Overview

Firewall functionality analyzes and filters IP packets between network interfaces. The most common application of this functionality is to protect traffic between an internal network and the Internet. It lets you filter packets based on their characteristics and take an action on packets that match a rule. The Brocade vRouter firewall functionality provides the following features:

  • Packet filtering for traffic that traverses the router by using the in and out keywords on an interface

  • Definable criteria for packet-matching rules, including source IP address, destination IP address, source port, destination port, IP protocol, and Internet Control Message Protocol (ICMP) type

  • Ability to set the firewall globally for stateful or stateless operation

The vRouter firewall offers both IPv4 and IPv6 stateful packet inspection to intercept and inspect network activity and to allow or deny the attempt.

Firewall cannot be applied to outbound local traffic. It can only be applied to inbound interface traffic and forwarded outbound traffic.

Firewall and fragmented packets

An input firewall causes fragments to be reassembled. For both IPv4 and IPv6, if the packets arrive on an interface for which firewall is configured, the fragments are reassembled at the input before passing to the firewall. If all the fragments of a packet are not received, then the packet is dropped. The reassembled packet passes through the remainder of the forwarding path and firewall does not recognize fragments at either input or output. Passing through an output firewall (or DNAT/SNAT) also results in fragment reassembly before processing by the firewall or NAT rules.

Defining firewall instances

Firewalls filter packets on interfaces. Use of the firewall feature has two steps:

  1. Define a firewall instance and save it under a name. A firewall instance is also called a firewall ruleset, where a ruleset is simply an ordered series of firewall rules. You define the firewall instance and configure the rules in its ruleset in the firewall configuration node.

  2. Apply the instance to an interface by configuring the interface configuration node for the interface. After the instance is applied to the interface, the rules in the instance begin filtering packets on that location.

Firewall rules

Firewall rules specify the match conditions for traffic and the action to be taken if the match conditions are satisfied. Traffic can be matched on a number of characteristics, including source IP address, destination IP address, source port, destination port, IP protocol, and ICMP type.

Rules are executed in numeric sequence, according to the rule number, from lowest to highest. If the traffic matches the characteristics specified by a rule, the action of the rule is executed; if not, the system “falls through” to the next rule.

You can configure rules to match IPv4 ICMP, IPv6 ICMP, IPv6 routing header, or TCP without specifying the respective protocol, provided that a protocol-specific match option (for example, TCP flags or ICMP type) is present.

The action can be one of the following:

  • Accept: Traffic is allowed and forwarded.

  • Drop: Traffic is silently discarded.

To avoid having to renumber firewall rules, a good practice is to number rules in increments of 10. This increment allows room for the insertion of new rules within the ruleset.

Implicit action

When one or more named firewall rules (including the hidden rule used for default-action or default-log) are applied to an interface and a packet does not match any of the rules in a given direction, then the implicit actions occur. The implicit actions are a property of firewall rules having been applied to an interface, not a property of the rules as such.

When rules are present in one direction, there is an implicit action of drop for that direction. If any of the rules are stateful, there is an implicit drop action in the opposite direction even if no rules are present in the opposite direction. Despite this condition, stateful rules always allow for reverse direction stateful traffic to flow.

The security firewall name <name> default-action <action> and security firewall name <name> default-log commands use an explicit rule and as such will prevent implicit actions from occurring in the direction in which they are applied. Hence the use of these two commands is not recommended.

Exclusion rules

Note that you should take care in employing more than one “exclusion” rule, that is, a rule that uses the negation operator (exclamation mark [!]) to exclude a rule from treatment. Rules are evaluated sequentially, and a sequence of exclusion rules could result in unexpected behaviour.

Stateful firewall and connection tracking

On the firewall, connection tracking allows for stateful packet inspection.

Stateless firewalls filter packets in isolation based on static source and destination information. In contrast, stateful firewalls track the state of network connections and traffic flows and allow or restrict traffic based on whether its connection state is known and authorized. For example, when an initiation flow is allowed in one direction, the responder flow is automatically and implicitly allowed in the return direction. While typically slower under heavy load than stateless firewalls, stateful firewalls are better at blocking unauthorized communication.

By default, the vRouter firewall is stateless. If you want the firewall to remain stateless in general but track particular traffic, you can configure state rules within a specific ruleset. Alternatively, you can configure the firewall globally to operate statefully. For more information, refer to security firewall global-state-policy <protocol>.

For all protocols, the following are tracked for each session: interface, protocol, source address, and destination address. For ICMP, the ICMP identifier is also included. For TCP/UDP/UDP-Lite/DCCP/SCTP, the source and destination ports are also included.
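A runnable model of the behaviour described in the Firewall rules, Implicit action and connection-tracking sections above: rules execute lowest number first with first match winning, an implicit drop applies in any direction that has rules (and in the opposite direction whenever a stateful rule exists), and reverse-direction traffic of a tracked session is always allowed. This is an added example, not vRouter code; the Packet and Rule fields, the session key (protocol, addresses, ports) and the sample blk-ssh instance are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", relative to the interface
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    number: int
    action: str         # "accept" or "drop"
    match: dict         # constructed: field -> required value, e.g. {"proto": "tcp", "dport": 22}
    stateful: bool = False


class Interface:
    """Rule sets applied to one interface: {"in": [Rule, ...], "out": [Rule, ...]}."""

    def __init__(self, rulesets):
        # Rules are executed in numeric sequence, lowest rule number first.
        self.rulesets = {d: sorted(rs, key=lambda r: r.number) for d, rs in rulesets.items()}
        self.sessions = set()   # flows admitted by a stateful accept rule

    @staticmethod
    def _key(pkt, reverse=False):
        # Session key (constructed): protocol, addresses and ports, optionally mirrored.
        if reverse:
            return (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        return (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)

    def filter(self, pkt):
        # Reverse-direction traffic of a tracked session is always allowed.
        if self._key(pkt, reverse=True) in self.sessions:
            return "accept"
        rules = self.rulesets.get(pkt.direction, [])
        for rule in rules:                       # first match wins, otherwise fall through
            if all(getattr(pkt, f) == v for f, v in rule.match.items()):
                if rule.action == "accept" and rule.stateful:
                    self.sessions.add(self._key(pkt))
                return rule.action
        # Implicit action: drop when rules exist in this direction, or when a
        # stateful rule exists in the opposite direction.
        other = "out" if pkt.direction == "in" else "in"
        if rules or any(r.stateful for r in self.rulesets.get(other, [])):
            return "drop"
        return "accept"                          # no firewall on this path: unfiltered


# Constructed sample: the page's blk-ssh rule set applied inbound only.
BLK_SSH_IN = Interface({"in": [Rule(11, "drop", {"proto": "tcp", "dport": 22})]})
```

Note that with blk-ssh applied inbound on its own, inbound traffic to ports other than 22 is also dropped by the implicit action, since rules are present in that direction.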

TCP strict tracking

Applying firewall instances to interfaces

Interaction between firewall, NAT and routing

Control plane policing

Firewall denial of service protection

Maximum half-open sessions

Session rate limiting

DoS protection configuration considerations

Session and packet logging

Configuration examples

List of configuration examples based on protocol and port numbers

Block SSH -

name blk-ssh {
    rule 11 {
        action drop
        destination {
            port 22
        }
        protocol tcp
    }
}

Block HTTP/HTTPs -

name blk-http {
    rule 16 {
        action drop
        destination {
            port 80
        }
        protocol tcp
    }
}
name blk-https {
    rule 17 {
        action drop
        destination {
            port 443
        }
        protocol tcp
    }
}

Validation -

After applying the rule set to an interface -

sudo nc -vz -w 1 67.1.1.1 22
67-1-1-1.tcso.qwest.net [67.1.1.1] 22 (ssh) : Connection timed out

Before applying the firewall rule -

vyatta@danos-vnf1:~$ sudo nc -vz -w 1 67.1.1.1 22
67-1-1-1.tcso.qwest.net [67.1.1.1] 22 (ssh) open
vyatta@danos-vnf1:~$
