Filtering setting for traffic from zone “z2” to another zone “z3”

Operation Confirmed Version:
 Brocade 5600 vRouter Version 4.2R1S1
This section describes the functions needed to set up the Zone-Based Firewall.

What is the Zone-Based Firewall?

In the firewall, a logical area called a “zone” can be created.
By setting the policy needed for traffic transferred from one zone to another, the same policy is applied to every member of the zone (e.g., a network or a group of terminals), without detailed design and settings for each individual interface.

Note

Once a zone is created, the initial setting rejects communications arriving from other zones unless they are explicitly accepted. In the operation-confirmed setting examples below, acceptance and rejection are both configured explicitly.

Presumed case for sample setting

  • Set two zones on the firewall and set a policy for communications between the zones

  • Link a single interface with each zone

  • Reject communications destined to port numbers 80 and 1080 for traffic from the “192.168.2.0” zone to the “192.168.3.0” zone

  • Forward all traffic from the “192.168.3.0” zone to the “192.168.2.0” zone

Configuration diagram
[Figure: zonebasefw Fig3]

Setting flow in a presumed case

1. Create a policy for traffic from z2 to z3 beforehand (filtering setting name: test_rule)
2. Set rule 10, which rejects (drops) packets whose destination port number is 80
3. Set rule 11, which rejects (drops) packets whose destination port number is 1080
4. Set the default action so that packets whose destination port numbers are other than the above are accepted
5. Create a policy for traffic from z3 to z2 beforehand (filtering setting name: all_accept)
6. Set all_accept to accept all communications
7. Create a zone named z2
8. Assign interface dp0s5 to z2
9. Set test_rule as the policy for traffic from z2 to z3
10. Create a zone named z3
11. Assign interface dp0s6 to z3
12. Set all_accept as the policy for traffic from z3 to z2

Note

Once an interface is linked with a zone in order to use the Zone-Based Firewall function, a firewall policy can no longer be set directly on that interface.

Command to be entered with CLI

set security firewall name test_rule default-action 'accept'
set security firewall name test_rule rule 10 action 'drop'
set security firewall name test_rule rule 10 destination port '80'
set security firewall name test_rule rule 10 protocol 'tcp'
set security firewall name test_rule rule 11 action 'drop'
set security firewall name test_rule rule 11 destination port '1080'
set security firewall name test_rule rule 11 protocol 'tcp'
set security firewall name all_accept default-action 'accept'
set security zone-policy zone z2 interface 'dp0s5'
set security zone-policy zone z2 to z3 firewall 'test_rule'
set security zone-policy zone z3 interface 'dp0s6'
set security zone-policy zone z3 to z2 firewall 'all_accept'

Note

To apply (commit) the configuration, the following conditions must be satisfied: the zones have been created and an inter-zone policy has been set. For convenience of the description here, the all_accept setting, which forwards all communications, is used for the return direction.
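To make the filtering semantics of the flow above concrete, the following is an added Python example (not Brocade/Vyatta code). It parses the page's own `set security ...` commands into a small in-memory model and evaluates the flows from the operation check, plus two cases the log does not show: a UDP packet to port 80 (rules 10 and 11 are TCP-only, so it is accepted) and the z3 to z2 direction when its `to` policy line is omitted (dropped, as the Note above states). The assumptions are that rules are evaluated in ascending rule-number order, the first matching rule decides, `default-action` applies when no rule matches, and only traffic between two different zones is modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# The CLI commands from this page, embedded so the example runs offline.
PAGE_COMMANDS = """
set security firewall name test_rule default-action 'accept'
set security firewall name test_rule rule 10 action 'drop'
set security firewall name test_rule rule 10 destination port '80'
set security firewall name test_rule rule 10 protocol 'tcp'
set security firewall name test_rule rule 11 action 'drop'
set security firewall name test_rule rule 11 destination port '1080'
set security firewall name test_rule rule 11 protocol 'tcp'
set security firewall name all_accept default-action 'accept'
set security zone-policy zone z2 interface 'dp0s5'
set security zone-policy zone z2 to z3 firewall 'test_rule'
set security zone-policy zone z3 interface 'dp0s6'
set security zone-policy zone z3 to z2 firewall 'all_accept'
"""


@dataclass
class Rule:
    action: str = "accept"
    protocol: Optional[str] = None   # None = any protocol
    dst_port: Optional[int] = None   # None = any destination port

    def matches(self, proto: str, dport: Optional[int]) -> bool:
        if self.protocol is not None and self.protocol != proto:
            return False
        return self.dst_port is None or self.dst_port == dport


@dataclass
class Firewall:
    default_action: str = "accept"
    rules: Dict[int, Rule] = field(default_factory=dict)   # rule number -> Rule


@dataclass
class ZoneModel:
    firewalls: Dict[str, Firewall] = field(default_factory=dict)
    zone_of: Dict[str, str] = field(default_factory=dict)             # interface -> zone
    policy: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (from, to) -> firewall


def parse_set_commands(text: str) -> ZoneModel:
    """Build the model from `set security ...` lines (quotes are stripped)."""
    model = ZoneModel()
    for line in text.strip().splitlines():
        tok = [t.strip("'") for t in line.split()]
        if tok[:4] == ["set", "security", "firewall", "name"]:
            fw = model.firewalls.setdefault(tok[4], Firewall())
            if tok[5] == "default-action":
                fw.default_action = tok[6]
            elif tok[5] == "rule":
                rule = fw.rules.setdefault(int(tok[6]), Rule())
                if tok[7] == "action":
                    rule.action = tok[8]
                elif tok[7] == "protocol":
                    rule.protocol = tok[8]
                elif tok[7:9] == ["destination", "port"]:
                    rule.dst_port = int(tok[9])
        elif tok[:4] == ["set", "security", "zone-policy", "zone"]:
            zone = tok[4]
            if tok[5] == "interface":
                model.zone_of[tok[6]] = zone
            elif tok[5] == "to" and tok[7] == "firewall":
                model.policy[(zone, tok[6])] = tok[8]
    return model


def verdict(model: ZoneModel, in_if: str, out_if: str,
            proto: str, dport: Optional[int] = None) -> str:
    """Return 'accept' or 'drop' for a flow entering in_if and leaving out_if."""
    src_zone, dst_zone = model.zone_of.get(in_if), model.zone_of.get(out_if)
    if src_zone is None or dst_zone is None or src_zone == dst_zone:
        raise ValueError("only traffic between two different zones is modelled")
    fw_name = model.policy.get((src_zone, dst_zone))
    if fw_name is None:
        return "drop"                    # no inter-zone policy: rejected by default
    fw = model.firewalls[fw_name]
    for number in sorted(fw.rules):      # lowest rule number first, first match wins
        if fw.rules[number].matches(proto, dport):
            return fw.rules[number].action
    return fw.default_action


def page_scenario() -> Dict[str, str]:
    """Replay the flows from the operation check, plus a UDP edge case."""
    m = parse_set_commands(PAGE_COMMANDS)
    return {
        "z2->z3 tcp/80": verdict(m, "dp0s5", "dp0s6", "tcp", 80),
        "z2->z3 tcp/1080": verdict(m, "dp0s5", "dp0s6", "tcp", 1080),
        "z2->z3 tcp/1081": verdict(m, "dp0s5", "dp0s6", "tcp", 1081),
        "z2->z3 icmp (ping)": verdict(m, "dp0s5", "dp0s6", "icmp"),
        "z2->z3 udp/80": verdict(m, "dp0s5", "dp0s6", "udp", 80),   # rules are tcp-only
        "z3->z2 tcp/80": verdict(m, "dp0s6", "dp0s5", "tcp", 80),
    }


def without_return_policy() -> str:
    """Same commands minus the 'zone z3 to z2' line: z3->z2 falls back to drop."""
    trimmed = "\n".join(l for l in PAGE_COMMANDS.splitlines() if "zone z3 to z2" not in l)
    return verdict(parse_set_commands(trimmed), "dp0s6", "dp0s5", "tcp", 80)


if __name__ == "__main__":
    for flow, result in page_scenario().items():
        print(f"{flow:20} -> {result}")
    print("z3->z2, no policy    ->", without_return_policy())
```

The UDP case is worth noticing when reviewing such a policy: because rules 10 and 11 carry `protocol 'tcp'`, only TCP to ports 80 and 1080 is dropped, and the `default-action accept` lets everything else from z2 to z3 through.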

After the settings above are completed, the configuration is as follows.
interfaces {
        dataplane dp0s4 {
                address 192.168.1.50/24
        }
        dataplane dp0s5 {
                address 192.168.2.50/24
        }
        dataplane dp0s6 {
                address 192.168.3.5/24
        }
}
security {
        firewall {
                name all_accept {
                        default-action accept
                }
                name test_rule {
                        default-action accept
                        rule 10 {
                                action drop
                                destination {
                                        port 80
                                }
                                protocol tcp
                        }
                        rule 11 {
                                action drop
                                destination {
                                        port 1080
                                }
                                protocol tcp
                        }
                }
        }
        zone-policy {
                zone z2 {
                        interface dp0s5
                        to z3 {
                                firewall test_rule
                        }
                }
                zone z3 {
                        interface dp0s6
                        to z2 {
                                firewall all_accept
                        }
                }
        }
}

Operation check result

The verification log below shows that communications (ping) from server “192.168.2.6” in the configuration diagram to “192.168.3.3” succeeded.
Communications to 192.168.3.3 on port number 80 and on port number 1080 failed,
but communications to 192.168.3.3 on port number 1081 succeeded,
which confirms that the Zone-Based Firewall function worked.
#port80

test@ubu01:~$ wget -O - http://192.168.3.3/ > /dev/null
--2016-08-01 15:50:08--  http://192.168.3.3/
Connecting to 192.168.3.3:80

#port1080

test@ubu01:~$ wget -O - http://192.168.3.3:1080/ > /dev/null
--2016-08-01 15:50:16--  http://192.168.3.3:1080/
Connecting to 192.168.3.3:1080 ... ^C

#port1081

test@ubu01:~$ wget -O - http://192.168.3.3:1081/ > /dev/null
--2016-08-01 15:50:21--  http://192.168.3.3:1081/
Connecting to 192.168.3.3:1081
200 OK
Length: 616 [text/html]
`STDOUT' saved

100%[========================================================================================================================================================================================================>] 616         --.-K/s   Time 0s

2016-08-01 15:50:21 (168 MB/s) - stdout saved [616/616]