~$ wget -O - http://192.168.3.3
--2016-07-29 16:35:51--  http://192.168.3.3/
Connecting to 192.168.3.3:80

#port 1080 -> OK

test@ubu01:~$ wget -O - http://192.168.3.3:1080
--2016-07-29 16:35:56--  http://192.168.3.3:1080/
Connecting to 192.168.3.3:1080 ... Connected
200 OK
Length: 616 [text/html]
Save `STDOUT'

100%[========================================================================================================================================================================================================>] 616         --.-K/s   Time 0s

2016-07-29 16:35:56 (175 MB/s) - stdout  [616/616]

#port 1081 -> OK

test@ubu01:~$ wget -O - http://192.168.3.3:1081
--2016-07-29 16:36:02--  http://192.168.3.3:1081/
Connecting to 192.168.3.3:1081 ... Connected
200 OK
Length: 616 [text/html]
Save `STDOUT'

100%[========================================================================================================================================================================================================>] 616         --.-K/s   Time 0s

2016-07-29 16:36:02 (171 MB/s) - stdout  [616/616]

Setting for grouping arbitrary ICMP types for filtering

When configuring a service group, it is possible to select and set the ICMP name and the ICMP type value (optionally with a code value).
Such a group is called an ICMP group.
A created ICMP group can also be used in a firewall filtering rule.

Note

Grouping cannot be performed only with ICMP code values. When a code value is to be used, a type value is also required for grouping together.

The settable ICMP information can be identified with the following command.
set resources group icmp-group icmp-g1 name ?

Presumed case for sample setting

  • To set a rule which accepts only echo and echo-reply of ICMP

  • To set with a service group (ICMP group)

  • To make settings for rejecting all other communications

  • To apply to interface “dp0s6”

Configuration diagram
ServiceGroup ICMP group setting

Setting flow in a presumed case

1. Setting ICMP echo-request and ICMP echo-reply as ICMP group icmp-g1
2. Packet filtering setting name test_rule
3. Setting rule 10 by which packets matching ICMP group icmp-g1 are accepted
4. Setting for rejecting communications other than ICMP group icmp-g1
5. Applying in the input direction at the dp0s6 interface
6. Applying in the output direction at the dp0s6 interface

Command to be entered with CLI

set resources group icmp-group icmp-g1 name echo-reply
set resources group icmp-group icmp-g1 name echo-request
set security firewall name test_rule default-action drop
set security firewall name test_rule rule 10 icmp group icmp-g1
set security firewall name test_rule rule 10 action accept
set interfaces dataplane dp0s6 firewall in 'test_rule'
set interfaces dataplane dp0s6 firewall out 'test_rule'

Note

To specify the group members by ICMP type value instead of by name, create the group with the commands below instead of the name commands above (type 0 is echo-reply, type 8 is echo-request).

set resources group icmp-group icmp-g1 type 0
set resources group icmp-group icmp-g1 type 8

The configuration after completion of the settings is as follows.

interfaces {
        dataplane dp0s4 {
                address 192.168.1.50/24
        }
        dataplane dp0s5 {
                address 192.168.2.50/24
        }
        dataplane dp0s6 {
                address 192.168.3.5/24
                firewall {
                        in test_rule
                        out test_rule
                }
        }
}
resources {
        group {
                icmp-group icmp-g1 {
                        name echo-reply
                        name echo-request
                }
        }
}
security {
        firewall {
                name test_rule {
                        default-action drop
                        rule 10 {
                                action accept
                                icmp {
                                        group icmp-g1
                                }
                        }
                }
        }
}
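The following Python script is an added example, not code from the Brocade guide or from Brocade: it models the semantics behind both procedures on this page, the port-group rule set (test_rule on dp0s5) and the ICMP-group rule set (test_rule on dp0s6). It reads the page's own `set` commands, resolves the port-group and icmp-group references, and evaluates constructed packets with the default-action and lowest-rule-number-first behaviour the page describes. The second ruleset is renamed `icmp_rule` so both fit in one configuration; the packet field set, the function names and the `rules_missing_protocol` check are assumptions made for the example and not device behaviour.

```python
"""Added example (not from the Brocade guide): a small model of the firewall
semantics behind the port-group and ICMP-group procedures on this page.  It
reads 'set ...' commands as the page lists them, resolves port-group /
icmp-group references, and evaluates constructed packets with lowest-rule-
number-first matching and the ruleset's default-action.  Field coverage is
limited to what the page uses; anything beyond that is an assumption."""
import shlex
# RFC 792 type numbers for the two ICMP names the page uses.
ICMP_TYPES = {"echo-reply": 0, "echo-request": 8}

# Constructed input: the page's two command sets, the ICMP ruleset renamed
# icmp_rule so both rulesets can coexist in one configuration.
COMMANDS = """
set resources group port-group p1 port '1080'
set resources group port-group p1 port '1081'
set security firewall name test_rule default-action 'drop'
set security firewall name test_rule rule 10 action 'accept'
set security firewall name test_rule rule 10 destination port 'p1'
set security firewall name test_rule rule 10 protocol 'tcp'
set resources group icmp-group icmp-g1 name echo-reply
set resources group icmp-group icmp-g1 name echo-request
set security firewall name icmp_rule default-action drop
set security firewall name icmp_rule rule 10 icmp group icmp-g1
set security firewall name icmp_rule rule 10 action accept
"""

def parse_set_commands(text):
    """One path tuple per 'set' line; shlex strips the quotes the CLI accepts."""
    return [tuple(shlex.split(line)[1:])
            for line in text.splitlines() if line.strip().startswith("set ")]

def values(cfg, *prefix):
    """Leaf values configured directly under prefix (e.g. every 'port' of p1)."""
    n = len(prefix)
    return [p[n] for p in cfg if len(p) == n + 1 and p[:n] == prefix]

def children(cfg, *prefix):
    # Distinct next path elements under prefix (e.g. the rule numbers).
    n = len(prefix)
    return sorted({p[n] for p in cfg if len(p) > n and p[:n] == prefix})

def rule_matches(cfg, rule, pkt):
    proto = values(cfg, *rule, "protocol")
    if proto and pkt["proto"] != proto[0]:
        return False
    dport = values(cfg, *rule, "destination", "port")
    if dport:
        ref = dport[0]  # a port-group name or a literal port number
        grp = values(cfg, "resources", "group", "port-group", ref, "port")
        allowed = {int(p) for p in grp} or ({int(ref)} if ref.isdigit() else set())
        # Only TCP/UDP carry a destination port, hence the page's protocol note.
        if pkt["proto"] not in ("tcp", "udp") or pkt.get("dport") not in allowed:
            return False
    icmp = values(cfg, *rule, "icmp", "group")
    if icmp:
        g = ("resources", "group", "icmp-group", icmp[0])
        # A group may hold names or raw type values; the page shows both forms.
        types = ({ICMP_TYPES[n] for n in values(cfg, *g, "name")}
                 | {int(t) for t in values(cfg, *g, "type")})
        if pkt["proto"] != "icmp" or pkt.get("icmp_type") not in types:
            return False
    return True

def evaluate(cfg, name, pkt):
    """'accept' or 'drop': the lowest-numbered matching rule wins, else default-action."""
    rs = ("security", "firewall", "name", name)
    for num in sorted(children(cfg, *rs, "rule"), key=int):
        rule = rs + ("rule", num)
        if rule_matches(cfg, rule, pkt):
            return values(cfg, *rule, "action")[0]
    return values(cfg, *rs, "default-action")[0]

def rules_missing_protocol(cfg):
    """Config check for the page's note: a destination-port rule needs TCP/UDP."""
    bad = []
    for name in children(cfg, "security", "firewall", "name"):
        rs = ("security", "firewall", "name", name)
        for num in children(cfg, *rs, "rule"):
            rule = rs + ("rule", num)
            if values(cfg, *rule, "destination", "port") and not values(cfg, *rule, "protocol"):
                bad.append((name, num))
    return bad

def check_port_group():
    """Mirror the page's wget checks: port 80 dropped, 1080 and 1081 accepted."""
    cfg = parse_set_commands(COMMANDS)
    return {p: evaluate(cfg, "test_rule", {"proto": "tcp", "dport": p})
            for p in (80, 1080, 1081)}

def check_icmp_group():
    """Mirror the ping and ssh checks: echo types pass, a TCP SSH packet is dropped."""
    cfg = parse_set_commands(COMMANDS)
    pkts = {"echo-request": {"proto": "icmp", "icmp_type": 8},
            "echo-reply": {"proto": "icmp", "icmp_type": 0},
            "ssh": {"proto": "tcp", "dport": 22}}
    return {k: evaluate(cfg, "icmp_rule", v) for k, v in pkts.items()}

if __name__ == "__main__":
    print(check_port_group())    # {80: 'drop', 1080: 'accept', 1081: 'accept'}
    print(check_icmp_group())    # {'echo-request': 'accept', 'echo-reply': 'accept', 'ssh': 'drop'}
    print(rules_missing_protocol(parse_set_commands(COMMANDS)))  # []
```

Running the script reproduces the two operation-check results on the page (80 dropped, 1080/1081 accepted; echo-request/echo-reply accepted, SSH dropped). `rules_missing_protocol` is the kind of pre-commit check worth running over a larger ruleset: a rule that references a port group without a protocol is exactly the case the service group table warns about.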

Operation check result

The verification result log below shows that communications (ping: ICMP echo-request and ICMP echo-reply) forwarded from server “192.168.3.3” in the configuration diagram to “192.168.2.12” succeeded, while other communications were rejected. This confirms that filtering with the ICMP group worked.

#From 192.168.3.3 -> OK

test@web1:~$ ping 192.168.2.12
PING 192.168.2.12 (192.168.2.12) 56(84) bytes of data.
64 bytes from 192.168.2.12: icmp_seq=1 ttl=63 time=3.61 ms
64 bytes from 192.168.2.12: icmp_seq=2 ttl=63 time=1.57 ms
64 bytes from 192.168.2.12: icmp_seq=3 ttl=63 time=1.49 ms
64 bytes from 192.168.2.12: icmp_seq=4 ttl=63 time=1.55 ms
64 bytes from 192.168.2.12: icmp_seq=5 ttl=63 time=1.64 ms
^C
--- 192.168.2.12 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 1.492/1.975/3.617/0.822 ms

#SSH from 192.168.3.3 -> NG

test@web1:~$ ssh -l user 192.168.2.12
^C