Manuals / Force10 Networks / Computer Equipment / Network Card

Force10 Networks 100-00055-01 manual Allowing Traffic through the Firewall

Models: 100-00055-01

1 132

Download 132 pages 61.04 Kb

Page 77

Allowing Traffic through the Firewall

To allow packets through the firewall you must write rules so that packets that you want the appliance to forward match those rules. Rules can be as simple as allowing traffic destined to a port. Stateful rules can be used to allow all traffic for an established connection. To allow non-IP traffic to pass through the firewall, you must select “Yes” for compiler option 2, as described in Table 8 on page 56.

Sample rules for a firewall deployment are available in file pnic-compiler/rules/fw.rules.

Writing Rules for a Firewall Deployment

Rules for a firewall deployment are written in the same Snort-based syntax as IDS/IPS rules. The difference is that you must describe packets that you want to forward, rather than block. See P-Series Rule Syntax on page 66.

In Table 25 stateful rules are used to allow specified traffic into the internal network. Notice that in the incoming direction, the policies require that the packet be destined to a set of allowed ports, while in the outgoing direction, there is no port requirement. This asymmetry produces typical firewall behavior.

The Drop mode can also accommodate arbitrary rules that do not assume an inside and outside interface. This is an attractive quality since the notion of inside and outside is often blurred in modern network topologies. Also note that traditional IPS and IDS rules can be coupled with the firewall rules to block packets and/or capture suspicious packets.

P-Series Installation and Operation Guide, version 2.3.1.2

77

Image 77

Force10 Networks 100-00055-01 manual Allowing Traffic through the Firewall, Writing Rules for a Firewall Deployment

