
IP Firewall Configuration Guide - Hewlett Packard
Source: whp-hou4.cold.extweb.hp.com/pub/networking/software/ProCurve-SR-IP...

Configuration Guide 5991-2119, April 2005
61195880L1-29.1B Printed in the USA

IP Firewall

Packet Filtering using Access Control Policies and Lists

This Configuration Guide is designed to provide you with a basic understanding of the concepts behind configuring your ProCurve Secure Router Operating System (SROS) product for IP firewall protection. For detailed information regarding specific command syntax, refer to the SROS Command Line Interface Reference Guide on your ProCurve SROS Documentation CD.

This guide consists of the following sections:
• Understanding IP Firewall Protection on page 2
• Configuring Your Secure Router on page 8
• Verifying Your Configuration Using Show Commands on page 17
• Managing Event Messages on page 19


Understanding IP Firewall Protection

Use the ip firewall command to enable SROS security features including access control policies (ACPs) and access control lists (ACLs), network address translation (NAT), and the stateful inspection firewall. Use the no form of this command to disable the security functionality.

Refer to the following sections for more information on the functionality enabled by this command:
• Firewall processing for all interfaces (refer to Firewall Processing on page 2)
• Network address translation (NAT) capabilities (refer to NAT on page 4)
• Stateful inspection firewall (refer to Stateful Policies versus Stateless Policies on page 5)
• Network traffic management when used in conjunction with ACLs and ACPs (refer to ACLs and ACPs on page 6)

Firewall Processing

Firewall processing protects the network by blocking attacks, filtering sessions from unrecognized origins, and monitoring session activity. The sections which follow describe this functionality in more detail.

Attack Protection

Detects and discards traffic that matches profiles of known networking exploits or attacks. Use the ip firewall command to enable firewall attack protection. The SROS blocks traffic matching patterns of known networking exploits from traveling through the device. Some of these attack checks may be manually disabled, while others are always on whenever the firewall is enabled.

Table 1 on page 3 outlines the types of traffic discarded by the firewall. Many attacks use similar invalid traffic patterns; therefore, attacks other than the examples listed in the table may also be blocked by the firewall.


Table 1. Traffic Blocked by Firewall Attack Protection Engine

| Invalid Traffic Pattern | SROS Firewall Response | Common Attacks |
|---|---|---|
| Larger than allowed packets | Any packets that are longer than those defined by standards will be dropped. | Ping of Death |
| Fragmented IP packets that produce errors when attempting to reassemble | The firewall intercepts all fragments for an IP packet and attempts to reassemble them before forwarding to the destination. If any problems or errors are found during reassembly, the fragments are dropped. | SynDrop, TearDrop, OpenTear, Nestea, Targa, Newtear, Bonk, Boink |
| Smurf Attack | The firewall drops any ping responses that are not part of an active session. | Smurf Attack |
| IP Spoofing | The firewall drops any packets with a source IP address that appears to be spoofed. The IP route table is used to determine if a path to the source address is known (out of the interface from which the packet was received). For example, if a packet with a source IP address of 10.10.10.1 is received on interface fr 1.16 and no route to 10.10.10.1 (through interface fr 1.16) exists in the route table, the packet is dropped. | IP Spoofing |
| ICMP Control Message Floods and Attacks | The following types of ICMP packets are allowed through the firewall: echo, echo-reply, TTL expired, dest unreachable, and quench. These ICMP messages are only allowed if they appear to be in response to a valid session. All others are discarded. | Twinge |
| Attacks that send TCP URG packets | Any TCP packets that have the URG flag set are discarded by the firewall. | Winnuke, TCP XMAS Scan |
| Falsified IP Header Attacks | The firewall verifies that the packet's actual length matches the length indicated in the IP header. If it does not, the packet is dropped. | Jolt/Jolt2 |
| Echo | All UDP echo packets are discarded by the firewall. | Char Gen |
| Land Attack | Any packets with the same source and destination IP addresses are discarded. | Land Attack |
| Broadcast Source IP | Packets with a broadcast source IP address are discarded. | |
| Invalid TCP Initiation Requests | TCP SYN packets that have the ACK, URG, RST, or FIN flags set are discarded. | |
| Invalid TCP Segment Number | The sequence numbers for every active TCP session are maintained in the firewall session database. If the firewall receives a segment with an unexpected (or invalid) sequence number, the packet is dropped. | |
| IP Source Route Option | All IP packets containing the IP source route option are dropped. | |


Session Initiation Control

Session initiation controls allow only sessions that match traffic patterns permitted by ACPs to be initiated through the router.

Ongoing Session Monitoring and Processing

The SROS continues monitoring session activity as described below:
• Each session that has been allowed through the router is monitored for any irregularities that match patterns of known attacks or exploits. Offending traffic is dropped.
• If NAT is configured, the firewall modifies all traffic associated with the session according to the translation rules defined in NAT ACPs.
• If sessions are inactive for a user-specified amount of time, the session is closed by the firewall.

Application-Specific Processing

Certain applications need special handling to work correctly in the presence of a firewall. SROS uses Application-level Gateways (ALGs) for these applications. ALGs understand protocols that do not integrate easily with NAT or firewalls, and they create the associations that allow these protocols to work transparently.

For example, the FTP ALG will not only create the associations to allow the control session (using TCP Port 21) to pass data, but will also create associations to allow the server-initiated data sessions to work (using TCP Port 20). This allows FTP clients to pass through the SROS firewall and ACPs without using passive mode. The SROS firewall includes ALGs for handling the following applications and protocols:
• AOL Instant Messenger
• VPN ALGs: ESP and IKE
• FTP
• H.323: H.245, Q.931, ASN.1 PER decoding and encoding
• ICQ
• IRC
• Microsoft Games
• Net2Phone
• PPTP
• Quake
• Real-Time Streaming Protocol
• SMTP
• HTTP

NAT

Network Address Translation (NAT) is an Internet Engineering Task Force (IETF) standard method of preserving Internet address space. Additionally, it can be used to hide the structure of server farms behind a router in order to provide bandwidth sharing to Web, FTP, and application servers. Details on NAT configuration are beyond the scope of this document. For more information, refer to the SROS Command Line Interface Reference Guide on your ProCurve SROS Documentation CD. This document is also available on the ProCurve Networking Web site (www.procurve.com).


Stateful Policies versus Stateless Policies

The SROS unit acts as an ALG and employs a stateful inspection firewall that protects an organization's network from common cyber attacks including TCP SYN-flooding, IP spoofing, ICMP redirect, land attacks, ping-of-death, and IP reassembly problems.

It is important to point out the differences between the operation of SROS stateful policies and stateless filters. For example, consider an application where a host located behind a firewall device initiates an outbound session to a server on the Internet. If the firewall is configured to use stateless filters, two or more filters must be defined to do the following:
• Allow the outbound traffic from the host to the Internet
• Allow inbound traffic (responses from the initiated session)

Typically, the inbound filter list needs to reject sessions initiated from the Internet, while allowing other responses to sessions initiated from the private network. Because the filter lists have no knowledge of the state of the session (sequence numbers, inactivity time, etc.), there is a possibility that an attacker will be able to “fool” the configured filter lists and direct malicious traffic through the firewall.

With stateful policies, however, a single policy is configured that permits the traffic from the host to be initiated to the Internet. The SROS stateful inspection firewall creates an association for this session and stores it in an internal database. When the server on the Internet sends a response back to the host, the SROS stateful inspection firewall recognizes that this traffic is associated with an allowed session and permits the traffic. Since the firewall has detailed knowledge about the current state of every session flowing through the device, it is much more difficult for an attacker to generate traffic that is not blocked by the firewall.

Session filtering based on inactivity may sometimes occur sooner than is desirable. Use the ip policy-timeout command to customize timeout intervals for protocols (TCP, UDP, ICMP) or specific services (by listing the particular port number). The default timeout for TCP protocols is 600 seconds, UDP protocols is 60 seconds, and ICMP is 60 seconds.

The following example creates customized policy timeouts for the following:
• WWW (Internet traffic using TCP Port 80): timeout 24 hours (86,400 seconds)
• Telnet (TCP Port 23): timeout 20 minutes (1200 seconds)
• FTP (TCP Port 21): timeout 5 minutes (300 seconds)
• All other TCP services: timeout 8 minutes (480 seconds)

(config)# ip policy-timeout tcp www 86400
(config)# ip policy-timeout tcp telnet 1200
(config)# ip policy-timeout tcp ftp 300
(config)# ip policy-timeout tcp all_ports 480
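The stateful session handling and the policy timeouts described in this section, modelled as an added example that is not part of the guide and not SROS code (the router's internal session database is not public): a table keyed on the 5-tuple of sessions initiated from the protected side, using the timeout values from the commands above. Host addresses and ports are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Idle timeouts in seconds, as set by the ip policy-timeout commands above.
# (proto, None) is the fallback for ports not listed (tcp all_ports, plus the
# documented UDP and ICMP defaults).
POLICY_TIMEOUT: Dict[Tuple[str, Optional[int]], int] = {
    ("tcp", 80): 86400,   # www
    ("tcp", 23): 1200,    # telnet
    ("tcp", 21): 300,     # ftp
    ("tcp", None): 480,   # all_ports
    ("udp", None): 60,
    ("icmp", None): 60,
}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def timeout_for(proto: str, dport: int) -> int:
    """Port-specific timeout if one was configured, else the protocol default."""
    return POLICY_TIMEOUT.get((proto, dport), POLICY_TIMEOUT[(proto, None)])


class SessionTable:
    """A stateful association database: one entry per session initiated from
    the protected side, keyed on the 5-tuple and stamped with last activity."""

    def __init__(self) -> None:
        self._sessions: Dict[tuple, int] = {}

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def open_outbound(self, p: Packet, now: int) -> None:
        """Called when the single allow policy admits an outbound initiation."""
        self._sessions[self._key(p)] = now

    def _expire(self, now: int) -> None:
        # Inactive sessions are closed once their service's timeout elapses.
        for key, last in list(self._sessions.items()):
            if now - last > timeout_for(key[0], key[4]):
                del self._sessions[key]

    def inbound_allowed(self, p: Packet, now: int) -> bool:
        """Inbound traffic passes only if it reverses a live session, so no
        second (inbound) filter is needed and unsolicited traffic is dropped."""
        self._expire(now)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self._sessions:
            self._sessions[reverse] = now   # activity refreshes the timer
            return True
        return False


def demo() -> Dict[str, bool]:
    """Constructed exchange: a LAN host opens HTTP and FTP control sessions to
    an Internet server; replies are checked at later times."""
    table = SessionTable()
    lan, srv = "63.12.5.10", "198.51.100.7"
    table.open_outbound(Packet("tcp", lan, 40000, srv, 80), now=0)
    table.open_outbound(Packet("tcp", lan, 40001, srv, 21), now=0)
    results = {}
    # Unsolicited packet from a different server: no matching session.
    results["unsolicited"] = table.inbound_allowed(
        Packet("tcp", "198.51.100.9", 80, lan, 40000), now=1)
    # FTP control reply after an hour: the 300 s ftp timeout has closed it.
    results["ftp_reply_after_1h"] = table.inbound_allowed(
        Packet("tcp", srv, 21, lan, 40001), now=3600)
    # HTTP reply after an hour: still inside the 86400 s www timeout.
    results["web_reply_after_1h"] = table.inbound_allowed(
        Packet("tcp", srv, 80, lan, 40000), now=3600)
    return results
```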


ACLs and ACPs

ACLs and ACPs regulate traffic through the routed network. When designing your traffic flow configuration, it is important to keep the following in mind:
• An ACL is inactive until it is assigned to an active ACP.
• An ACP is inactive until it is assigned to an interface.

Figure 1 illustrates the steps necessary for activating ACLs and ACPs.

Figure 1. Activating ACLs and ACPs

ACL: Create an ACL and define permissions:
(config)#ip access-list standard MATCHALL
(config-std-nacl)#permit any

ACP: Create an ACP and assign the ACL to it:
(config)#ip policy-class TRUSTED
(config-policy-class)#allow list MATCHALL

Interface: Assign the ACP to an interface:
(config)#interface eth 0/1
(config-eth 0/1)#access-policy TRUSTED

Access Control Lists (ACLs)

ACLs are used as packet selectors by ACPs. They must be assigned to an ACP in order to be active. ACLs are composed of an ordered list of entries. Each entry contains two parts: an action (permit or deny) and a packet pattern. A permit ACL is used to permit packets (meeting the specified pattern) to enter the router system. A deny ACL advances the SROS to the next ACP entry. The SROS provides two types of ACLs: standard and extended. Standard ACLs allow source IP address packet patterns only. Extended ACLs may specify patterns using most fields in the IP header and the TCP or UDP header.

Access Control Policies (ACPs)

ACPs are used to allow, discard, or manipulate (using NAT) data for each physical interface. Each ACP consists of a selector (i.e., an ACL) and an action (allow, discard, NAT). When packets are received on an interface, the configured ACPs are applied to determine whether the data is processed or discarded.

Both ACLs and ACPs are order-dependent. When a packet is evaluated, the matching engine begins with the first entry in the list and progresses through the entries until it finds a match. The first entry that matches is executed. They both have an implicit deny at the end of the list. Typically, the most specific entries should be at the top and the most general at the bottom.


Packet Flow

The Packet Flow section describes how packets are processed in several possible scenarios of ACP configuration.

Scenario 1: Packets traveling from an interface with an assigned ACP to any other interface

ACPs are applied when packets are received on an interface. If an interface has no assigned ACP, the interface allows all received traffic to pass through by default. If an interface has an assigned ACP, but the firewall has not been enabled with the ip firewall command, traffic flows normally from this interface with no ACP processing.

Scenario 2: Packets traveling in and out of a single interface with an assigned ACP

These packets are processed through the ACPs as if they are destined for another interface (identical to Scenario 1). Again, note that the ip firewall command must be enabled for ACP processing to take place.

Scenario 3: Packets traveling from an interface without an assigned ACP to an interface with an assigned ACP

These packets are routed normally and are not processed by the ACP.

Scenario 4: Packets traveling from an interface without an assigned ACP to another interface without an assigned ACP

This traffic is routed normally. The ip firewall command has no effect on this traffic other than to prevent attacks entering the interface.

[Packet flow diagram: Packet In -> Interface -> Association List -> Access Control Policies (permit, deny, NAT) -> Route Lookup -> Packet Out. The Access Control Policies stage is bypassed if there is a session hit or no ACP is configured on the interface.]


Configuring Your Secure Router

The remainder of this document provides examples designed to clarify the use of access policies. The following section, Creating and Assigning ACLs and ACPs on page 8, gives an overview of the four basic steps necessary when creating ACLs and ACPs.

Creating and Assigning ACLs and ACPs

Creating ACLs and ACPs to regulate traffic through the routed network requires four steps:

Step 1: Enable the security features of the SROS using the ip firewall command.

Step 2: Create an ACL (using the ip access-list command) and configure it to permit or deny specified traffic. Standard ACLs provide pattern matching for source IP addresses only. (Use extended ACLs for more flexible pattern matching.) IP addresses can be expressed in one of three ways:
• Using the keyword any to match any IP address.
• Using host <A.B.C.D> to specify a single host address. For example, entering permit host 196.173.22.253 allows all traffic from the host with an IP address of 196.173.22.253.
• Using the <A.B.C.D> <wildcard> format to match all IP addresses in a range. Wildcard masks work in reverse logic from a subnet mask: a one in the wildcard mask means "don't care." For example, entering permit 192.168.0.0 0.0.0.255 permits all traffic from the 192.168.0.0/24 network.

Step 3: Create an ACP using the ip policy-class command. Possible actions performed by the ACP are as follows:
• allow list <ACL names>: All packets passed by the ACL(s) entered are allowed to enter the router system.
• discard list <ACL names>: All packets passed by the ACL(s) entered are dropped from the router system.
• allow list <ACL names> policy <ACP name>: All packets passed by the ACL(s) entered and destined for the interface using the ACP listed are permitted to enter the router system. This allows configurations that permit packets to a single interface rather than the entire system.
• discard list <ACL names> policy <ACP name>: All packets passed by the ACL(s) entered and destined for the interface using the ACP listed are blocked from the router system. This allows configurations that deny packets on a specified interface.
• nat source list <ACL names> address <IP address> overload: All packets passed by the ACL(s) entered are modified to replace the source IP address with the entered IP address. The overload keyword allows multiple source IP addresses to be replaced with the single IP address entered. This hides private IP addresses from outside the local network.
• nat source list <ACL names> interface <interface> overload: All packets passed by the ACL(s) entered are modified to replace the source IP address with the primary IP address of the listed interface. The overload keyword allows multiple source IP addresses to be replaced with the single IP address of the specified interface. This hides private IP addresses from outside the local network.
• nat destination list <ACL names> address <IP address>: All packets passed by the ACL(s) entered are modified to replace the destination IP address with the entered IP address. The overload keyword is not an option when performing NAT on the destination IP address; each private address must have a unique public address. This hides private IP addresses from outside the local network.

Warning: Before applying an ACP to an interface, verify that your Telnet connection will not be affected by the policy. If a policy is applied to the interface you are connecting through and it does not allow Telnet traffic, your connection will be lost.

Step 4: Apply the ACP to an interface. To do this, enter access-policy <policy name> while in the desired interface's configuration mode. The following example assigns access policy MATCHALL to the Ethernet 0/1 interface:
(config)# interface ethernet 0/1
(config-eth 0/1)# access-policy MATCHALL
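The matching rules behind Steps 2 to 4 (ordered first-match ACL entries, wildcard masks, a deny entry advancing to the next ACP entry, and the implicit discard), modelled as an added example that is not the guide's or SROS's code. The ACLs MATCHALL and INWEB and the UNTRUSTED policy follow Example 2 later in this guide; LANHOSTS, NOTMGMT, the FILTERED policy and the 198.51.100.x addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "ip"
    src: str
    dst: str
    dport: int = 0


@dataclass(frozen=True)
class AclEntry:
    """One ACL entry: an action plus a packet pattern (Step 2 address forms)."""
    action: str                  # "permit" or "deny"
    src: str = "any"             # "any" | "host A.B.C.D" | "A.B.C.D W.W.W.W"
    proto: str = "ip"            # "ip" for a standard ACL; "tcp"/"udp" for extended
    dst: str = "any"
    dport: Optional[int] = None  # "eq <port>" in an extended ACL


@dataclass(frozen=True)
class AcpEntry:
    """One ACP entry: a selector (ACL name) and an action (Step 3)."""
    action: str                  # "allow", "discard" or "nat source"
    acl: str


def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """Wildcard masks use reverse logic from a subnet mask: a 1 bit means
    "don't care", so 0.0.0.255 matches a whole /24."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(pattern)) & care)


def addr_match(addr: str, spec: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    pattern, wildcard = spec.split()
    return wildcard_match(addr, pattern, wildcard)


def acl_match(entries: List[AclEntry], pkt: Packet) -> Optional[str]:
    """First matching entry wins; None models the implicit deny at the end."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (addr_match(pkt.src, e.src) and addr_match(pkt.dst, e.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return None


def apply_policy(policy: List[AcpEntry], acls: Dict[str, List[AclEntry]],
                 pkt: Packet) -> str:
    """Walk the ACP in order. The first entry whose ACL permits the packet
    fires. A deny match, or no match at all, advances to the next ACP entry;
    falling off the end is the ACP's implicit discard."""
    for entry in policy:
        if acl_match(acls[entry.acl], pkt) == "permit":
            return entry.action
    return "discard (implicit)"


# ACLs from Example 2 plus constructed ones using the Step 2 address forms.
ACLS = {
    "MATCHALL": [AclEntry("permit", "any")],
    "INWEB": [AclEntry("permit", "any", "tcp", "host 63.12.5.253", 80)],
    "LANHOSTS": [AclEntry("permit", "host 196.173.22.253"),
                 AclEntry("permit", "192.168.0.0 0.0.0.255")],
    # Hypothetical ACL: its deny entry does not drop the packet, it hands the
    # packet to the next ACP entry (here, discard list MATCHALL).
    "NOTMGMT": [AclEntry("deny", "host 198.51.100.9"), AclEntry("permit", "any")],
}
UNTRUSTED = [AcpEntry("allow", "INWEB"), AcpEntry("discard", "MATCHALL")]
FILTERED = [AcpEntry("allow", "NOTMGMT"), AcpEntry("discard", "MATCHALL")]


def demo() -> Dict[str, Optional[str]]:
    """Constructed packets arriving on the WAN side and what the rules decide."""
    web = Packet("tcp", "198.51.100.7", "63.12.5.253", 80)
    ssh = Packet("tcp", "198.51.100.7", "63.12.5.253", 22)
    mgmt = Packet("tcp", "198.51.100.9", "63.12.5.253", 80)
    return {
        "web_to_server": apply_policy(UNTRUSTED, ACLS, web),   # allow
        "ssh_to_server": apply_policy(UNTRUSTED, ACLS, ssh),   # discard
        "no_entries": apply_policy([], ACLS, ssh),             # discard (implicit)
        "deny_advances": apply_policy(FILTERED, ACLS, mgmt),   # discard
        "other_allowed": apply_policy(FILTERED, ACLS, web),    # allow
        "wildcard_in": acl_match(ACLS["LANHOSTS"], Packet("ip", "192.168.0.77", "10.0.0.1")),
        "wildcard_out": acl_match(ACLS["LANHOSTS"], Packet("ip", "192.168.1.77", "10.0.0.1")),
    }
```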

Configuration Examples

To illustrate these basic steps, the following configurations are given in detail as examples:
• Outbound Internet Access on page 10
  – Step-by-Step Configuration: Outbound Internet Access on page 10
  – Sample Script on page 11
• Inbound Internet Access on page 12
  – Step-by-Step Configuration: Inbound Internet Access on page 12
  – Sample Script on page 13
• Network Address Translation (NAT) on the WAN Interface on page 14
  – Step-by-Step Configuration: NAT on the WAN Interface on page 14
  – Sample Script on page 16

The first example demonstrates the router configuration for a simple network that allows the LAN to get to the Internet, but blocks unwanted traffic from the Internet. The second example shows how to modify the same configuration to allow traffic to a web server from the Internet. The third example explains how to further modify the configuration to perform NAT from the Internet.

Configuration steps for each example are provided in the tables which follow the configuration descriptions. You can follow the given steps by entering the command text shown in bold (modifying as needed for your application).

Note: These examples are given for your study and consideration only. They are meant to help you reach a better understanding of the fundamental concepts before configuring your own application. You will need to modify these examples to match your own network's configuration.

Use the sample scripts in this section as a shortcut to configuring your unit. Use the text tool in Adobe Acrobat to select and copy the scripts, paste them into any text editing program, modify as needed, and then paste them directly into your SROS command line.


Example 1: Outbound Internet Access

This is a simple network configuration using public IP addresses on the LAN. This configuration allows the LAN traffic to reach the Internet, but does not allow traffic from the Internet to reach the LAN (unless it matches the outbound sessions already created).

Table 2. Step-by-Step Configuration: Outbound Internet Access

| Step | Action | Command |
|---|---|---|
| 1 | Enter Enable Security mode. | >enable |
| 2 | Enter Global Configuration mode. | #configure terminal |
| 3 | Enable IP firewall functionality. | (config)#ip firewall |
| 4 | Create the ACL MATCHALL and enter the standard ACL command set. | (config)#ip access-list standard MATCHALL |
| 5 | Configure this ACL to permit all packets. | (config-std-nacl)#permit any |
| 6 | Exit to Global Configuration mode. | (config-std-nacl)#exit |
| 7 | Add a default route to the route table. | (config)#ip route 0.0.0.0 0.0.0.0 63.12.1.1 |
| 8 | Create the ACP TRUSTED and enter its access control policy command set. | (config)#ip policy-class TRUSTED |
| 9 | Configure this ACP to allow any traffic that matches the ACL MATCHALL to enter the router system. | (config-policy-class)#allow list MATCHALL |
| 10 | Exit to Global Configuration mode. | (config-policy-class)#exit |
| 11 | Create the ACP UNTRUSTED and enter its access control policy command set. | (config)#ip policy-class UNTRUSTED |
| 12 | Configure this ACP to discard any traffic that matches the ACL MATCHALL. | (config-policy-class)#discard list MATCHALL |
| 13 | Exit to Global Configuration mode. | (config-policy-class)#exit |
| 14 | Access configuration parameters for the Ethernet port. | (config)#interface eth 0/1 |
| 15 | Assign an IP address and subnet mask to the Ethernet port. | (config-eth 0/1)#ip address 63.12.5.254 255.255.255.0 |
| 16 | Apply the ACP TRUSTED to the Ethernet port. Note: Since the ACP TRUSTED allows anything matching ACL MATCHALL (and MATCHALL permits any traffic), all incoming packets to this interface will be allowed by this ACP. | (config-eth 0/1)#access-policy TRUSTED |
| 17 | Exit to Global Configuration mode. | (config-eth 0/1)#exit |
| 18 | Access configuration parameters for the PPP interface. | (config)#interface ppp 1 |
| 19 | Assign an IP address and subnet mask to the WAN interface. | (config-ppp 1)#ip address 63.12.1.2 255.255.255.248 |
| 20 | Apply the ACP UNTRUSTED to the WAN interface. Note: Since the ACP UNTRUSTED discards anything matching ACL MATCHALL (and MATCHALL permits any traffic), all incoming packets to this interface will be discarded by this ACP. | (config-ppp 1)#access-policy UNTRUSTED |
| 21 | Exit to Global Configuration mode. | (config-ppp 1)#exit |

Sample Script

!
ip firewall
ip route 0.0.0.0 0.0.0.0 63.12.1.1
ip access-list standard MATCHALL
  permit any
! - Create the Access-List "MATCHALL".
! - Permit any IP address.
!
ip policy-class TRUSTED
  allow list MATCHALL
! - Create the Policy-Class "TRUSTED".
! - For any interface using Policy-Class "TRUSTED" allow Access-List "MATCHALL".
! - Since the Policy-Class "TRUSTED" allows anything matching Access-List "MATCHALL"
! - and "MATCHALL" permits "Any", any incoming packets will be allowed by this
! - Policy-Class.
ip policy-class UNTRUSTED
  discard list MATCHALL
! - Create the Policy-Class "UNTRUSTED".
! - For any interface using Policy-Class "UNTRUSTED" discard Access-List "MATCHALL".
!
interface eth 0/1
  ip address 63.12.5.254 255.255.255.0
  access-policy TRUSTED
! - Apply the Policy-Class "TRUSTED" to the Ethernet interface.
!
interface ppp 1
  ip address 63.12.1.2 255.255.255.248
  access-policy UNTRUSTED
! - Apply the Policy-Class "UNTRUSTED" to the WAN interface.
! - Since the Policy-Class "UNTRUSTED" discards anything matching Access-List "MATCHALL"
! - and "MATCHALL" permits "Any", any incoming packets will be discarded by this
! - Policy-Class.

Example 2: Inbound Internet Access

This example is a simple network configuration using public IP addresses on the LAN. This configuration allows outbound access to the Internet and inbound access to the web server. This configuration is similar to the previous example (all changes are shown in bold text in the Sample Script on page 13).

Table 3. Step-by-Step Configuration: Inbound Internet Access

| Step | Action | Command |
|---|---|---|
| 1 | Enter Enable Security mode. | >enable |
| 2 | Enter Global Configuration mode. | #configure terminal |
| 3 | Enable IP firewall functionality. | (config)#ip firewall |
| 4 | Create the ACL MATCHALL and enter the standard ACL command set. | (config)#ip access-list standard MATCHALL |
| 5 | Configure this ACL to permit all packets. | (config-std-nacl)#permit any |
| 6 | Exit to Global Configuration mode. | (config-std-nacl)#exit |
| 7 | Create the extended ACL INWEB and enter the extended access-list command set. | (config)#ip access-list extended INWEB |
| 8 | Permit any TCP traffic with a destination address of 63.12.5.253 and a destination port of 80 (HTTP). | (config-ext-nacl)#permit tcp any host 63.12.5.253 eq 80 |
| 9 | Add a default route to the route table. | (config)#ip route 0.0.0.0 0.0.0.0 63.12.1.1 |
| 10 | Create the ACP TRUSTED and enter its access control policy command set. | (config)#ip policy-class TRUSTED |
| 11 | Configure this ACP to allow any traffic that matches the ACL MATCHALL to enter the router system. | (config-policy-class)#allow list MATCHALL |
| 12 | Exit to Global Configuration mode. | (config-policy-class)#exit |
| 13 | Create the ACP UNTRUSTED and enter its access control policy command set. | (config)#ip policy-class UNTRUSTED |
| 14 | Configure this ACP to allow any traffic that matches the ACL INWEB to enter the router system. | (config-policy-class)#allow list INWEB |
| 15 | Configure this ACP to discard any traffic that matches the ACL MATCHALL. Note: The ACP UNTRUSTED will now allow packets matching ACL INWEB (prior to discarding incoming packets matching the ACL MATCHALL). | (config-policy-class)#discard list MATCHALL |
| 16 | Exit to Global Configuration mode. | (config-policy-class)#exit |
| 17 | Access configuration parameters for the Ethernet port. | (config)#interface eth 0/1 |
| 18 | Assign an IP address and subnet mask to the Ethernet port. | (config-eth 0/1)#ip address 63.12.5.254 255.255.255.0 |
| 19 | Apply the ACP TRUSTED to the Ethernet port. Note: Since the ACP TRUSTED allows anything matching ACL MATCHALL (and MATCHALL permits any traffic), all incoming packets to this interface will be allowed by this ACP. | (config-eth 0/1)#access-policy TRUSTED |
| 20 | Exit to Global Configuration mode. | (config-eth 0/1)#exit |
| 21 | Access configuration parameters for the PPP interface. | (config)#interface ppp 1 |
| 22 | Assign an IP address and subnet mask to the WAN interface. | (config-ppp 1)#ip address 63.12.1.2 255.255.255.248 |
| 23 | Apply the ACP UNTRUSTED to the WAN interface. Note: Since the ACP UNTRUSTED discards anything matching ACL MATCHALL (and MATCHALL permits any traffic), all incoming packets to this interface will be discarded by this ACP. | (config-ppp 1)#access-policy UNTRUSTED |
| 24 | Exit to Global Configuration mode. | (config-ppp 1)#exit |

Sample Script

!
ip firewall
ip access-list standard MATCHALL
  permit any
!
ip access-list extended INWEB
  permit tcp any host 63.12.5.253 eq 80
! - Create Extended Access-List "INWEB".
! - Permit any TCP traffic with a destination address of 63.12.5.253 and a destination port of 80 (HTTP).
!
ip route 0.0.0.0 0.0.0.0 63.12.1.1
!
ip policy-class TRUSTED
  allow list MATCHALL
!
ip policy-class UNTRUSTED
  allow list INWEB
  discard list MATCHALL
! - Allow any traffic that matches Access-List "INWEB",
! - before discarding any traffic that matches Access-List "MATCHALL".
!
interface eth 0/1
  ip address 63.12.5.254 255.255.255.0
  access-policy TRUSTED
!
interface ppp 1
  ip address 63.12.1.2 255.255.255.248
  access-policy UNTRUSTED

Example 3: Network Address Translation (NAT) on the WAN Interface

This example is a simple network using private IP addresses on the LAN and providing NAT on the WAN interface to the Internet. The configuration allows the LAN traffic to reach the Internet by performing NAT. Traffic from the Internet is discarded unless it matches the outbound sessions already created (or has a destination address and port that match the web server). Changes to the previous configuration are shown in bold text in the Sample Script on page 16.

Table 4. Step-by-Step Configuration: NAT on the WAN Interface

Step Action Command

1 Enter Enable Security mode.

>enable

2 Enter Global Configuration mode.

#configure terminal

3 Enable IP firewall functionality.

(config)#ip firewall

4 Create the ACL MATCHALL and enter the standard access-list command set.

(config)#ip access-list standard MATCHALL

5 Permit all packets through the configured ACL.

(config-std-nacl)#permit any

6 Exit to Global Configuration mode.

(config-std-nacl)#exit

7 Create the extended ACL INWEB and enter the extended access-list command set.

(config)#ip access-list extended INWEB

8 Permit any TCP traffic with a destination address of 63.12.1.3 and a destination port of 80 (HTTP).

(config-ext-nacl)#permit tcp any host 63.12.1.2 eq 80

9 Add a default route to the route table.

(config)#ip route 0.0.0.0 0.0.0.0 63.12.1.1

10 Create the ACP TRUSTED and enter its ACP command set.

(config)#ip policy-class TRUSTED

11 Enable NAT for traffic that matches the ACL MATCHALL and change the source address to 63.12.1.2.

(config-policy-class)#nat source list MATCHALL address 63.12.1.2 overload

12 Exit to Global Configuration mode.

(config-policy-class)#exit

13 Create the ACP UNTRUSTED and enter its ACP command set.

(config)#ip policy-class UNTRUSTED

14 Enable NAT for traffic that matches the ACL INWEB and change the destination address to 192.168.0.253.

(config-policy-class)#nat destination list INWEB address 192.168.0.253

15 Configure this ACP to discard any traffic that matches the ACL MATCHALL.

(config-policy-class)#discard list MATCHALL

16 Exit to Global Configuration mode.

(config-policy-class)#exit

17 Access configuration parameters for the Ethernet port.

(config)#interface eth 0/1

18 Assign an IP address and subnet mask to the Ethernet port.

(config-eth 0/1)#ip address 192.168.0.254 255.255.255.0

19 Apply the ACP TRUSTED to the Ethernet port.

(config-eth 0/1)#access-policy TRUSTED

Note: Since the ACP TRUSTED source-NATs, and thereby allows, anything matching ACL MATCHALL (and MATCHALL permits any traffic), all incoming packets to this interface will be allowed by this ACP.

20 Exit to Global Configuration mode.

(config-eth 0/1)#exit

21 Access configuration parameters for the PPP interface.

(config)#interface ppp 1

22 Assign an IP address and subnet mask to the PPP interface.

(config-ppp 1)#ip address 63.12.1.2 255.255.255.248

23 Apply the ACP UNTRUSTED to the WAN interface.

(config-ppp 1)#access-policy UNTRUSTED

Note: Since the ACP UNTRUSTED discards anything matching ACL MATCHALL (and MATCHALL permits any traffic), every incoming packet on this interface that does not match the earlier INWEB entry (or an existing outbound session) will be discarded by this ACP.

24 Exit to Global Configuration mode.

(config-ppp 1)#exit


Sample Script

!
ip firewall
!
ip access-list extended INWEB
  permit tcp any host 63.12.1.3 eq 80
! - Create Extended Access-List “INWEB”
! - Allow any TCP traffic with a destination address of 63.12.1.3 with a destination port of 80 (HTTP).
!
ip route 0.0.0.0 0.0.0.0 63.12.1.1
!
ip policy-class TRUSTED
  nat source list MATCHALL address 63.12.1.2 overload
! - Enable NAT for traffic that matches Access-List “MATCHALL” and change
! - the source address to 63.12.1.2
ip policy-class UNTRUSTED
  nat destination list INWEB address 192.168.0.253
  discard list MATCHALL
! - Enable NAT for traffic that matches Access-List “INWEB” and change
! - the destination address to 192.168.0.253.
!
ip access-list standard MATCHALL
  permit any
interface eth 0/1
  ip address 192.168.0.254 255.255.255.0
  access-policy TRUSTED
! - The IP address is changed to the private address scheme.
!
interface ppp 1
  ip address 63.12.1.2 255.255.255.248
  access-policy UNTRUSTED
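The following Python model is an added example, not SROS code and not part of this guide. It simulates how the two ACPs of Example 3 evaluate packets the way the guide describes: entries are checked top to bottom and the first match wins, outbound traffic that is source-NATed creates a session, and traffic arriving on the WAN side is accepted only if it belongs to an existing session or matches the INWEB entry. The addresses and ACL/ACP names come from the Sample Script above (it uses 63.12.1.3 as the web server's public address); the classes, function names, the implicit-discard fallback for an ACP with no matching entry, and the sequential NAT port allocation are assumptions made for the example.

```python
"""Simulation of Example 3: ACP TRUSTED on the LAN, ACP UNTRUSTED on the WAN.

Added example, not SROS code. Implicit discard and port allocation are assumed.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# ACLs --------------------------------------------------------------------
def acl_matchall(p: Packet) -> bool:
    """ip access-list standard MATCHALL: permit any"""
    return True


def acl_inweb(p: Packet) -> bool:
    """ip access-list extended INWEB: permit tcp any host 63.12.1.3 eq 80"""
    return p.proto == "tcp" and p.dst == "63.12.1.3" and p.dport == 80


# ACPs as ordered (action, acl, argument) entries; order is significant ----
TRUSTED = [("nat-source", acl_matchall, "63.12.1.2")]
UNTRUSTED = [("nat-destination", acl_inweb, "192.168.0.253"),
             ("discard", acl_matchall, None)]

# (proto, wan src, wan sport, dst, dport) as seen from the WAN side
SessionKey = Tuple[str, str, int, str, int]


class Firewall:
    def __init__(self) -> None:
        self.sessions: Dict[SessionKey, Tuple[str, int]] = {}
        self._next_nat_port = 20000  # assumed "overload" port allocation

    def _session_match(self, p: Packet) -> Optional[Packet]:
        """Return the un-translated packet if p is a reply to a known session."""
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.sessions:
            priv_src, priv_sport = self.sessions[key]
            return replace(p, dst=priv_src, dport=priv_sport)
        return None

    def _apply(self, entries, p: Packet) -> Tuple[str, Optional[Packet]]:
        for action, acl, arg in entries:
            if not acl(p):
                continue
            if action == "discard":
                return "discard", None
            if action == "nat-source":
                nat_port = self._next_nat_port
                self._next_nat_port += 1
                out = replace(p, src=arg, sport=nat_port)
                # remember the session so the reply is accepted on the WAN side
                self.sessions[(out.proto, out.src, out.sport,
                               out.dst, out.dport)] = (p.src, p.sport)
                return "nat-source", out
            if action == "nat-destination":
                return "nat-destination", replace(p, dst=arg)
            if action == "allow":
                return "allow", p
        return "discard", None  # assumed: no matching entry means discard

    def inbound_lan(self, p: Packet) -> Tuple[str, Optional[Packet]]:
        """Packet entering eth 0/1, governed by ACP TRUSTED."""
        return self._apply(TRUSTED, p)

    def inbound_wan(self, p: Packet) -> Tuple[str, Optional[Packet]]:
        """Packet entering ppp 1: existing sessions first, then ACP UNTRUSTED."""
        reply = self._session_match(p)
        if reply is not None:
            return "session", reply
        return self._apply(UNTRUSTED, p)


def demo() -> dict:
    """Run constructed sample traffic through the model and collect verdicts."""
    fw = Firewall()
    out_http = Packet("tcp", "192.168.0.10", 40000, "198.51.100.7", 80)
    verdict, translated = fw.inbound_lan(out_http)
    reply = Packet("tcp", "198.51.100.7", 80, translated.src, translated.sport)
    web_in = Packet("tcp", "203.0.113.9", 51515, "63.12.1.3", 80)
    telnet_in = Packet("tcp", "203.0.113.9", 51516, "63.12.1.2", 23)
    return {
        "outbound": (verdict, translated.src),
        "reply": fw.inbound_wan(reply)[0],
        "web": fw.inbound_wan(web_in),
        "telnet": fw.inbound_wan(telnet_in)[0],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The model makes the ordering point of steps 14 and 15 concrete: swapping the two UNTRUSTED entries would make `discard list MATCHALL` match first and the web server would never receive a packet.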


Verifying Your Configuration Using Show Commands

Use the following SROS show commands to display information regarding your configuration. Enter show commands at any prompt using the do command.

For example: (config-eth 0/1)#do show ip policy-session

Table 5. Show Commands

Command: show ip access-list
Description: Displays all configured IP ACLs in the system.
Sample Output:

  Standard IP access list MATCHALL
    permit 192.168.1.0, wildcard bits 0.0.0.255 (31337 matches)
  Standard IP access list SERVER1_OUT
    permit host 192.168.1.100 (0 matches)
  Extended IP access list CORPORATE_TRAFFIC
    permit ip 192.168.1.0, wildcard bits 0.0.0.255 192.168.3.0, wildcard bits 0.0.0.255 (432829 matches)
  Extended IP access list CORPORATE_TRAFFIC_IN
    permit ip 192.168.3.0, wildcard bits 0.0.0.255 192.168.1.0, wildcard bits 0.0.0.255 (2194 matches)
  Extended IP access list REMOTE_USER_TRAFFIC
    permit ip 192.168.1.0, wildcard bits 0.0.0.255 10.10.10.0, wildcard bits 0.0.0.255 (178 matches)
  Extended IP access list REMOTE_USER_TRAFFIC_IN
    permit ip 10.10.10.0, wildcard bits 0.0.0.255 192.168.1.0, wildcard bits 0.0.0.255 (11 matches)

Command: show ip policy-class
Description: Displays a list of currently configured ACPs.
Sample Output:

  ip policy-class max-sessions 30000
  Policy-class “TRUSTED”: 1 current sessions (10000 max)
    Entry 1 - allow list CORPORATE_TRAFFIC
    Entry 2 - allow list REMOTE_USER_TRAFFIC
    Entry 3 - nat source list SERVER1_OUT address 141.158.13.58 overload
    Entry 4 - nat source list MATCHALL address 141.158.13.62 overload
  Policy-class “UNTRUSTED”: 2 current sessions (10000 max)
    Entry 1 - allow list CORPORATE_TRAFFIC_IN
    Entry 2 - allow list REMOTE_USER_TRAFFIC_IN


Command: show ip policy-session
Description: Displays a list of current ACP associations.
Sample Output:

  Protocol (TTL)  Src IP Address  Src Port  Dest IP Address  Dst Port  NAT IP Address  NAT Port
  ---------------------------------------------------------------------------------------------
  Policy class “TRUSTED”:
  tcp (523)       192.168.1.70    3790      152.155.209.24   80s       141.160.13.62   29008
  Policy class “UNTRUSTED”:
  tcp (600)       208.25.151.99   1141      141.158.56.142   23
  Policy class “self”:
  Policy class “default”:

Command: show ip policy-stats
Description: Displays a list of current ACP statistics.
Sample Output:

  Global 3 current sessions (30000 max)
  Policy-class “TRUSTED”: 1 current sessions (10000 max)
    Entry 1 - allow list CORPORATE_TRAFFIC
      10211717 in bytes, 1184 out bytes, 1140 hits
    Entry 2 - allow list REMOTE_USER_TRAFFIC
      0 in bytes, 0 out bytes, 0 hits
    Entry 3 - nat source list SERVER1_OUT address 141.158.56.58 overload
      0 in bytes, 0 out bytes, 0 hits
    Entry 4 - nat source list MATCHALL address 141.158.56.62 overload
      66422200 in bytes, 230583087 out bytes, 31332 hits
  Policy-class “UNTRUSTED”: 2 current sessions (10000 max)
    Entry 1 - allow list CORPORATE_TRAFFIC_IN
      1306324 in bytes, 139295 out bytes, 2194 hits
    Entry 2 - allow list REMOTE_USER_TRAFFIC_IN
      1051 in bytes, 128 out bytes, 11 hits
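Polling show commands by hand is fine for a one-off check, but the per-entry counters in show ip policy-stats are also the quickest way to spot a rule that never fires or a session pool filling up. The parser below is an added example, not SROS code or part of this guide. The sample text is transcribed from the Table 5 output for show ip policy-stats with its line breaks restored; the regular expressions, the result layout and the two check functions are assumptions about the output format made for this example.

```python
"""Parse 'show ip policy-stats' text and flag unused entries and crowded session pools.

Added example, not SROS code. Regular expressions are this example's assumptions.
"""
import re
from typing import Dict, List

# Constructed from the guide's Table 5 sample output (line breaks restored).
SAMPLE = """\
Global 3 current sessions (30000 max)
Policy-class "TRUSTED": 1 current sessions (10000 max)
  Entry 1 - allow list CORPORATE_TRAFFIC
    10211717 in bytes, 1184 out bytes, 1140 hits
  Entry 2 - allow list REMOTE_USER_TRAFFIC
    0 in bytes, 0 out bytes, 0 hits
  Entry 3 - nat source list SERVER1_OUT address 141.158.56.58 overload
    0 in bytes, 0 out bytes, 0 hits
  Entry 4 - nat source list MATCHALL address 141.158.56.62 overload
    66422200 in bytes, 230583087 out bytes, 31332 hits
Policy-class "UNTRUSTED": 2 current sessions (10000 max)
  Entry 1 - allow list CORPORATE_TRAFFIC_IN
    1306324 in bytes, 139295 out bytes, 2194 hits
  Entry 2 - allow list REMOTE_USER_TRAFFIC_IN
    1051 in bytes, 128 out bytes, 11 hits
"""

# The printed output uses curly quotes; accept straight or curly.
GLOBAL_RE = re.compile(r'^Global (?P<cur>\d+) current sessions \((?P<max>\d+) max\)')
CLASS_RE = re.compile(r'^Policy-class ["\u201c](?P<name>[^"\u201d]+)["\u201d]: '
                      r'(?P<cur>\d+) current sessions \((?P<max>\d+) max\)')
ENTRY_RE = re.compile(r'^\s*Entry (?P<num>\d+) - (?P<rule>.+)$')
STATS_RE = re.compile(r'^\s*(?P<in>\d+) in bytes, (?P<out>\d+) out bytes, (?P<hits>\d+) hits')


def parse_policy_stats(text: str) -> dict:
    """Return {"global": {...}, "classes": {name: {"sessions", "max", "entries": [...]}}}."""
    stats: dict = {"global": {}, "classes": {}}
    current = None
    entry = None
    for line in text.splitlines():
        m = GLOBAL_RE.match(line)
        if m:
            stats["global"] = {"sessions": int(m["cur"]), "max": int(m["max"])}
            continue
        m = CLASS_RE.match(line)
        if m:
            current = {"sessions": int(m["cur"]), "max": int(m["max"]), "entries": []}
            stats["classes"][m["name"]] = current
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            entry = {"num": int(m["num"]), "rule": m["rule"].strip(),
                     "in_bytes": 0, "out_bytes": 0, "hits": 0}
            current["entries"].append(entry)
            continue
        m = STATS_RE.match(line)
        if m and entry is not None:
            entry.update(in_bytes=int(m["in"]), out_bytes=int(m["out"]), hits=int(m["hits"]))
    return stats


def unused_entries(stats: dict) -> List[str]:
    """Entries with zero hits: worth reviewing for a stale rule or a mistyped ACL."""
    return [f'{name}/{e["num"]}'
            for name, cls in stats["classes"].items()
            for e in cls["entries"] if e["hits"] == 0]


def near_ceiling(stats: dict, threshold: float = 0.8) -> List[str]:
    """Session pools at or above threshold * max.

    The 80% figure mirrors the guide's 'Crossed 80%% of resource. Possible
    flooding (TCP)' event, so this catches the condition from polled output.
    """
    pools: Dict[str, dict] = {"global": stats["global"], **stats["classes"]}
    return [name for name, pool in pools.items()
            if pool and pool["sessions"] >= threshold * pool["max"]]


if __name__ == "__main__":
    parsed = parse_policy_stats(SAMPLE)
    print("unused entries:", unused_entries(parsed))
    print("pools near ceiling:", near_ceiling(parsed))
```

Feed it the output captured from a terminal session (or from do show ip policy-stats inside a configuration prompt); the only format assumption is the line shapes shown in Table 5.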


Managing Event Messages

The SROS provides multiple levels of event messages. You can manage these messages in several ways, based on their assigned priority level. The levels are listed below, from least to most critical.

There are two management options for the event messages displayed on the console. The default behavior is to display levels 0 to 3 (i.e., Notice, Warning, Error, and Fatal messages). To display all levels, turn debug on (using the debug firewall command). If you turn debug off (no debug firewall), you fall back to displaying levels 0 to 3 (i.e., everything but Information and Debug).

There are additional management options available for event history storage, email notification, and syslog forwarding. If the event history storage is enabled (using the event-history on command), by default the SROS logs all messages with priority levels 0 through 3 (i.e. Notice, Warning, Error, and Fatal messages). You can use the following commands to change the default behavior and set an explicit priority level for the following options:

• event-history priority <priority level#>: Sets the threshold for events stored in the event history. The event log is displayed using the show event-history command.
• logging email priority-level <priority level#>: Sets the threshold for events sent to the configured email addresses (specified using the logging email address-list command).
• logging forwarding priority-level <priority level#>: Sets the threshold for events sent to the configured syslog server (specified using the logging forwarding receiver-ip command).

When setting the <priority level#>, keep the following in mind:

• When priority 4 is selected, all events (priorities 0 through 4) are logged.
• When priority 3 is selected, events with priority 3, 2, 1, or 0 are logged.
• When priority 2 is selected, events with priority 2, 1, or 0 are logged.
• When priority 1 is selected, events with priority 1 or 0 are logged.
• When priority 0 is selected, only events with priority 0 are logged.

Table 6 on page 20 provides a list of event messages related to the firewall (along with the designated priority levels).

Priority Level Number Priority Level

5 Debug

4 Information

3 Notice

2 Warning

1 Error

0 Fatal
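The threshold rule above is easy to get backwards (a higher number means more, not less, is logged). The Python below is an added example, not SROS code or part of this guide: it encodes the priority table and the rule that a setting of N keeps every event whose priority number is N or lower, then shows what the console, the event history, email and syslog each receive. The sample events are rows from Table 6; the class, function and destination names are this example's own.

```python
"""Event-message thresholds from 'Managing Event Messages'.

Added example, not SROS code. Destination names and function names are assumed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Priority numbers from the guide's table (0 is the most critical).
PRIORITY = {"Fatal": 0, "Error": 1, "Warning": 2,
            "Notice": 3, "Information": 4, "Debug": 5}

CONSOLE_DEFAULT_LEVEL = 3  # levels 0-3 are shown when 'debug firewall' is off
CONSOLE_DEBUG_LEVEL = 5    # 'debug firewall' shows every level


@dataclass(frozen=True)
class Event:
    message: str
    level: str


# Constructed sample: messages and levels taken from Table 6.
SAMPLE_EVENTS = [
    Event("Possible Land Attack detected, dropping packet", "Error"),
    Event("Access Policy not found, dropping packet", "Warning"),
    Event("Ceiling for number of connections reached, dropping packet", "Notice"),
    Event("Deny Access Policy matched, dropping packet", "Information"),
    Event("Nat Port not available", "Debug"),
]


def select(events: Iterable[Event], level: int) -> List[Event]:
    """Events kept by a destination whose priority level is set to `level`."""
    return [e for e in events if PRIORITY[e.level] <= level]


def console_view(events: Iterable[Event], debug_firewall: bool) -> List[str]:
    """What the console shows with 'debug firewall' on or off."""
    level = CONSOLE_DEBUG_LEVEL if debug_firewall else CONSOLE_DEFAULT_LEVEL
    return [e.message for e in select(events, level)]


def fan_out(events: Iterable[Event], thresholds: Dict[str, int]) -> Dict[str, List[str]]:
    """Map each destination to the messages it receives.

    `thresholds` holds the values given to 'event-history priority',
    'logging email priority-level' and 'logging forwarding priority-level'.
    """
    events = list(events)
    return {dest: [e.message for e in select(events, lvl)]
            for dest, lvl in thresholds.items()}


def minimum_level_to_capture(events: Iterable[Event], message: str) -> int:
    """Lowest priority setting at which the named message is still logged."""
    for e in events:
        if e.message == message:
            return PRIORITY[e.level]
    raise KeyError(message)


if __name__ == "__main__":
    print("console (debug off):", console_view(SAMPLE_EVENTS, False))
    print(fan_out(SAMPLE_EVENTS, {"event-history": 4, "email": 1, "syslog": 2}))
```

A practical reading of the model: the "Deny Access Policy matched, dropping packet" message is Information (level 4), so neither the console default nor an event-history priority of 3 will record policy drops; a syslog threshold of at least 4 is needed to see them centrally.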


Table 6. Firewall Events

Event Message Priority Level

Modified Ack: <#> Debug
  *Generated with changes to an incoming ACK.

Attempt to login with a wrong name <username> from <ip address> Debug

Attempt to login through browser by <username> from <ip address> Debug

Invalid password supplied by <username> from <ip address> Debug

Attempt to login through Site Authentication by <username> Debug

Unable to allocate memory for RTSP Control Connection Debug

No memory for RTSP control connection Debug

No Empty record to store new data Debug

Nat Port not available Debug

Unexpected End of packet Debug

Client Port and NatPort do not match Debug

Unable to create new connection Debug

IGWbuf allocation failed Debug
  *Generated when buffer allocation fails.

Memory not allocated for RTSP data connection Debug

NatPort and Client ports do not match Debug

Unable to allocate memory for RTSP Data connection Debug

Error in creating new connection Debug

Attacks: SynAck: No memory buffers Debug

Attacks: SynAck: Header formation error Debug

ADCreateAssoc: This should not happen Error
  *Generated with an invalid user name on a dynamic NAT address.

ADCreateAssoc: Failure in getting IpAddress from Dim Error

UDB found bad user name while retrieving from DBM Error

UDB failed in allocating memory while loading Error

UDB failed in allocating memory for New User Error

<username> is an invalid user Error

Invalid password, auth failed for user <username> Error

Authentication failed for user <username> Error

UDB got an authentication req for user name: <username> Error

Auth successful for <username> :: priv: <privilege level> Incat tmr: <#> Error


IGWIpYankHdr : Count in IGWbuf < IGW_IPLEN Error
  *Generated when the unit receives packets with an invalid IP header length.

IpYankHdr : IGWbuf too small to yank IP hdr Error
  *Generated when the unit receives packets with an invalid IP header length.

IGWIpYankHdr : Checksum returned error Error
  *Generated with an invalid checksum.

IpYankHdr : Length in IP datagram < IP hdr len Error

\nISStatsInit: Failed to set current time Error

Attacks: SendAck: Unable to form IpHdr Error

Crossed 80%% of resource. Possible flooding (TCP) Error

Original Src %s Dst %s TCP Src:%lu Dst:%lu, dropping packet Error
  *Generated when logging ICMP messages.

Original Src %s Dst %s UDP Src:%ld Dst:%ld, dropping packet Error
  *Generated when logging ICMP messages.

Original Src %s Dst %s ICMP Type:%d, dropping packet Error
  *Generated when logging ICMP messages.

ICMP error message contains less data than expected (possible attack), dropping packet Error

Dropping ICMP packet of type %d Error

Packet with unsupported IP Protocol received, dropping packet Error

Possible Land Attack detected, dropping packet Error

Unable to find route for source, dropping packet Error

Spoofing detected, dropping packet Error

Source IP is a broadcast address, dropping packet Error

Unable to determine route to destination, dropping packet Error

TCP connection request received is invalid, dropping packet Error

Invalid ack value received for connection, dropping packet Error

UDP echo response received for uninitiated echo request (possible smurf attack), dropping packet Error

Echo response for uninitiated echo request (possible smurf attack), dropping packet Error

Packet with unsupported IP Protocol received, dropping packet Error

General attack detected, dropping packet Error

Terminating connection as WinNuke Attack detected, OOB packet Error

Invalid sequence number received with Reset, dropping packet Error

Zero bytes transferred for connection Error

Data connection not established from remote Error


Attempt to login with a wrong name %s from %s Error

Attempt to login through browser by %s from %s Error

Invalid password supplied by %s from %s Error

User %s logged in from %s Error

Attempt to login through Site Authentication by %s Error

Ping of Death attack found Error

Length in IP Header > Data length. Possible JOLT attack Error

Reassembly is currently disabled Error

IpReassembly Fragment count exceeds max limit Error

IpReassembly Datagram size exceeds max limit Error

IpReassembly time out Error

IP Spoofing check bypassed for RIP packet Information

Packet out of order Information

Dropping out of order packet Information

Incoming NatIp <ip address> Information

GetPortMap failed. Exiting function. Information

date =%s Information
  *Generated when showing last login data.

time = %S Information
  *Generated when showing last login data.

UDBVerifyUser:Authenticating user from user data base Information

Attacks: SendAck: IpHdr formed successfully Information

Attacks: SendAck: Source = %lx Destination = %lx Cnt = %d Information

IGWBuf in Firewall is %x Information
  *Generated when showing firewall buffer.

Deny Access Policy matched, dropping packet Information

Bytes transferred for connection: %lu Information

Unable to allocate memory for NAT portmap (%lx->%lx) Notice

Attempt to de-register port map for unavailable NIP %lx-%lx Notice

Something went wrong in function ADLDelNatPort Notice
  *Generated when listen port is null.

Unable to get PortMap for NAT %lx Port %d Notice

ADAlgRegisterNatPorts:Invalid Range StartPort %ld EndPort %ld Notice

ADAlgRegisterNatPorts:Trying to register twice. AlgId %d Protocol %d Notice


ADAlgRegisterNatPorts:Some ports in the specified Range already Registered AlgId %d Protocol %d StartPort %ld EndPort %ld Notice

ADAlgRegisterNatPorts: Unable to get memory Notice

Ceiling for number of connections reached, dropping packet Notice

Maximum connections to box reached, dropping packet Notice

Memory allocation for connection failed, dropping packet Notice

Send Syn to corporate network failed Notice

Received DHCP request Notice

Unable to send syn packet Notice

Attempt to release incorrect TCP nat port Notice

Attempt to release incorrect UDP nat port Notice

Attempt to release incorrect ICMP nat port Notice

Unable to get Port for Protocol %d Notice

Unable to get PortMap for NAT %lx:%ld Port %u Notice

Unable to free Unknown Protocol NAT port for %lx:%ld Notice

Unable to free TCP NAT port for %lx:%ld Notice

Unable to free UDP NAT port for %lx:%ld Notice

Unable to free ICMP NAT port for %lx:%ld Notice

Unable to free GRE NAT port for %lx:%ld Notice

Memory allocation for AppRegister failed Notice

H.323:Failed to Allocate Nat Port Notice

H.323:Failed to Create memory for pH323_T120 Notice

H.323:Failed to Create memory for pH323_RtpRtcp Notice

H.323:Failed to make connection for H323T120 Notice

H.323:Failed to make connection for H323RtpRtcp Notice

H.323:Failed to Allocate Memory for H323T120 Notice

Ftp ALG Alloc Entry Failed! Notice

Invalid FTP PASV cmd reply seen, dropping packet Notice

FTP Get port failed Notice

H.323:Registration Failed because InitPerBuffers Failed Notice

H.323: Unable to get Nat port Notice

H.323:Failed to Allocate memory for H323_H245 Connection Notice

H.323:Failed to make H323_H245 Connection Notice


N2P ALG Alloc Entry Failed! Notice

Pptp Alloc Entry Failed! Notice

Rpc Alloc Entry Failed! Notice

RPC Program Number %lu denied Notice

Stored RPC transaction Id doesn't match server response, dropping packet Notice

RPC Server's response is undecipherable, dropping packet Notice

IRC:Failed to allocate memory for IRC connection Notice

IRC:No of Messages are more than MAX_IRC_REQUESTS Notice

IRC:Size of Message is more than MAX_IRCSIZE Notice

IRC:Something wrong 1 Notice
  *Generated when too much data is present.

IRC:Something gone wrong in Notice Message Notice
  *Generated when too much data is present.

IRC:Something wrong 2 Notice
  *Generated when too much data is present.

IRC:Unable to Allocate memory for IRCData Notice

IRC:Unable to create dynamic association for IRC Notice

IRC:Unable to create IGWbuf for IRC Notice

RTSP:Failed to allocate memory for RTSP connection Notice

RTSP:Failed to allocate IGWbuf for RTSP connection Notice

RTSP:Failed to NatPort for RTSP connection Notice

RTSP:Failed to Create RTSP Data connection Notice

Access Policy not found, dropping packet Warning

IN bound Access Policy not found, dropping packet Warning

FTP Cmd %.10s denied, dropping packet Warning

SMTP Cmd %.10s denied, dropping packet Warning

Attempt to contact ProxyServer, dropping packet Warning

HTTP File %.20s denied, dropping packet Warning


Copyright 2005 Hewlett-Packard Development Company, LP. The information contained herein is subject to change without notice.