Force10 Networks 100-00055-01 specification

Allowing Traffic through the Firewall

To allow packets through the firewall you must write rules so that packets that you want the appliance to forward match those rules. Rules can be as simple as allowing traffic destined to a port. Stateful rules can be used to allow all traffic for an established connection. To allow non-IP traffic to pass through the firewall, you must select “Yes” for compiler option 2, as described in Table 8 on page 56.

Sample rules for a firewall deployment are available in file pnic-compiler/rules/fw.rules.

Writing Rules for a Firewall Deployment

Rules for a firewall deployment are written in the same Snort-based syntax as IDS/IPS rules. The difference is that you must describe packets that you want to forward, rather than block. See P-Series Rule Syntax on page 66.

In Table 25 stateful rules are used to allow specified traffic into the internal network. Notice that in the incoming direction, the policies require that the packet be destined to a set of allowed ports, while in the outgoing direction, there is no port requirement. This asymmetry produces typical firewall behavior.

The Drop mode can also accommodate arbitrary rules that do not assume an inside and outside interface. This is an attractive quality since the notion of inside and outside is often blurred in modern network topologies. Also note that traditional IPS and IDS rules can be coupled with the firewall rules to block packets and/or capture suspicious packets.

P-Series Installation and Operation Guide, version 2.3.1.2

77

Image 77

Force10 Networks 100-00055-01 manual Allowing Traffic through the Firewall, Writing Rules for a Firewall Deployment