Contents

May 27 P-Series Installation and Operation GuideVersion Trademarks Copyright 2008 Force10 NetworksStatement of Conditions USA Federal Communications Commission FCC StatementContents ContentsInstallation PrefaceGraphical User Interface Command Line InterfaceChapter Web-based ManagementBasic Unix Commands Command Line ReferenceCompiling Rules Writing RulesGlossary Appendix EAppendix F Technical SupportAbout this Guide PrefaceObjectives AudienceRelated Documents Information SymbolsAdditional Resources P-Series Release NotesChapter InstallationPB-10GE-2P System SpecificationsPhysical Connections Step Task Configuration BootingSecurity Check Upgrading Softwarefilename ~/upgradedirectory mkdir ~/upgradedirectorycd upgradedirectory scp username@serverabsolutepathcd upgradedirectory/pnic-compiler Commandcd upgradedirectory/firmware gmake installGetting Started Returning to the Default ConfigurationChapter To begin inspecting and filtering traffic you mustGetting Started Chapter IntroductionHardware Architecture Overview Sample Rules and Firmware Types of RulesFirewall Deployment” on page Rule ManagementDeploying the P-Series Fail-safe Deployment Inline Deployment10-Gigabit Optical Bypass 10-GigabitPassive Deployment Highly-available DeploymentP1P0 10-GigabitNetwork Switch with SPAN port Capturing Matched TrafficNetwork Tap 10-Gigabit 10-Gigabit P-Series P10Capturing to a Host CPU PB-10GE-2P Mirroring to Another DeviceM1 P1 P0 M0 Traffic to MonitorChapter 4 Graphical User Interface Command Description GUI CommandsPNIC0 Not Active Managing Rules, Policies, and Firmwaredirectory see “Editing Dynamic Rules with the GUI” on page Editing Dynamic Rules with the GUIGUI” on page To manage firmware, see “Selecting Firmware with the GUI” on pageTo change capture/forward policies Managing Capture/Forward Policies with the GUITo modify dynamic rules fn9000014 Selecting Firmware with the GUIfn9000013 Runtime Statistics Graphical User Interface Figure 19 Runtime Statistics for Channel 0 and 1-FPGA LoadedReloading Firmware Graphical User Interface To launch the P-Series Node Manager Chapter 5 Web-based ManagementLaunching the P-Series Node Manager Web-based Management Figure 21 Lauching the P-Series Node ManagerWeb-browser Security Certificates Managing the P-Series using Node ManagerMonitoring System Performance on page Managing Firmware Images on pageMonitoring System Performance Managing the Network Interface Card Managing Firmware ImagesWeb-based Management Figure 25 P-Series Node Manager Card Management PanelManaging Policies Web-based Management Figure 26 P-Series Node Manager Policy Managment PanelP-Series Sensors Chapter 6 Network Security MonitoringSguil Server Sguil ClientInstalling the Sguil Sensor Installing the Sguil SystemInstalling the Sguil Server Hardware and Software RequirementsWireshark Installing the Sguil ClientUninstalling the Sguil Server # win32 example set TLSPATH c/progra~1/Tcl/lib/tls1.4.1/tls14.dll Installation FilesWriting New Rules Running the Sguil SystemRunning the Sguil Sensor Running the Sguil Server To run the Sguil Client Running the Sguil Clientfn90027mp fn90028mpCLI Commands Chapter 7 Command Line InterfaceCLI commands are given in Command Line Reference on page Editing Dynamic Rules with the CLITo enable MAC rewriting In FigureRemoving VLAN Tags Command Line Interface Creating Rules Files Compiling RulesRules Capacity Compiling RulesMatch non-IP Traffic Target Devicepage 3 Match Fragmented IPv4 Packets or IPv4 Packets w/ Optionssee Figure 36 on page Segmentation Evasion RulesMaximum String see Figure 37 on pageEnter command gmake from pnic-compiler directory Figure 36 pnic-Compiler Option P-Series Installation and Operation Guide, versionStarting and Stopping the pnic-Compiler Summary of configurationto which the .mapping files in /usr/local/pnic Configuration and Generated Fileswhich the .bit files in /usr/local/pnic/0 are Firmware Filenames Compiler ErrorsSnort Rule Syntax Writing RulesSnort Rule Headers ActionSource Addresses ProtocolDirection Operator PortsP-Series Supported Snort Keywords P-Series Rule SyntaxSnort Rule Options Destination Address and PortStatic KeywordDynamic protocolStateful Matching Writing Stateful Rules∧ si Equation= si ⎬ then cpiIn Table Stateful Rule ExamplesThe meta.rules File Support for Snorts flow KeywordHandling Segmentation Evasion Support for Snorts within Keyword Anomalous TCP Flags Writing Rules Chapter FirewallDeploying the P-Series as a Firewall Drop mode Disabled Drop mode Enabled Enabling the FirewallVerify Drop mode is Enabled Figure 39 Enabling and Disabling Drop ModeWriting Rules for a Firewall Deployment Allowing Traffic through the Firewall#permit let through and do not log to the host pnic aggregate-mode-disable on page Appendix A Command Line Referencepnic aggregate-mode-enable on page pnic apply-firmware on page pnic default-drop-disable on page pnic default-drop-enable on pagepnic temp-mem-disable on page pnic temp-mem-enable on page pnic aggregate-mode-disablepnic updatemacvalue on page pnic vlan-remove-disable on page pnic vlan-remove-enable on page pnic web-gui-start on pagepnic apply-firmware pnic aggregate-mode-enableCommands Parameters Command History Examplepnic show-firmwares Display the available firmwarepnic capture-on pnic capture-offEnable the capturing of packets via direct memory access Syntax Parameters Command History ExampleCommands pnic cardstatusSyntax Parameters Command History Example Commandspnic compilerules pnic default-drop-disableTemporary memory is disabled while the firewall is enabled pnic default-drop-enablepnic diag Parameters Command History ExampleVersion PMAIN2.3.0.014 root@localhost SW# Parameters Command History ExampleUsage Information pnic flow-teardown-enable pnic flow-teardown-disablepnic flow-teardown-disable pnic flow-teardown-enablevalue for an IP address pairs pnic getmachashindexEnable MAC rewriting pnic guiDisable MAC rewriting pnic updatemacvalueExample pnic gui Command ExampleP-Series Installation and Operation Guide, version Syntax Command History Example pnic helppnic help output omittedpnic linkup pnic linkdownSyntax Parameters Command History Example CommandsParameters Command History Example pnic loadconfCommands Syntax Parameters Command HistoryCorresponding Parameter Addresspnic loadparams deprecated pnic loadepromspnic loadeproms number pnic loadparams numberCorresponding Parameter AddressSyntax Parameters pnic loadrulesCommand History Example Usage Information pnic macrewrite-on pnic macrewrite-offSyntax pnic off pnic off deprecatedUsage Information Related Commands pnic on deprecatedSyntax Parameters Command History Example pnic on deprecatedpnic params pnic passive-mode-disablepnic passive-mode-enable pnic passive-mode-enableCommand Commandspnic restart pnic resetconfSyntax Parameters Command History Example Stop capturing and matchingDisable the network interface pnic sguil-sensor-startEnable the network interface Syntax Command History ExampleSyntax Parameters Command History Example Stop the Sguil sensor using the command pnic sguil-sensor-stopCommands pnic sguil-sensor-start -fSyntax Parameters Command History Example pnic sguil-sensor-stopCommands pnic sguil-sensor-start Start the Sguil sensorpnic show-firmwares pnic showconfSyntax Parameters Command History Example CommandsCommand History Example pnic showtechCommands Syntax Parameters Command HistoryLoad the capture/block configuration Load the runtime parameters pnic startEnable the network interface Disable the network interface using the command pnic stopEnable the network interface pnic stopCommands Syntax Parameters Command History Examplepnic temp-mem-enable pnic temp-mem-disableUse this command with the MAC rewrite feature pnic updatemacvaluepnic temp-mem-disable Enable MAC rewritingpnic vlan-remove-enable pnic vlan-remove-disablepnic vlan-remove-disable pnic vlan-remove-enablepnic web-gui-start pnic versionDisable the web server using the command pnic web-gui-stop Display the driver versionpnic web-gui-stop Enable the web server using the command pnic web-gui-startCommands Commandpnic web-gui-start CommandsExample RelatedAppendix A Snort Keywords Appendix Back number dsize number numberKeyword Keyword uricontent ! “datastring”Description Rule SyntaxAppendix B Evasion Rules Appendix C Meta and Evasion Rulesmeta Rules Appendix C Unix Commands Appendix D Basic Unix CommandsCommand DescriptionCommand vi CommandsDescription ? textGlossary Appendix ESPAN Port SnortState Static RulesAppendix F Accessing iSupport ServicesTechnical Support Manual PagesSerial Number see Locating P-Series Serial Numbers on page Contacting the Technical Assistance CenterLocating P-Series Serial Numbers To request replacement hardware, follow these steps Requesting a Hardware ReplacementTechnical Support