Firewall CLI Commands


The XSR firewall is configured from objects (networks, network groups, services and service groups) that are referenced by policy rules. These objects and the other firewall commands are specified at the CLI as follows:

Network - Identifies a network or host with ip firewall network. A network is specified with a subnet address and mask; a host is specified with its address and a 32-bit (255.255.255.255) mask. The command also records whether the network or host resides on the trusted/internal or the untrusted/external side of the firewall.

Caution: Take care not to overlap internal and external address ranges. Internal ranges take precedence over external ranges, so an address that falls in both is treated as internal for policy matching. This can give unexpected results: if a policy names an internal address as one endpoint and a wildcard such as ANY_EXTERNAL as the other, and the address you expect ANY_EXTERNAL to cover is also defined in an internal range, the rule will never match, because that address is never considered part of ANY_EXTERNAL.

You can configure a network object covering any address on the Internet either as an address range or with an all-zero mask, as follows:

XSR(config)#ip firewall network Any_address 1.0.0.1 255.255.255.254 external

or

XSR(config)#ip firewall network Internet 0.0.0.0 mask 0.0.0.0 external

Network group - Groups up to ten network objects under a single name with ip firewall network-group, for simpler configuration. The intrinsic, pre-defined ANY_EXTERNAL and ANY_INTERNAL groups are maintained automatically by the firewall as long as at least one other internal or external object has been defined.

Service - Specifies an application's protocol and port range with ip firewall service. A packet matches the service if either its source port or its destination port falls within the specified range. TCP and UDP are supported. The intrinsic services covering all ports are ANY_TCP (all TCP ports) and ANY_UDP (all UDP ports).

Service group - Aggregates up to ten service objects under a single name with ip firewall service-group. Typically the group is named for the application it describes.

Policy - Defines which applications can traverse the firewall, and in which direction, with ip firewall policy. Packets that match a policy's addresses and service are processed by its action: allow, allow-auth, reject, log, cls, etc. Configuration must observe these rules:

Address combinations - A policy may be defined external to internal, internal to external, or internal to internal. External to external is not supported.

Rule order - Rules are evaluated in the order entered: the first matching rule applies, so earlier rules take precedence over later ones.

Deny All for unicast packets - The XSR firewall applies a DENY ALL default policy: unless a rule explicitly allows a packet, it is dropped, in both directions.

Define a rule at the end of your configuration to set the default behavior for a given direction. For example, to allow all packets from internal to external except Telnet and FTP, first define the rules that reject Telnet and FTP, then define a rule allowing any service from source ANY_INTERNAL to destination ANY_EXTERNAL. Because rules are matched in order, entering the catch-all rule first would let it admit Telnet and FTP before the reject rules are reached. The ANY_INTERNAL and ANY_EXTERNAL names are case-sensitive.
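The following is an added model of the matching rules described above, written for this edit; it is not XSR code and does not reproduce the XSR CLI syntax for service or policy commands. It exercises the three points a practitioner needs to get right before typing rules: first-match rule order with the implicit DENY ALL, the either-port service match, and the Caution about an address that falls in both an internal and an external range. The class and function names, the packet tuple and the sample networks are assumptions made for the example, as is the reading that a named network object only matches an address whose classified zone is the object's own zone.

```python
"""Added model of the XSR firewall object and policy-matching rules described in this
section; not XSR code. Names, the packet tuple and the sample networks are assumptions.
Two readings of the text are built in: an address found in both an internal and an
external range is classified internal before rules are evaluated (the Caution), and a
named object only matches an address whose classified zone is the object's own zone."""
import ipaddress
from dataclasses import dataclass

INTERNAL, EXTERNAL = "internal", "external"


@dataclass(frozen=True)
class Network:
    name: str
    first: int  # first address of the range, as an integer
    last: int   # last address of the range, as an integer
    zone: str   # INTERNAL or EXTERNAL

    def contains(self, addr):
        return self.first <= int(ipaddress.ip_address(addr)) <= self.last


def net_mask(name, addr, mask, zone):
    """Mask form on the page: ip firewall network NAME ADDR mask MASK ZONE (a /32 mask names a host)."""
    n = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return Network(name, int(n.network_address), int(n.broadcast_address), zone)


def net_range(name, start, end, zone):
    """Range form on the page: ip firewall network NAME START END ZONE."""
    return Network(name, int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end)), zone)


@dataclass(frozen=True)
class Service:
    name: str
    proto: str  # "tcp" or "udp"
    lo: int
    hi: int

    def matches(self, proto, sport, dport):
        # A packet matches if either its source or its destination port is in range.
        return proto == self.proto and (self.lo <= sport <= self.hi or self.lo <= dport <= self.hi)


ANY_TCP = Service("ANY_TCP", "tcp", 0, 65535)
ANY_UDP = Service("ANY_UDP", "udp", 0, 65535)


def overlaps(networks):
    """Check before deploying: (internal, external) pairs whose ranges intersect. Overlap with a
    0.0.0.0/0 Internet object is expected; overlap with a narrower external object is the Caution."""
    return [(i.name, e.name) for i in networks if i.zone == INTERNAL
            for e in networks if e.zone == EXTERNAL and i.first <= e.last and e.first <= i.last]


class Firewall:
    def __init__(self, networks):
        self.networks = {n.name: n for n in networks}
        self.rules = []  # kept in entry order: earlier rules take precedence

    def add_rule(self, src, dst, service, action):
        self.rules.append((src, dst, service, action))

    def zone_of(self, addr):
        zones = {n.zone for n in self.networks.values() if n.contains(addr)}
        return INTERNAL if INTERNAL in zones else EXTERNAL if EXTERNAL in zones else None

    def endpoint_matches(self, spec, addr):
        zone = self.zone_of(addr)
        if spec in ("ANY_INTERNAL", "ANY_EXTERNAL"):
            return zone == spec[4:].lower()
        net = self.networks[spec]
        return net.zone == zone and net.contains(addr)

    def decide(self, src_ip, dst_ip, proto, sport, dport):
        """First matching rule wins; no match means the implicit DENY ALL."""
        if self.zone_of(src_ip) == EXTERNAL and self.zone_of(dst_ip) == EXTERNAL:
            return "deny"  # external-to-external policies are not supported
        for src, dst, svc, action in self.rules:
            if (self.endpoint_matches(src, src_ip) and self.endpoint_matches(dst, dst_ip)
                    and svc.matches(proto, sport, dport)):
                return action
        return "deny"


def demo():
    """Constructed sample: reject Telnet and FTP outbound, allow all other outbound traffic,
    plus a Branch object defined external inside the internal LAN range (the Caution)."""
    fw = Firewall([net_mask("LAN", "10.1.0.0", "255.255.0.0", INTERNAL),
                   net_mask("Internet", "0.0.0.0", "0.0.0.0", EXTERNAL),
                   net_mask("Branch", "10.1.200.0", "255.255.255.0", EXTERNAL)])
    fw.add_rule("ANY_INTERNAL", "ANY_EXTERNAL", Service("TELNET", "tcp", 23, 23), "reject")
    fw.add_rule("ANY_INTERNAL", "ANY_EXTERNAL", Service("FTP", "tcp", 20, 21), "reject")
    fw.add_rule("ANY_INTERNAL", "ANY_EXTERNAL", ANY_TCP, "allow")  # catch-all rules last
    fw.add_rule("ANY_INTERNAL", "ANY_EXTERNAL", ANY_UDP, "allow")
    out = {"telnet_out": fw.decide("10.1.2.3", "203.0.113.9", "tcp", 40000, 23),
           "https_out": fw.decide("10.1.2.3", "203.0.113.9", "tcp", 40001, 443),
           "https_in": fw.decide("203.0.113.9", "10.1.2.3", "tcp", 50000, 443),
           # 10.1.200.5 is in Branch (external) but also in LAN (internal): internal wins,
           # so ANY_EXTERNAL never matches it and the outbound catch-all does not apply.
           "branch_before": fw.decide("10.1.2.3", "10.1.200.5", "tcp", 40002, 443),
           "overlaps": overlaps(fw.networks.values())}
    fw.add_rule("ANY_INTERNAL", "ANY_INTERNAL", ANY_TCP, "allow")  # internal-to-internal is allowed
    out["branch_after"] = fw.decide("10.1.2.3", "10.1.200.5", "tcp", 40002, 443)
    return out
```

Calling demo() returns "reject" for outbound Telnet, "allow" for outbound HTTPS, "deny" for unsolicited inbound HTTPS, and "deny" for LAN-to-Branch traffic until an internal-to-internal rule is added; overlaps() reports the LAN/Branch pair that causes that last result, which is the check to run on a configuration before trusting an ANY_EXTERNAL rule.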

XSR User’s Guide 16-19

Enterasys Networks X-Pedition™ manual Firewall CLI Commands