Contents

Series Installation and Operation Guide Copyright 2008 Force10 Networks Contents Graphical User Interface Contents Command Line Reference Glossary Audience ObjectivesConventions Convention Description Keyword Symbol Warning Description Information SymbolsRelated Documents Additional Resources This LED is green when the power is on This LED is blue when the hard disk is accessedLabel Description This LED is not used PB-10GE-2P System SpecificationsPhysical Connections Step Task Configuration BootingOnce the appliance is booted Security Check Cp -Rf /usr/local/pnic/ /home Gmake installTar xvzf PTPS-PMAIN Cd SW Install pre-compiled firmware if needed Cd upgradedirectory/pnic-compilerRe-compile all rules firmware with the new compiler Located in the directory pnic-compiler Chapter Getting Started Returning to the Default Configuration Getting Started Hardware Architecture Overview Chapter Introduction Sample Rules and Firmware Types of RulesRx1 Tx1 Mirror Introduction Deploying the P-Series Rule ManagementSample Rules Files Rule Set Description Fail-safe Deployment Inline Deployment Passive Deployment Highly-available Deployment Series supports capturing matched traffic for analysis Capturing Matched Traffic Capturing Matched Traffic via the libpcap Interface Capturing to a Host CPU Creating an IDS Accelerator with the P-Series Mirroring to Another Device Graphical User Interface Invoke the GUI by entering the command pnic gui Command Description GUI CommandsGUI Commands Rule Management GUI Managing Rules, Policies, and Firmware Option Description Editing Dynamic Rules with the GUIPolicy Capture Permit Deny To modify dynamic rules Managing Capture/Forward Policies with the GUI Managing Capture/Forward Policies GUI Selecting Firmware with the GUI Select Manage Firmware see Figure Runtime StatisticsTo select firmware Runtime Statistics for Channel 0 and 1-FPGA Loaded Statistic Description Reloading FirmwareRuntime Statistics Description Graphical User Interface Launching the P-Series Node Manager Web-based Management Lauching the P-Series Node Manager Web-based Management Series Node Manager has four major management capabilities Managing the P-Series using Node ManagerWeb-browser Security Certificates Series Node Manager Home Panel Web-based Management Monitoring System Performance Managing the Network Interface Card Managing Firmware ImagesPage Managing Policies Page Network Security Monitoring Installing the Sguil Server Installing the Sguil SystemInstalling the Sguil Sensor To uninstall the server Installing the Sguil ClientSource the server configuration file. The default Wish Sguil Files and Directories Installation FilesFile Location Sensor Server Running the Sguil Sensor Running the Sguil System Task Script Running the Sguil Server To run the Sguil Client Running the Sguil Client Selecting the Sensor to Monitor Editing Dynamic Rules with the CLI CLI CommandsMAC Rewriting Change directories to /usr/local/pnic/0 Rewriting Destination MAC Addresses to Load Balance Command Line Interface Removing Vlan Tags Command Line Interface Rules Capacity Creating Rules FilesCompiling Rules To complile rules Compilation Option Description Positives Content matching Enter command gmake from pnic-compilerdirectory Pnic-Compiler Option Starting and Stopping the pnic-Compiler Summary of configuration File Description Location Configuration and Generated FilesConfiguration and Generated Files Firmware Filenames Compiler ErrorsDescribes each of the elements in this format Firmware Filename Description Snort Rule Syntax Snort Rule SyntaxSnort Rule Headers Protocol Ports Series Supported Snort Keywords Series Rule SyntaxSnort Rule Options Keyword Static Dynamic Yes Yes, no ranges Seq YesYes Only /8/16/24/32 masks Stateful Matching Writing Stateful Rules Pre-match Condition the S Value Stateful Rule Examples Handling Segmentation Evasion Support for Snorts flow Keyword Support for Snorts within Keyword Anomalous TCP Flags Writing Rules Deploying the P-Series as a Firewall Chapter Firewall Firewall Enabling the Firewall Writing Rules for a Firewall Deployment Allowing Traffic through the Firewall Sample Firewall Rules Appendix a Command Line Reference Appendix a Pnic aggregate-mode-disablePnic aggregate-mode-disable number Pnic aggregate-mode-enable number Pnic aggregate-mode-enableDifferent ports. This is the default behavior Pnic apply-firmware Display the available firmware Pnic apply-firmware Command Example Pnic capture-on Pnic capture-offPnic capture-off Syntax pnic capture-on Pnic cardstatus Display the configuration parameters of the systemPnic cardstatus number Display the driver version Pnic default-drop-disable number Pnic default-drop-disablePnic compilerules Pnic compilerules number Enable firewall functionality Pnic default-drop-enableRun diagnostic tests on the card Pnic diag Example pnic diag Command Example Pnic diag Command Example Pnic flow-teardown-enable Pnic flow-teardown-disablePnic flow-teardown-disable Pnic flow-teardown-enable Pnic getmachashindex number Example pnic flow-teardown-enable Command ExamplePnic getmachashindex Syntax pnic gui Pnic guiLaunch the graphical user interface Pnic gui Command Example Pnic help Pnic help Pnic linkup Pnic linkdown Pnic loadconf number Pnic loadconf Address Corresponding Parameter Pnic loadconf Address Mapping Pnic loadparams deprecated Pnic loadepromsLoad the PCI-X and front-end EEPROMs Pnic loadeproms number Loadparams Address Mapping Pnic loadparams Command Example Pnic loadrules channel Pnic loadrules Enable MAC rewriting using the command pnic macrewrite-on Disable MAC rewriting. This is the default behaviorDisable MAC rewriting using the command pnic macrewrite-off Pnic macrewrite-off 100 Appendix a Pnic off deprecatedSyntax pnic off Enable the capturing of packets via direct memory access Example pnic off Command ExamplePnic on deprecated Pnic on Syntax pnic passive-mode-disable number Pnic passive-mode-disablePnic params Pnic params number Configure the ports to only receive traffic Pnic passive-mode-enableExample pnic passive-mode-disable Command Example Configure the ports to only receive traffic Pnic resetconf number Pnic resetconfPnic restart Stop capturing and matching Pnic sguil-sensor-start Series Installation and Operation Guide, version 105Start the Sguil sensor Pnic restart Pnic sguil-sensor-start -f Pnic sguil-sensor-stop Series Installation and Operation Guide, version 107Stop the Sguil sensor Pnic sguil-sensor-stop -f Pnic showconf Display configuration parameters of the cardPnic show-firmwares List the available firmware images Pnic showtech Series Installation and Operation Guide, version 109Apply a specific firmware to the card Pnic showtech number filename.dat Example pnic showtech Command Example Disable the network interface using the command pnic stopPnic start Pnic start number Enable the network interface using the command pnic start Turn off capture and disable the network interfaceDisable the network interface Pnic stop Pnic temp-mem-enable Pnic temp-mem-disableDisable temporary memory Enable temporary memory. This is the default behavior Disable temporary memory Pnic updatemacvaluePnic updatemacvalue number Specifies an LSB value for a particular hash index Pnic vlan-remove-enable Pnic vlan-remove-disableDisable the Vlan Tag Remove feature Vlan Tag Remove feature is disabled by default Pnic version Disable the web server using the command pnic web-gui-stopPnic web-gui-start Display the driver version Stop the web server Pnic web-gui-stopStop the web server Pnic web-gui-stop -f Start the web server Series Installation and Operation Guide, version 117 118 Appendix a Keyword Description Rule Syntax Description of P-Series Snort KeywordsAck Checks for a specific TCP acknowledgment number Flags!*+ FSRPAU120 Icmp idnumber Flow establishedstatelessIcmp seq number Ipproto ! name number Ttl This keyword checks for the specified IP time-to-live Uricontent ! datastring 122 Appendix B Evasion Rules Meta Rules for Channel 0 and ChannelMeta Rules 124 Appendix C Logout Unix CommandsPasswd Pwd ? text Vi CommandsSet number no Number Flow Dynamic RulesGarbage Collection Span Port SnortState Static Rules Series Installation and Operation Guide, version 129 Accessing iSupport ServicesManual Pages ISupport Website Locating P-Series Serial Numbers Contacting the Technical Assistance Center To request replacement hardware, follow these steps Requesting a Hardware Replacement 132 Technical Support