Force10 Networks 100-00055-01 manual, Firewall, page 78

Table 25 Sample Firewall Rules

#permit: let through and do not log to the host

#alert: let through and log to the host

#deny: DO NOT let through and do not log to the host

#divert: DO NOT let through and log to the host

#S:<precondition>; C:<postcondition> R:<logging>

#A packet is matched if precondition matches the current state of that flow;

#in that case the postcondition is ORed and applied to rewrite the state of that flow;

#A precondition of 1 starts a new flow

#logging should be set to 2 for most cases; see the user manual for R:1

#Topology assumption

#c0 : Unsecured EXTERNAL network

#c1 : Secured INTERNAL network

#specify here your inside networks
#var INTERNAL 192.168.50.0/24
var INTERNAL any

var EXTERNAL any

#specify here your outside DNS servers
#var DNS [10.11.0.1, 10.11.0.2]

var DNS any

var DNSPORT 53

#specify here the services provided from the inside network
#var ALLOWEDPORTS [21,22,25]

var ALLOWEDPORTS 22

#allow INTERNAL network to poke a hole through the firewall for TCP services

permit on c1 tcp $INTERNAL any -> $EXTERNAL any (msg:"Z SYN"; flags:S; S:1; R:2; C:3;)
permit on c0 tcp $EXTERNAL any -> $INTERNAL any (msg:"Z SYNACK"; flags:SA; S:2; R:2; C:4;)

#allow EXTERNAL network to poke a hole through the firewall if accessing any of the ALLOWEDPORTS
permit on c0 tcp $EXTERNAL any -> $INTERNAL $ALLOWEDPORTS (msg:"Z SYN"; flags:S; S:1; R:2; C:3;)
permit on c1 tcp $INTERNAL $ALLOWEDPORTS -> $EXTERNAL any (msg:"Z SYNACK"; flags:SA; S:2; R:2; C:4;)

#allow TCP packets on the established flow/hole (INTERNAL <--> EXTERNAL)
permit on all tcp any any -> any any (msg:"Z TCP flow allowed"; S:4; R:2; C:4;)

#allow INTERNAL network to poke a hole through the firewall for DNS queries

permit on c1 udp $INTERNAL any -> $DNS $DNSPORT (msg:"DNS query"; S:1; R:2; C:9;)
permit on c0 udp $DNS $DNSPORT -> $INTERNAL any (msg:"DNS reply"; S:8; R:2; C:16;)

#allow UDP packets for the established UDP flow/holes (INTERNAL <--> DNS)
permit on all udp any any -> any any (msg:"Z UDP flow allowed"; S:16; R:2; C:16;)

#bad stuff; do not let through and do not log

deny on all tcp any any -> any any (msg:"Z SAPU TCP Flags"; flags:SAPU;)
deny on all tcp any any -> any any (msg:"Z FU TCP Flags"; flags:FU;)
deny on all tcp any any -> any any (msg:"Z PF TCP Flags"; flags:PF;)
deny on all tcp any any -> any any (msg:"Z UP TCP Flags"; flags:UP;)
deny on all tcp any any -> any any (msg:"Z Zero TCP Flags"; flags:0;)
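The precondition/postcondition mechanism that the comment block of Table 25 describes, as an added example that is not part of the Force10 manual: a small Python evaluator that parses a subset of the table's rules (with INTERNAL set to the manual's commented-out 192.168.50.0/24 value) and walks constructed packets through them, showing how the flow state moves 1 -> 3 -> 7 for a TCP handshake and 1 -> 9 -> 25 for a DNS exchange. Several details are assumptions because the page does not state them outright: an unseen flow is in state 1; S:n matches when state & n is non-zero and C:n is ORed into the state (the only reading under which the sample's state values line up); flags: compares the exact flag set, with flags:0 meaning no flags; the first matching rule wins; and a packet matching no rule is dropped. The R: logging mode is parsed but ignored, and bracketed lists are only accepted without spaces in this toy parser.

```python
"""Added example (not Force10 code): toy evaluator for the stateful rule syntax of Table 25.
Assumed, since the page does not state it outright: an unseen flow is in state 1 ("S:1 starts a
new flow"); S:n matches when (state & n) != 0 and C:n is ORed into the state; the first matching
rule wins; a packet that matches no rule is dropped. The R: logging mode is ignored."""
import ipaddress
import re
from collections import namedtuple

Rule = namedtuple("Rule", "action iface proto src sport dst dport flags pre post msg")
Packet = namedtuple("Packet", "iface proto src sport dst dport flags")
RULE_RE = re.compile(r"^(permit|alert|deny|divert)\s+on\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
                     r"\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$")
# (forward?, log?) per action, exactly as the comment block at the top of Table 25 defines them.
ACTIONS = {"permit": (True, False), "alert": (True, True),
           "deny": (False, False), "divert": (False, True)}

# Subset of Table 25; INTERNAL uses the manual's commented-out example value.
TABLE_25 = """
var INTERNAL 192.168.50.0/24
var EXTERNAL any
var DNS any
var DNSPORT 53
var ALLOWEDPORTS 22
permit on c1 tcp $INTERNAL any -> $EXTERNAL any (msg:"Z SYN"; flags:S; S:1; R:2; C:3;)
permit on c0 tcp $EXTERNAL any -> $INTERNAL any (msg:"Z SYNACK"; flags:SA; S:2; R:2; C:4;)
permit on c0 tcp $EXTERNAL any -> $INTERNAL $ALLOWEDPORTS (msg:"Z SYN"; flags:S; S:1; R:2; C:3;)
permit on all tcp any any -> any any (msg:"Z TCP flow allowed"; S:4; R:2; C:4;)
permit on c1 udp $INTERNAL any -> $DNS $DNSPORT (msg:"DNS query"; S:1; R:2; C:9;)
permit on c0 udp $DNS $DNSPORT -> $INTERNAL any (msg:"DNS reply"; S:8; R:2; C:16;)
deny on all tcp any any -> any any (msg:"Z SAPU TCP Flags"; flags:SAPU;)
"""

def parse_rules(text):
    """Parse 'var' lines and rule lines; '#' comments and blank lines are skipped."""
    vars_, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            vars_[name] = value
            continue
        line = re.sub(r"\$(\w+)", lambda m: vars_[m.group(1)], line)   # $NAME substitution
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable rule: {raw!r}")
        action, iface, proto, src, sport, dst, dport, opts = m.groups()
        o = dict((k.strip(), v.strip().strip('"')) for k, v in
                 (item.split(":", 1) for item in opts.split(";") if item.strip()))
        rules.append(Rule(action, iface, proto, src, sport, dst, dport, o.get("flags"),
                          int(o.get("S", 0)), int(o.get("C", 0)), o.get("msg", "")))
    return rules

def _addr_ok(spec, ip):   # 'any', a CIDR/host, or a comma-separated [list] without spaces
    return spec == "any" or any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False)
                                for n in spec.strip("[]").split(","))

def _port_ok(spec, port):
    return spec == "any" or port in {int(p) for p in spec.strip("[]").split(",")}

def rule_matches(rule, pkt, state):
    if rule.iface not in ("all", pkt.iface) or rule.proto != pkt.proto:
        return False
    if not (_addr_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)
            and _addr_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport)):
        return False
    if rule.flags is not None and set(pkt.flags) != (set() if rule.flags == "0" else set(rule.flags)):
        return False          # exact flag set; 'flags:0' means no flag bits set
    return rule.pre == 0 or (state & rule.pre) != 0   # no S: option -> stateless rule

def flow_key(pkt):   # both directions of a conversation share one flow entry
    return (pkt.proto, frozenset([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

class Firewall:
    def __init__(self, rules):
        self.rules, self.flows = rules, {}

    def process(self, pkt):   # -> (forward?, log?, msg); no match -> (False, False, None), assumed
        key = flow_key(pkt)
        state = self.flows.get(key, 1)   # unseen flow == state 1
        for rule in self.rules:
            if rule_matches(rule, pkt, state):
                if rule.post:
                    self.flows[key] = state | rule.post
                return (*ACTIONS[rule.action], rule.msg)
        return False, False, None

def run_scenario():
    """Constructed traffic: inside-initiated TCP handshake, a DNS exchange, then outside probes."""
    fw = Firewall(parse_rules(TABLE_25))
    inside, web, dns = ("192.168.50.10", 40000), ("203.0.113.5", 443), ("10.11.0.1", 53)
    steps = [
        Packet("c1", "tcp", *inside, *web, "S"),                # SYN out on c1        -> state 3
        Packet("c0", "tcp", *web, *inside, "SA"),               # SYN/ACK back on c0   -> state 7
        Packet("c1", "tcp", *inside, *web, "A"),                # established flow (S:4)
        Packet("c1", "udp", "192.168.50.10", 5353, *dns, ""),   # DNS query            -> state 9
        Packet("c0", "udp", *dns, "192.168.50.10", 5353, ""),   # DNS reply            -> state 25
        Packet("c0", "tcp", "203.0.113.5", 5555, "192.168.50.10", 80, "S"),    # no rule: dropped
        Packet("c0", "tcp", "203.0.113.5", 5556, "192.168.50.10", 22, "S"),    # ALLOWEDPORTS hole
        Packet("c0", "tcp", "203.0.113.5", 5557, "192.168.50.10", 22, "SAPU"), # deny rule
    ]
    return [fw.process(p) for p in steps], fw.flows
```

Calling run_scenario() returns the per-packet verdicts and the flow table; the outside SYN to port 80 matches nothing, the SYN to port 22 opens a new hole in state 3, and the SAPU packet falls through to the deny rule. One thing worth noticing when reading the table's rule order: "Z TCP flow allowed" carries no flags: option, so once a flow has reached state 4 any flag combination on that flow is accepted by it before the deny rules are consulted; the deny rules only catch malformed packets that belong to no established flow.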
