Configuration Guide 5991-2119, April 2005
61195880L1-29.1B Printed in the USA
IP Firewall
Packet Filtering using Access Control Policies and Lists
This Configuration Guide is designed to provide you with a basic understanding of the concepts behind configuring your ProCurve Secure Router Operating System (SROS) product for IP firewall protection. For detailed information regarding specific command syntax, refer to the SROS Command Line Interface Reference Guide on your ProCurve SROS Documentation CD.
This guide consists of the following sections:
• Understanding IP Firewall Protection on page 2
• Configuring Your Secure Router on page 8
• Verifying Your Configuration Using Show Commands on page 17
• Managing Event Messages on page 19
Understanding IP Firewall Protection
Use the ip firewall command to enable SROS security features including access control policies (ACPs) and access control lists (ACLs), network address translation (NAT), and the stateful inspection firewall. Use the no form of this command to disable the security functionality.
Refer to the following sections for more information on the functionality enabled by this command:
• Firewall processing for all interfaces (refer to Firewall Processing on page 2)
• Network address translation (NAT) capabilities (refer to NAT on page 4)
• Stateful inspection firewall (refer to Stateful Policies versus Stateless Policies on page 5)
• Network traffic management when used in conjunction with ACLs and ACPs (refer to ACLs and ACPs on page 6)
Firewall Processing
Firewall processing protects the network by blocking attacks, filtering sessions from unrecognized origins, and monitoring session activity. The sections which follow describe this functionality in more detail.
Attack Protection
Detects and discards traffic that matches profiles of known networking exploits or attacks. Use the ip firewall command to enable firewall attack protection. The SROS blocks traffic matching patterns of known networking exploits from traveling through the device. Some of these attack checks may be manually disabled, while others are always on whenever the firewall is enabled.
Table 1 on page 3 outlines the types of traffic discarded by the firewall. Many attacks use similar invalid traffic patterns; therefore, attacks other than the examples listed in the table may also be blocked by the firewall.
Table 1. Traffic Blocked by Firewall Attack Protection Engine
(Columns: Invalid Traffic Pattern / SROS Firewall Response / Common Attacks)

Larger than allowed packets
  Response: Any packets that are longer than those defined by standards will be dropped.
  Common attacks: Ping of Death

Fragmented IP packets that produce errors when attempting to reassemble
  Response: The firewall intercepts all fragments for an IP packet and attempts to reassemble them before forwarding to the destination. If any problems or errors are found during reassembly, the fragments are dropped.
  Common attacks: SynDrop, TearDrop, OpenTear, Nestea, Targa, Newtear, Bonk, Boink

Smurf Attack
  Response: The firewall drops any ping responses that are not part of an active session.
  Common attacks: Smurf Attack

IP Spoofing
  Response: The firewall drops any packets with a source IP address that appears to be spoofed. The IP route table is used to determine if a path to the source address is known (out of the interface from which the packet was received). For example, if a packet with a source IP address of 10.10.10.1 is received on interface fr 1.16 and no route to 10.10.10.1 (through interface fr 1.16) exists in the route table, the packet is dropped.
  Common attacks: IP Spoofing

ICMP Control Message Floods and Attacks
  Response: The following types of ICMP packets are allowed through the firewall: echo, echo-reply, TTL expired, dest unreachable, and quench. These ICMP messages are only allowed if they appear to be in response to a valid session. All others are discarded.
  Common attacks: Twinge

Attacks that send TCP URG packets
  Response: Any TCP packets that have the URG flag set are discarded by the firewall.
  Common attacks: Winnuke, TCP XMAS Scan

Falsified IP Header Attacks
  Response: The firewall verifies that the packet's actual length matches the length indicated in the IP header. If it does not, the packet is dropped.
  Common attacks: Jolt/Jolt2

Echo
  Response: All UDP echo packets are discarded by the firewall.
  Common attacks: Char Gen

Land Attack
  Response: Any packets with the same source and destination IP addresses are discarded.
  Common attacks: Land Attack

Broadcast Source IP
  Response: Packets with a broadcast source IP address are discarded.

Invalid TCP Initiation Requests
  Response: TCP SYN packets that have the ack, urg, rst, or fin flags set are discarded.

Invalid TCP Segment Number
  Response: The sequence numbers for every active TCP session are maintained in the firewall session database. If the firewall receives a segment with an unexpected (or invalid) sequence number, the packet is dropped.

IP Source Route Option
  Response: All IP packets containing the IP source route option are dropped.
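The IP spoofing check in Table 1 can be modelled as a reverse-path lookup against the route table. The Python below is an added illustration, not SROS code: its route table, interface names and addresses are constructed, and it reuses the guide's own case of a packet from 10.10.10.1 arriving on interface fr 1.16.

```python
import ipaddress

# Constructed route table for the example (interface names and prefixes are
# made up): the most specific matching prefix wins, as in a normal route lookup.
ROUTES = [
    ("0.0.0.0/0", "ppp 1"),          # default route toward the Internet
    ("10.10.0.0/16", "fr 1.16"),     # remote site reached over Frame Relay
    ("10.10.10.0/24", "eth 0/1"),    # more specific: 10.10.10.x is on the LAN
    ("192.168.0.0/24", "eth 0/1"),
]

def lookup_egress(route_table, address):
    """Longest-prefix match: the interface a packet *to* `address` would leave by,
    or None when the table holds no route to it."""
    ip = ipaddress.IPv4Address(address)
    best = None
    for prefix, iface in route_table:
        net = ipaddress.IPv4Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def is_spoofed(route_table, ingress_iface, src):
    """The Table 1 rule: drop when the route back to the source address does not
    point out of the interface the packet arrived on (or when no route exists)."""
    return lookup_egress(route_table, src) != ingress_iface

def filter_packets(route_table, packets):
    """Split (ingress_iface, src) pairs into accepted and dropped lists."""
    accepted, dropped = [], []
    for ingress, src in packets:
        bucket = dropped if is_spoofed(route_table, ingress, src) else accepted
        bucket.append((ingress, src))
    return accepted, dropped
```

The rule assumes symmetric routing: where a legitimate source can arrive on an interface other than the one the route table points to, this check drops valid traffic, so the route table should be reviewed before relying on it.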
Session Initiation Control
Session initiation controls allow only sessions that match traffic patterns permitted by ACPs to be initiated through the router.
Ongoing Session Monitoring and Processing
The SROS continues monitoring session activity as described below:
• Each session that has been allowed through the router is monitored for any irregularities that match patterns of known attacks or exploits. Offending traffic is dropped.
• If NAT is configured, the firewall modifies all traffic associated with the session according to the translation rules defined in NAT ACPs.
• If sessions are inactive for a user-specified amount of time, the session is closed by the firewall.
Application-Specific Processing
Certain applications need special handling to work correctly in the presence of a firewall. SROS uses Application-level Gateways (ALGs) for these applications. ALGs understand protocols that do not integrate easily with NAT or firewalls, and create the associations that allow those protocols to work transparently.
For example, the FTP ALG will not only create the associations to allow the control session (using TCP Port 21) to pass data, but will also create associations to allow the server-initiated data sessions to work (using TCP Port 20). This allows FTP clients to pass through the SROS firewall and ACPs without using passive mode. The SROS firewall includes ALGs for handling the following applications and protocols:
• AOL Instant Messenger
• VPN ALGs: ESP and IKE
• FTP
• H.323: H.245, Q.931, ASN1 PER decoding and encoding
• ICQ
• IRC
• Microsoft Games
• Net2Phone
• PPTP
• Quake
• Real-Time Streaming Protocol
• SMTP
• HTTP
NAT
Network Address Translation (NAT) is an Internet Engineering Task Force (IETF) standard method of preserving Internet address space. Additionally, it can be used to hide the structure of server farms behind a router in order to provide bandwidth sharing to Web, FTP, and application servers. Details on NAT configuration are beyond the scope of this document. For more information, refer to the SROS Command Line Interface Reference Guide on your ProCurve SROS Documentation CD. This document is also available on the ProCurve Networking Web site (www.procurve.com).
Stateful Policies versus Stateless Policies
The SROS unit acts as an ALG and employs a stateful inspection firewall that protects an organization's network from common cyber attacks including TCP SYN-flooding, IP spoofing, ICMP redirect, land attacks, ping-of-death, and IP reassembly problems.
It is important to point out the differences between the operation of SROS stateful policies and stateless filters. For example, consider an application where a host located behind a firewall device initiates an outbound session to a server on the Internet. If the firewall is configured to use stateless filters, two or more filters must be defined to do the following:
• Allow the outbound traffic from the host to the Internet
• Allow inbound traffic (responses from the initiated session)
Typically, the inbound filter list needs to reject sessions initiated from the Internet, while allowing other responses to sessions initiated from the private network. Because the filter lists have no knowledge of the state of the session (sequence numbers, inactivity time, etc.), there is a possibility that an attacker will be able to “fool” the configured filter lists and direct malicious traffic through the firewall.
With stateful policies, however, a single policy is configured that permits the traffic from the host to be initiated to the Internet. The SROS stateful inspection firewall creates an association for this session and stores it in an internal database. When the server on the Internet sends a response back to the host, the SROS stateful inspection firewall recognizes that this traffic is associated with an allowed session and permits the traffic. Since the firewall has detailed knowledge about the current state of every session flowing through the device, it is much more difficult for an attacker to generate traffic that is not blocked by the firewall.
Session filtering based on inactivity may sometimes occur sooner than is desirable. Use the ip policy-timeout command to customize timeout intervals for protocols (TCP, UDP, ICMP) or specific services (by listing the particular port number). The default timeout for TCP protocols is 600 seconds, UDP protocols is 60 seconds, and ICMP is 60 seconds.
The following example creates customized policy timeouts for the following:
• WWW (Internet traffic using TCP Port 80): timeout 24 hours (86,400 seconds)
• Telnet (TCP Port 23): timeout 20 minutes (1200 seconds)
• FTP (TCP Port 21): timeout 5 minutes (300 seconds)
• All other TCP services: timeout 8 minutes (480 seconds)
(config)# ip policy-timeout tcp www 86400
(config)# ip policy-timeout tcp telnet 1200
(config)# ip policy-timeout tcp ftp 300
(config)# ip policy-timeout tcp all_ports 480
ACLs and ACPs
ACLs and ACPs regulate traffic through the routed network. When designing your traffic flow configuration, it is important to keep the following in mind:
• An ACL is inactive until it is assigned to an active ACP.
• An ACP is inactive until it is assigned to an interface.
Figure 1 illustrates the steps necessary for activating ACLs and ACPs.
Figure 1. Activating ACLs and ACPs
Access Control Lists (ACLs)
ACLs are used as packet selectors by ACPs. They must be assigned to an ACP in order to be active. ACLs are composed of an ordered list of entries. Each entry contains two parts: an action (permit or deny) and a packet pattern. A permit ACL is used to permit packets (meeting the specified pattern) to enter the router system. A deny ACL advances the SROS to the next ACP entry. The SROS provides two types of ACLs: standard and extended. Standard ACLs allow source IP address packet patterns only. Extended ACLs may specify patterns using most fields in the IP header and the TCP or UDP header.
Access Control Policies (ACPs)
ACPs are used to allow, discard, or manipulate (using NAT) data for each physical interface. Each ACP consists of a selector (i.e., an ACL) and an action (allow, discard, NAT). When packets are received on an interface, the configured ACPs are applied to determine whether the data is processed or discarded.
Both ACLs and ACPs are order-dependent. When a packet is evaluated, the matching engine begins with the first entry in the list and progresses through the entries until it finds a match. The first entry that matches is executed. They both have an implicit deny at the end of the list. Typically, the most specific entries should be at the top and the most general at the bottom.
Figure 1 (text rendering): ACL -> ACP -> Interface
1. Create an ACL and define permissions:
   (config)#ip access-list standard MATCHALL
   (config-std-nacl)#permit any
2. Create an ACP and assign the ACL to it:
   (config)#ip policy-class TRUSTED
   (config-policy-class)#allow list MATCHALL
3. Assign the ACP to an interface:
   (config)#interface eth 0/1
   (config-eth 0/1)#access-policy TRUSTED
Packet Flow
The Packet Flow section describes how packets are processed in several possible scenarios of ACP configuration.
Scenario 1: Packets traveling from an interface with an assigned ACP to any other interface
ACPs are applied when packets are received on an interface. If an interface has no assigned ACP, the interface allows all received traffic to pass through by default. If an interface has an assigned ACP, but the firewall has not been enabled with the ip firewall command, traffic flows normally from this interface with no ACP processing.
Scenario 2: Packets traveling in and out of a single interface with an assigned ACP
These packets are processed through the ACPs as if they were destined for another interface (identical to Scenario 1). Again, note that the ip firewall command must be enabled for ACP processing to take place.
Scenario 3: Packets traveling from an interface without an assigned ACP to an interface with an assigned ACP
These packets are routed normally and are not processed by the ACP.
Scenario 4: Packets traveling from an interface without an assigned ACP to another interface without an assigned ACP
This traffic is routed normally. The ip firewall command has no effect on this traffic other than to prevent attacks entering the interface.
Packet flow diagram (text rendering): Packet In -> Interface -> Association List -> Access Control Policies (permit, deny, NAT) -> Route Lookup -> Packet Out. If there is a session hit, or no ACP is configured on the interface, the Access Control Policies stage is skipped and the packet goes straight to Route Lookup.
Configuring Your Secure Router
The remainder of this document provides examples designed to clarify the use of access policies. The following section, Creating and Assigning ACLs and ACPs on page 8, gives an overview of the four basic steps necessary when creating ACLs and ACPs.
Creating and Assigning ACLs and ACPs
Creating ACLs and ACPs to regulate traffic through the routed network requires four steps:
Step 1
Enable the security features of the SROS using the ip firewall command.
Step 2
Create an ACL (using the ip access-list command) and configure it to permit or deny specified traffic. Standard ACLs provide pattern matching for source IP addresses only. (Use extended ACLs for more flexible pattern matching.) IP addresses can be expressed in one of three ways:
• Using the keyword any to match any IP address.
• Using host <A.B.C.D> to specify a single host address. For example, entering permit host 196.173.22.253 allows all traffic from the host with an IP address of 196.173.22.253.
• Using the <A.B.C.D> <wildcard> format to match all IP addresses in a range. Wildcard masks work in reverse logic from a subnet mask: a one bit in the wildcard mask equates to a "don't care." For example, entering permit 192.168.0.0 0.0.0.255 permits all traffic from the 192.168.0.0/24 network.
Step 3
Create an ACP using the ip policy-class command. Possible actions performed by the ACP are as follows:
• allow list <ACL names>
  All packets passed by the ACL(s) entered are allowed to enter the router system.
• discard list <ACL names>
  All packets passed by the ACL(s) entered are dropped from the router system.
• allow list <ACL names> policy <ACP name>
  All packets passed by the ACL(s) entered and destined for the interface using the ACP listed are permitted to enter the router system. This allows for configurations to permit packets to a single interface and not the entire system.
• discard list <ACL names> policy <ACP name>
  All packets passed by the ACL(s) entered and destined for the interface using the ACP listed are blocked from the router system. This allows for configurations to deny packets on a specified interface.
• nat source list <ACL names> address <IP address> overload
  All packets passed by the ACL(s) entered are modified to replace the source IP address with the entered IP address. The overload keyword allows multiple source IP addresses to be replaced with the single IP address entered. This hides private IP addresses from outside the local network.
Warning Before applying an ACP to an interface, verify your Telnet connection will not be affected by the policy. If a policy is applied to the interface you are connecting through and it does not allow Telnet traffic, your connection will be lost.
• nat source list <ACL names> interface <interface> overload
  All packets passed by the ACL(s) entered are modified to replace the source IP address with the primary IP address of the listed interface. The overload keyword allows multiple source IP addresses to be replaced with the single IP address of the specified interface. This hides private IP addresses from outside the local network.
• nat destination list <ACL names> address <IP address>
  All packets passed by the ACL(s) entered are modified to replace the destination IP address with the entered IP address. The overload keyword is not an option when performing NAT on the destination IP address. Each private address must have a unique public address. This hides private IP addresses from outside the local network.
Step 4
Apply the ACP to an interface. To do this, enter access-policy <policy name> while in the desired interface's configuration mode. The following example assigns access policy MATCHALL to the Ethernet 0/1 interface:
(config)# interface ethernet 0/1
(config-eth 0/1)# access-policy MATCHALL
Configuration Examples
To illustrate these basic steps, the following configurations are given in detail as examples:
• Outbound Internet Access on page 10
  – Step-by-Step Configuration: Outbound Internet Access on page 10
  – Sample Script on page 11
• Inbound Internet Access on page 12
  – Step-by-Step Configuration: Inbound Internet Access on page 12
  – Sample Script on page 13
• Network Address Translation (NAT) on the WAN Interface on page 14
  – Step-by-Step Configuration: NAT on the WAN Interface on page 14
  – Sample Script on page 16
The first example demonstrates the router configuration for a simple network that allows the LAN to get to the Internet, but blocks unwanted traffic from the Internet. The second example shows how to modify the same configuration to allow traffic to a web server from the Internet. The third example explains how to further modify the configuration to perform NAT from the Internet.
Configuration steps for each example are provided in the tables which follow the configuration descriptions. You can follow the given steps by entering the command text shown in bold (modifying as needed for your application).
Note: These examples are given for your study and consideration only. They are to help you reach a better understanding of the fundamental concepts before configuring your own application. It will be necessary for you to modify these examples to match your own network's configuration.
Use the sample scripts in this section as a shortcut to configuring your unit. Use the text tool in Adobe Acrobat to select and copy the scripts, paste them into any text editing program, modify as needed, and then paste them directly into your SROS command line.
Example 1: Outbound Internet Access
This is a simple network configuration using public IP addresses on the LAN. This configuration allows the LAN traffic to reach the Internet, but does not allow traffic from the Internet to reach the LAN (unless it matches the outbound sessions already created).
Table 2. Step-by-Step Configuration: Outbound Internet Access

Step 1. Enter Enable Security mode.
    >enable
Step 2. Enter Global Configuration mode.
    #configure terminal
Step 3. Enable IP firewall functionality.
    (config)#ip firewall
Step 4. Create the ACL MATCHALL and enter the standard ACL command set.
    (config)#ip access-list standard MATCHALL
Step 5. Configure this ACL to permit all packets.
    (config-std-nacl)#permit any
Step 6. Exit to Global Configuration mode.
    (config-std-nacl)#exit
Step 7. Add a default route to the route table.
    (config)#ip route 0.0.0.0 0.0.0.0 63.12.1.1
Step 8. Create the ACP TRUSTED and enter its access control policy command set.
    (config)#ip policy-class TRUSTED
Step 9. Configure this ACP to allow any traffic that matches the ACL MATCHALL to enter the router system.
    (config-policy-class)#allow list MATCHALL
Step 10. Exit to Global Configuration mode.
    (config-policy-class)#exit
Step 11. Create the ACP UNTRUSTED and enter its access control policy command set.
    (config)#ip policy-class UNTRUSTED
Step 12. Configure this ACP to discard any traffic that matches the ACL MATCHALL.
    (config-policy-class)#discard list MATCHALL
Step 13. Exit to Global Configuration mode.
    (config-policy-class)#exit
Step 14. Access configuration parameters for the Ethernet port.
    (config)#interface eth 0/1
Step 15. Assign an IP address and subnet mask to the Ethernet port.
    (config-eth 0/1)#ip address 63.12.5.254 255.255.255.0
Step 16. Apply the ACP TRUSTED to the Ethernet port.
    (config-eth 0/1)#access-policy TRUSTED
    Note: Since the ACP TRUSTED allows anything matching ACL MATCHALL (and MATCHALL permits any traffic), all incoming packets to this interface will be allowed by this ACP.
Step 17. Exit to Global Configuration mode.
    (config-eth 0/1)#exit
Step 18. Access configuration parameters for the PPP interface.
    (config)#interface ppp 1
Step 19. Assign an IP address and subnet mask to the WAN interface.
    (config-ppp 1)#ip address 63.12.1.2 255.255.255.248
Step 20. Apply the ACP UNTRUSTED to the WAN interface.
    (config-ppp 1)#access-policy UNTRUSTED
    Note: Since the ACP UNTRUSTED discards anything matching ACL MATCHALL (and MATCHALL permits any traffic), all incoming packets to this interface will be discarded by this ACP.
Step 21. Exit to Global Configuration mode.
    (config-ppp 1)#exit

Sample Script

!
ip firewall
ip route 0.0.0.0 0.0.0.0 63.12.1.1
ip access-list standard MATCHALL
 permit any
! - Create the Access-List "MATCHALL".
! - Permit any IP address.
!
ip policy-class TRUSTED
 allow list MATCHALL
! - Create the Policy-Class "TRUSTED".
! - For any interface using Policy-Class "TRUSTED" allow Access-List "MATCHALL".
! - Since the Policy-Class "TRUSTED" allows anything matching Access-List "MATCHALL"
! - and "MATCHALL" permits "Any", any incoming packets will be allowed by this
! - Policy-Class.
ip policy-class UNTRUSTED
 discard list MATCHALL
! - Create the Policy-Class "UNTRUSTED".
! - For any interface using Policy-Class "UNTRUSTED" discard Access-List "MATCHALL".
!
interface eth 0/1
 ip address 63.12.5.254 255.255.255.0
 access-policy TRUSTED
! - Apply the Policy-Class "TRUSTED" to the Ethernet interface.
!
interface ppp 1
 ip address 63.12.1.2 255.255.255.248
 access-policy UNTRUSTED
! - Apply the Policy-Class "UNTRUSTED" to the WAN interface.
! - Since the Policy-Class "UNTRUSTED" discards anything matching Access-List "MATCHALL"
! - and "MATCHALL" permits "Any", any incoming packets will be discarded by this
! - Policy-Class.
Example 2: Inbound Internet Access
This example is a simple network configuration using public IP addresses on the LAN. This configuration allows outbound access to the Internet and inbound access to the web server. This configuration is similar to the previous example (all changes are shown in bold text in the Sample Script on page 13).
Table 3. Step-by-Step Configuration: Inbound Internet Access

Step 1. Enter Enable Security mode.
    >enable
Step 2. Enter Global Configuration mode.
    #configure terminal
Step 3. Enable IP firewall functionality.
    (config)#ip firewall
Step 4. Create the ACL MATCHALL and enter the standard ACL command set.
    (config)#ip access-list standard MATCHALL
Step 5. Configure this ACL to permit all packets.
    (config-std-nacl)#permit any
Step 6. Exit to Global Configuration mode.
    (config-std-nacl)#exit
Step 7. Create the extended ACL INWEB and enter the extended access-list command set.
    (config)#ip access-list extended INWEB
Step 8. Permit any TCP traffic with a destination address of 63.12.5.253 and a destination port of 80 (HTTP).
    (config-ext-nacl)#permit tcp any host 63.12.5.253 eq 80
Step 9. Add a default route to the route table.
    (config)#ip route 0.0.0.0 0.0.0.0 63.12.1.1
Step 10. Create the ACP TRUSTED and enter its access control policy command set.
    (config)#ip policy-class TRUSTED
Step 11. Configure this ACP to allow any traffic that matches the ACL MATCHALL to enter the router system.
    (config-policy-class)#allow list MATCHALL
Step 12. Exit to Global Configuration mode.
    (config-policy-class)#exit
Step 13. Create the ACP UNTRUSTED and enter its access control policy command set.
    (config)#ip policy-class UNTRUSTED
Step 14. Configure this ACP to allow any traffic that matches the ACL INWEB to enter the router system.
    (config-policy-class)#allow list INWEB
Step 15. Configure this ACP to discard any traffic that matches the ACL MATCHALL.
    (config-policy-class)#discard list MATCHALL
    Note: The ACP UNTRUSTED will now allow packets matching ACL INWEB (prior to discarding incoming packets matching the ACL MATCHALL).
Step 16. Exit to Global Configuration mode.
    (config-policy-class)#exit
Step 17. Access configuration parameters for the Ethernet port.
    (config)#interface eth 0/1
Step 18. Assign an IP address and subnet mask to the Ethernet port.
    (config-eth 0/1)#ip address 63.12.5.254 255.255.255.0
Step 19. Apply the ACP TRUSTED to the Ethernet port.
    (config-eth 0/1)#access-policy TRUSTED
    Note: Since the ACP TRUSTED allows anything matching ACL MATCHALL (and MATCHALL permits any traffic), all incoming packets to this interface will be allowed by this ACP.
Step 20. Exit to Global Configuration mode.
    (config-eth 0/1)#exit
Step 21. Access configuration parameters for the PPP interface.
    (config)#interface ppp 1
Step 22. Assign an IP address and subnet mask to the WAN interface.
    (config-ppp 1)#ip address 63.12.1.2 255.255.255.248
Step 23. Apply the ACP UNTRUSTED to the WAN interface.
    (config-ppp 1)#access-policy UNTRUSTED
    Note: Since the ACP UNTRUSTED discards anything matching ACL MATCHALL (and MATCHALL permits any traffic), all incoming packets to this interface will be discarded by this ACP.
Step 24. Exit to Global Configuration mode.
    (config-ppp 1)#exit

Sample Script

!
ip firewall
ip access-list standard MATCHALL
 permit any
!
ip access-list extended INWEB
 permit tcp any host 63.12.5.253 eq 80
! - Create Extended Access-List "INWEB".
! - Permit any TCP traffic with a destination address of 63.12.5.253 and a destination port of 80 (HTTP).
!
ip route 0.0.0.0 0.0.0.0 63.12.1.1
!
ip policy-class TRUSTED
 allow list MATCHALL
!
ip policy-class UNTRUSTED
 allow list INWEB
 discard list MATCHALL
! - Allow any traffic that matches Access-List "INWEB",
! - before discarding any traffic that matches Access-List "MATCHALL".
!
interface eth 0/1
 ip address 63.12.5.254 255.255.255.0
 access-policy TRUSTED
!
interface ppp 1
 ip address 63.12.1.2 255.255.255.248
 access-policy UNTRUSTED
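The four-step procedure in Creating and Assigning ACLs and ACPs and the Example 2 configuration above can be checked against a small model of the evaluation rules this guide describes. The Python below is an added example, not SROS code: it implements first-match ACL lookup with wildcard masks, the ACP walk in which a deny (or no match) in an ACL advances to the next ACP entry, the implicit discard at the end of an ACP, and the session hit that bypasses the ACP; it loads the INWEB/MATCHALL and TRUSTED/UNTRUSTED configuration of Example 2 and feeds it constructed packets.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model (added example, not SROS code) of the rules this guide states:
# first matching ACL entry decides; a deny or no match in an ACL advances to the
# next ACP entry; every ACP ends in an implicit discard; session hits skip the ACP.
@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard masks are the reverse of subnet masks: a 1 bit means 'don't care'."""
    a, b = (int(ipaddress.IPv4Address(x)) for x in (addr, base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def _addr_match(spec: tuple, addr: str) -> bool:
    """spec mirrors ACL syntax: ("any",), ("host", ip) or (base, wildcard)."""
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return spec[1] == addr
    return wildcard_match(addr, spec[0], spec[1])

@dataclass
class AclEntry:
    action: str                  # "permit" or "deny"
    src: tuple
    proto: str = "ip"            # "ip" matches any protocol (standard ACL)
    dst: tuple = ("any",)
    dport: Optional[int] = None  # "eq <port>" on an extended ACL

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and _addr_match(self.src, p.src)
                and _addr_match(self.dst, p.dst)
                and (self.dport is None or self.dport == p.dport))

def acl_permits(acl: list, p: Packet) -> bool:
    """First matching entry wins; no match is an implicit deny."""
    for entry in acl:
        if entry.matches(p):
            return entry.action == "permit"
    return False

def acp_action(acp: list, acls: dict, p: Packet) -> str:
    """Walk ("allow"|"discard", acl_name) entries in order: a deny in the selected
    ACL does not drop the packet, it just moves on to the next ACP entry."""
    for action, acl_name in acp:
        if acl_permits(acls[acl_name], p):
            return action
    return "discard"             # implicit deny at the end of every ACP

class Firewall:
    """Applies the ingress interface's ACP and remembers allowed sessions so the
    reply direction is admitted on a session hit without ACP processing."""
    def __init__(self, acls: dict, policies: dict, iface_policy: dict):
        self.acls, self.policies, self.iface_policy = acls, policies, iface_policy
        self.sessions: set = set()

    def process(self, iface: str, p: Packet) -> str:
        forward = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if forward in self.sessions or reverse in self.sessions:
            return "allow"       # session hit: the ACP is skipped
        policy = self.iface_policy.get(iface)
        if policy is None:
            return "allow"       # no ACP on this interface: routed normally
        verdict = acp_action(self.policies[policy], self.acls, p)
        if verdict == "allow":
            self.sessions.add(forward)
        return verdict

# Example 2 of this guide: TRUSTED (eth 0/1) allows everything from the LAN;
# UNTRUSTED (ppp 1) allows only TCP/80 to 63.12.5.253 and discards the rest.
ACLS = {
    "MATCHALL": [AclEntry("permit", ("any",))],
    "INWEB": [AclEntry("permit", ("any",), "tcp", ("host", "63.12.5.253"), 80)],
}
POLICIES = {
    "TRUSTED": [("allow", "MATCHALL")],
    "UNTRUSTED": [("allow", "INWEB"), ("discard", "MATCHALL")],
}
IFACES = {"eth 0/1": "TRUSTED", "ppp 1": "UNTRUSTED"}

def demo() -> dict:
    # Constructed packets: 198.51.100.7 is an Internet host, 63.12.5.10 a LAN host.
    fw = Firewall(ACLS, POLICIES, IFACES)
    return {
        "web_in":   fw.process("ppp 1",   Packet("tcp", "198.51.100.7", "63.12.5.253", 40000, 80)),
        "ssh_in":   fw.process("ppp 1",   Packet("tcp", "198.51.100.7", "63.12.5.253", 40001, 22)),
        "lan_out":  fw.process("eth 0/1", Packet("tcp", "63.12.5.10", "198.51.100.7", 50000, 443)),
        "reply_in": fw.process("ppp 1",   Packet("tcp", "198.51.100.7", "63.12.5.10", 443, 50000)),
    }
```

Reordering the UNTRUSTED entries so that discard list MATCHALL comes first would discard the web traffic too, which is the order dependence the guide warns about.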
Example 3: Network Address Translation (NAT) on the WAN Interface
This example is a simple network using private IP addresses on the LAN and providing NAT on the WAN interface to the Internet. The configuration allows the LAN traffic to reach the Internet by performing NAT. Traffic from the Internet is discarded unless it matches the outbound sessions already created (or has a destination address and port that match the web server). Changes to the previous configuration are shown in bold text in the Sample Script on page 16.
Table 4. Step-by-Step Configuration: NAT on the WAN Interface

Step 1. Enter Enable Security mode.
    >enable
Step 2. Enter Global Configuration mode.
    #configure terminal
Step 3. Enable IP firewall functionality.
    (config)#ip firewall
Step 4. Create the ACL MATCHALL and enter the standard access-list command set.
    (config)#ip access-list standard MATCHALL
Step 5. Permit all packets through the configured ACL.
    (config-std-nacl)#permit any
Step 6. Exit to Global Configuration mode.
    (config-std-nacl)#exit
Step 7. Create the extended ACL INWEB and enter the extended access-list command set.
    (config)#ip access-list extended INWEB
Step 8. Permit any TCP traffic with a destination address of 63.12.1.3 and a destination port of 80 (HTTP).
    (config-ext-nacl)#permit tcp any host 63.12.1.2 eq 80
Step 9. Add a default route to the route table.
    (config)#ip route 0.0.0.0 0.0.0.0 63.12.1.1
Step 10. Create the ACP TRUSTED and enter its ACP command set.
    (config)#ip policy-class TRUSTED
Step 11. Enable NAT for traffic that matches the ACL MATCHALL and change the source address to 63.12.1.2.
    (config-policy-class)#nat source list MATCHALL address 63.12.1.2 overload
Step 12. Exit to Global Configuration mode.
    (config-policy-class)#exit
Step 13. Create the ACP UNTRUSTED and enter its ACP command set.
    (config)#ip policy-class UNTRUSTED
Step 14. Enable NAT for traffic that matches the ACL INWEB and change the destination address to 192.168.0.253.
    (config-policy-class)#nat destination list INWEB address 192.168.0.253
Step 15. Configure this ACP to discard any traffic that matches the ACL MATCHALL.
    (config-policy-class)#discard list MATCHALL
Step 16. Exit to Global Configuration mode.
    (config-policy-class)#exit
Step 17. Access configuration parameters for the Ethernet port.
    (config)#interface eth 0/1
Step 18. Assign an IP address and subnet mask to the Ethernet port.
    (config-eth 0/1)#ip address 192.168.0.254 255.255.255.0
Step 19. Apply the ACP TRUSTED to the Ethernet port.
    (config-eth 0/1)#access-policy TRUSTED
    Note: Since the ACP TRUSTED allows anything matching ACL MATCHALL (and MATCHALL permits any traffic), all incoming packets to this interface will be allowed by this ACP.
Step 20. Exit to Global Configuration mode.
    (config-eth 0/1)#exit
Step 21. Access configuration parameters for the PPP interface.
    (config)#interface ppp 1
Step 22. Assign an IP address and subnet mask to the PPP interface.
    (config-ppp 1)#ip address 63.12.1.2 255.255.255.248
Step 23. Apply the ACP UNTRUSTED to the WAN interface.
    (config-ppp 1)#access-policy UNTRUSTED
    Note: Since the ACP UNTRUSTED discards anything matching ACL MATCHALL (and MATCHALL permits any traffic), all incoming packets to this interface will be discarded by this ACP.
Step 24. Exit to Global Configuration mode.
    (config-ppp 1)#exit

Sample Script

!
ip firewall
!
ip access-list extended INWEB
 permit tcp any host 63.12.1.3 eq 80
! - Create Extended Access-List "INWEB".
! - Allow any TCP traffic with a destination address of 63.12.1.3 and a destination port of 80 (HTTP).
!
ip route 0.0.0.0 0.0.0.0 63.12.1.1
!
ip policy-class TRUSTED
 nat source list MATCHALL address 63.12.1.2 overload
! - Enable NAT for traffic that matches Access-List "MATCHALL" and change
! - the source address to 63.12.1.2.
ip policy-class UNTRUSTED
 nat destination list INWEB address 192.168.0.253
 discard list MATCHALL
! - Enable NAT for traffic that matches Access-List "INWEB" and change
! - the destination address to 192.168.0.253.
!
ip access-list standard MATCHALL
 permit any
interface eth 0/1
 ip address 192.168.0.254 255.255.255.0
 access-policy TRUSTED
! - The IP address is changed to the private address scheme.
!
interface ppp 1
 ip address 63.12.1.2 255.255.255.248
 access-policy UNTRUSTED
Verifying Your Configuration Using Show Commands
Use the following SROS show commands to display information regarding your configuration. Enter show commands at any prompt using the do command.
For example: (config-eth 0/1)#do show ip policy-session
Table 5. Show Commands

Command: show ip access-list
Description: Displays all configured IP ACLs in the system.
Sample output:
Standard IP access list MATCHALL
    permit 192.168.1.0, wildcard bits 0.0.0.255 (31337 matches)
Standard IP access list SERVER1_OUT
    permit host 192.168.1.100 (0 matches)
Extended IP access list CORPORATE_TRAFFIC
    permit ip 192.168.1.0, wildcard bits 0.0.0.255 192.168.3.0, wildcard bits 0.0.0.255 (432829 matches)
Extended IP access list CORPORATE_TRAFFIC_IN
    permit ip 192.168.3.0, wildcard bits 0.0.0.255 192.168.1.0, wildcard bits 0.0.0.255 (2194 matches)
Extended IP access list REMOTE_USER_TRAFFIC
    permit ip 192.168.1.0, wildcard bits 0.0.0.255 10.10.10.0, wildcard bits 0.0.0.255 (178 matches)
Extended IP access list REMOTE_USER_TRAFFIC_IN
    permit ip 10.10.10.0, wildcard bits 0.0.0.255 192.168.1.0, wildcard bits 0.0.0.255 (11 matches)

Command: show ip policy-class
Description: Displays a list of currently configured ACPs.
Sample output:
ip policy-class max-sessions 30000
Policy-class “TRUSTED”: 1 current sessions (10000 max)
    Entry 1 - allow list CORPORATE_TRAFFIC
    Entry 2 - allow list REMOTE_USER_TRAFFIC
    Entry 3 - nat source list SERVER1_OUT address 141.158.13.58 overload
    Entry 4 - nat source list MATCHALL address 141.158.13.62 overload
Policy-class “UNTRUSTED”: 2 current sessions (10000 max)
    Entry 1 - allow list CORPORATE_TRAFFIC_IN
    Entry 2 - allow list REMOTE_USER_TRAFFIC_IN

Command: show ip policy-session
Description: Displays a list of current ACP associations.
Sample output:
Protocol (TTL)  Src IP Address  Src Port  Dest IP Address  Dst Port  NAT IP Address  NAT Port
---------------------------------------------------------------------------------------------
Policy class “TRUSTED”:
tcp (523)       192.168.1.70    3790      152.155.209.24   80s       141.160.13.62   29008
Policy class “UNTRUSTED”:
tcp (600)       208.25.151.99   1141      141.158.56.142   23
Policy class “self”:
Policy class “default”:

Command: show ip policy-stats
Description: Displays a list of current ACP statistics.
Sample output:
Global 3 current sessions (30000 max)
Policy-class “TRUSTED”: 1 current sessions (10000 max)
    Entry 1 - allow list CORPORATE_TRAFFIC
        10211717 in bytes, 1184 out bytes, 1140 hits
    Entry 2 - allow list REMOTE_USER_TRAFFIC
        0 in bytes, 0 out bytes, 0 hits
    Entry 3 - nat source list SERVER1_OUT address 141.158.56.58 overload
        0 in bytes, 0 out bytes, 0 hits
    Entry 4 - nat source list MATCHALL address 141.158.56.62 overload
        66422200 in bytes, 230583087 out bytes, 31332 hits
Policy-class “UNTRUSTED”: 2 current sessions (10000 max)
    Entry 1 - allow list CORPORATE_TRAFFIC_IN
        1306324 in bytes, 139295 out bytes, 2194 hits
    Entry 2 - allow list REMOTE_USER_TRAFFIC_IN
        1051 in bytes, 128 out bytes, 11 hits
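As an added example (not part of the guide or of SROS), the following Python parses the text of show ip policy-stats as printed in Table 5 and turns it into two checks an operator would run after a change: policy entries that have never matched (dead or mis-ordered rules) and how close each policy-class is to its session ceiling. It assumes the output is wrapped one item per line as shown above, and accepts either the curly quotes printed in the guide or straight quotes around the class name.

```python
# Added example (not from the SROS guide): parse "show ip policy-stats" text and
# flag entries that have never matched and classes nearing their session ceiling.
# SAMPLE is the output printed in Table 5, re-wrapped one item per line.
import re

SAMPLE = """\
Global 3 current sessions (30000 max)
Policy-class "TRUSTED": 1 current sessions (10000 max)
  Entry 1 - allow list CORPORATE_TRAFFIC
    10211717 in bytes, 1184 out bytes, 1140 hits
  Entry 2 - allow list REMOTE_USER_TRAFFIC
    0 in bytes, 0 out bytes, 0 hits
  Entry 3 - nat source list SERVER1_OUT address 141.158.56.58 overload
    0 in bytes, 0 out bytes, 0 hits
  Entry 4 - nat source list MATCHALL address 141.158.56.62 overload
    66422200 in bytes, 230583087 out bytes, 31332 hits
Policy-class "UNTRUSTED": 2 current sessions (10000 max)
  Entry 1 - allow list CORPORATE_TRAFFIC_IN
    1306324 in bytes, 139295 out bytes, 2194 hits
  Entry 2 - allow list REMOTE_USER_TRAFFIC_IN
    1051 in bytes, 128 out bytes, 11 hits
"""
# The guide prints the class name in curly quotes; the CLI may use straight ones.
CLASS_RE = re.compile(r'Policy-class ["“](\S+)["”]: (\d+) current sessions \((\d+) max\)')
ENTRY_RE = re.compile(r'Entry (\d+) - (.+)')
STATS_RE = re.compile(r'(\d+) in bytes, (\d+) out bytes, (\d+) hits')

def parse_policy_stats(text):
    """Return {class: {"sessions", "max", "entries": [[num, rule, in, out, hits]]}}."""
    classes, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := CLASS_RE.match(line):
            current = {"sessions": int(m[2]), "max": int(m[3]), "entries": []}
            classes[m[1]] = current
        elif current is None:
            continue                          # skip the Global line and headers
        elif m := ENTRY_RE.match(line):
            current["entries"].append([int(m[1]), m[2].strip(), 0, 0, 0])
        elif m := STATS_RE.match(line):
            current["entries"][-1][2:] = [int(m[1]), int(m[2]), int(m[3])]
    return classes

def unused_entries(classes):
    """(class, entry number, rule) for every entry with zero hits: a candidate
    for review, since a rule that never matches is either dead or mis-ordered."""
    return [(c, e[0], e[1]) for c, d in classes.items() for e in d["entries"] if e[4] == 0]

def session_utilization(classes):
    """Fraction of each class's session ceiling currently in use."""
    return {c: d["sessions"] / d["max"] for c, d in classes.items()}
```

On the sample, TRUSTED entries 2 and 3 have zero hits, which is the kind of result worth comparing against the intended ACL order before trusting the policy.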
Managing Event Messages
The SROS provides multiple levels of event messages. You can manage these messages in several ways, based on their assigned priority level. The levels are listed below, from least to most critical.

Priority Level Number   Priority Level
5                       Debug
4                       Information
3                       Notice
2                       Warning
1                       Error
0                       Fatal

There are two management options for the event messages displayed on the console. The default behavior is to display levels 0 to 3 (i.e., Notice, Warning, Error, and Fatal messages). To display all levels, turn debug on (using the debug firewall command). If you turn debug off (no debug firewall), you fall back to displaying levels 0 to 3 (i.e., everything but Information and Debug).

There are additional management options available for event history storage, email notification, and syslog forwarding. If the event history storage is enabled (using the event-history on command), by default the SROS logs all messages with priority levels 0 through 3 (i.e., Notice, Warning, Error, and Fatal messages). You can use the following commands to change the default behavior and set an explicit priority level for the following options:
• event-history priority <priority level#>: Sets the threshold for events stored in the event history. The event log is displayed using the show event-history command.
• logging email priority-level <priority level#>: Sets the threshold for events sent to the configured email addresses (specified using the logging email address-list command).
• logging forwarding priority-level <priority level#>: Sets the threshold for events sent to the configured syslog server (specified using the logging forwarding receiver-ip command).

When setting the <priority level#>, keep the following in mind:
• When priority 4 is selected, all events (priorities 0 through 4) are logged.
• When priority 3 is selected, events with priority 3, 2, 1, or 0 are logged.
• When priority 2 is selected, events with priority 2, 1, or 0 are logged.
• When priority 1 is selected, events with priority 1 or 0 are logged.
• When priority 0 is selected, only events with priority 0 are logged.

Table 6 on page 20 provides a list of event messages related to the firewall (along with the designated priority levels).
Table 6. Firewall Events
Event Message Priority Level
Modified Ack: <#> Debug
    *Generated with changes to an incoming ACK.
Attempt to login with a wrong name <username> from <ip address> Debug
Attempt to login through browser by <username> from <ip address> Debug
Invalid password supplied by <username> from <ip address> Debug
Attempt to login through Site Authentication by <username> Debug
Unable to allocate memory for RTSP Control Connection Debug
No memory for RTSP control connection Debug
No Empty record to store new data Debug
Nat Port not available Debug
Unexpected End of packet Debug
Client Port and NatPort do not match Debug
Unable to create new connection Debug
IGWbuf allocation failed Debug
    *Generated when buffer allocation fails.
Memory not allocated for RTSP data connection Debug
NatPort and Client ports do not match Debug
Unable to allocate memory for RTSP Data connection Debug
Error in creating new connection Debug
Attacks: SynAck: No memory buffers Debug
Attacks: SynAck: Header formation error Debug
ADCreateAssoc: This should not happen Error
    *Generated with an invalid user name on a dynamic NAT address.
ADCreateAssoc: Failure in getting IpAddress from Dim Error
UDB found bad user name while retrieving from DBM Error
UDB failed in allocating memory while loading Error
UDB failed in allocating memory for New User Error
<username> is an invalid user Error
Invalid password, auth failed for user <username> Error
Authentication failed for user <username> Error
UDB got an authentication req for user name: <username> Error
Auth successful for <username> :: priv: <privilege level> Incat tmr: <#> Error
IGWIpYankHdr : Count in IGWbuf < IGW_IPLEN Error
    *Generated when the unit receives packets with an invalid IP header length.
IpYankHdr : IGWbuf too small to yank IP hdr Error
    *Generated when the unit receives packets with an invalid IP header length.
IGWIpYankHdr : Checksum returned error Error
    *Generated with an invalid checksum.
IpYankHdr : Length in IP datagram < IP hdr len Error
\nISStatsInit: Failed to set current time Error
Attacks: SendAck: Unable to form IpHdr Error
Crossed 80%% of resource. Possible flooding (TCP) Error
Original Src %s Dst %s TCP Src:%lu Dst:%lu, dropping packet Error
    *Generated when logging ICMP messages.
Original Src %s Dst %s UDP Src:%ld Dst:%ld, dropping packet Error
    *Generated when logging ICMP messages.
Original Src %s Dst %s ICMP Type:%d, dropping packet Error
    *Generated when logging ICMP messages.
ICMP error message contains less data than expected (possible attack), dropping packet Error
Dropping ICMP packet of type %d Error
Packet with unsupported IP Protocol received, dropping packet Error
Possible Land Attack detected, dropping packet Error
Unable to find route for source, dropping packet Error
Spoofing detected, dropping packet Error
Source IP is a broadcast address, dropping packet Error
Unable to determine route to destination, dropping packet Error
TCP connection request received is invalid, dropping packet Error
Invalid ack value received for connection, dropping packet Error
UDP echo response received for uninitiated echo request (possible smurf attack), dropping packet Error
Echo response for uninitiated echo request (possible smurf attack), dropping packet Error
Packet with unsupported IP Protocol received, dropping packet Error
General attack detected, dropping packet Error
Terminating connection as WinNuke Attack detected, OOB packet Error
Invalid sequence number received with Reset, dropping packet Error
Zero bytes transferred for connection Error
Data connection not established from remote Error
Attempt to login with a wrong name %s from %s Error
Attempt to login through browser by %s from %s Error
Invalid password supplied by %s from %s Error
User %s logged in from %s Error
Attempt to login through Site Authentication by %s Error
Ping of Death attack found Error
Length in IP Header > Data length. Possible JOLT attack Error
Reassembly is currently disabled Error
IpReassembly Fragment count exceeds max limit Error
IpReassembly Datagram size exceeds max limit Error
IpReassembly time out Error
IP Spoofing check bypassed for RIP packet Information
Packet out of order Information
Dropping out of order packet Information
Incoming NatIp <ip address> Information
GetPortMap failed. Exiting function. Information
date =%s Information
    *Generated when showing last login data.
time = %S Information
    *Generated when showing last login data.
UDBVerifyUser:Authenticating user from user data base Information
Attacks: SendAck: IpHdr formed successfully Information
Attacks: SendAck: Source = %lx Destination = %lx Cnt = %d Information
IGWBuf in Firewall is %x Information
    *Generated when showing firewall buffer.
Deny Access Policy matched, dropping packet Information
Bytes transferred for connection: %lu Information
Unable to allocate memory for NAT portmap (%lx->%lx) Notice
Attempt to de-register port map for unavailable NIP %lx-%lx Notice
Something went wrong in function ADLDelNatPort Notice
    *Generated when listen port is null.
Unable to get PortMap for NAT %lx Port %d Notice
ADAlgRegisterNatPorts:Invalid Range StartPort %ld EndPort %ld Notice
ADAlgRegisterNatPorts:Trying to register twice. AlgId %d Protocol %d Notice
ADAlgRegisterNatPorts:Some ports in the specified Range already Registered AlgId %d Protocol %d StartPort %ld EndPort %ld Notice
ADAlgRegisterNatPorts: Unable to get memory Notice
Ceiling for number of connections reached, dropping packet Notice
Maximum connections to box reached, dropping packet Notice
Memory allocation for connection failed, dropping packet Notice
Send Syn to corporate network failed Notice
Received DHCP request Notice
Unable to send syn packet Notice
Attempt to release incorrect TCP nat port Notice
Attempt to release incorrect UDP nat port Notice
Attempt to release incorrect ICMP nat port Notice
Unable to get Port for Protocol %d Notice
Unable to get PortMap for NAT %lx:%ld Port %u Notice
Unable to free Unknown Protocol NAT port for %lx:%ld Notice
Unable to free TCP NAT port for %lx:%ld Notice
Unable to free UDP NAT port for %lx:%ld Notice
Unable to free ICMP NAT port for %lx:%ld Notice
Unable to free GRE NAT port for %lx:%ld Notice
Memory allocation for AppRegister failed Notice
H.323:Failed to Allocate Nat Port Notice
H.323:Failed to Create memory for pH323_T120 Notice
H.323:Failed to Create memory for pH323_RtpRtcp Notice
H.323:Failed to make connection for H323T120 Notice
H.323:Failed to make connection for H323RtpRtcp Notice
H.323:Failed to Allocate Memory for H323T120 Notice
Ftp ALG Alloc Entry Failed! Notice
Invalid FTP PASV cmd reply seen, dropping packet Notice
FTP Get port failed Notice
H.323:Registration Failed because InitPerBuffers Failed Notice
H.323: Unable to get Nat port Notice
H.323:Failed to Allocate memory for H323_H245 Connection Notice
H.323:Failed to make H323_H245 Connection Notice
N2P ALG Alloc Entry Failed! Notice
Pptp Alloc Entry Failed! Notice
Rpc Alloc Entry Failed! Notice
RPC Program Number %lu denied Notice
Stored RPC transaction Id doesn't match server response, dropping packet Notice
RPC Server's response is undecipherable, dropping packet Notice
IRC:Failed to allocate memory for IRC connection Notice
IRC:No of Messages are more than MAX_IRC_REQUESTS Notice
IRC:Size of Message is more than MAX_IRCSIZE Notice
IRC:Something wrong 1 Notice
    *Generated when too much data is present.
IRC:Something gone wrong in Notice Message Notice
    *Generated when too much data is present.
IRC:Something wrong 2 Notice
    *Generated when too much data is present.
IRC:Unable to Allocate memory for IRCData Notice
IRC:Unable to create dynamic association for IRC Notice
IRC:Unable to create IGWbuf for IRC Notice
RTSP:Failed to allocate memory for RTSP connection Notice
RTSP:Failed to allocate IGWbuf for RTSP connection Notice
RTSP:Failed to NatPort for RTSP connection Notice
RTSP:Failed to Create RTSP Data connection Notice
Access Policy not found, dropping packet Warning
IN bound Access Policy not found, dropping packet Warning
FTP Cmd %.10s denied, dropping packet Warning
SMTP Cmd %.10s denied, dropping packet Warning
Attempt to contact ProxyServer, dropping packet Warning
HTTP File %.20s denied, dropping packet Warning
Copyright 2005 Hewlett-Packard Development Company, LP. The information contained herein is subject to change without notice.