Professional Documents
Culture Documents
5991-2119
April 2005
IP Firewall
Refer to the following sections for more information on the functionality enabled by this command:
• Firewall processing for all interfaces (refer to Firewall Processing on page 2)
• Network address translation (NAT) capabilities (refer to NAT on page 4)
• Stateful inspection firewall (refer to Stateful Policies versus Stateless Policies on page 5)
• Network traffic management when used in conjunction with ACLs and ACPs (refer to ACLs and ACPs
on page 6)
Firewall Processing
Firewall processing protects the network by blocking attacks, filtering sessions from unrecognized origins,
and monitoring session activity. The sections which follow describe this functionality in more detail.
Attack Protection
Detects and discards traffic that matches profiles of known networking exploits or attacks. Use the
ip firewall command to enable firewall attack protection. The SROS blocks traffic (matching patterns
of known networking exploits) from traveling through the device. Some of these attacks may be
manually disabled, while other attack checks are always on any time the firewall is enabled.
Table 1 on page 3 outlines the types of traffic discarded by the firewall. Many attacks use similar
invalid traffic patterns; therefore, attacks other than the examples listed in the table may also be
blocked by the firewall.
2 5991-2119
IP Firewall Configuration Guide Understanding IP Firewall Protection
Larger than allowed Any packets that are longer than those defined by Ping of Death
packets standards will be dropped.
Fragmented IP packets The firewall intercepts all fragments for an IP packet and SynDrop,
that produce errors when attempts to reassemble them before forwarding to TearDrop,
attempting to destination. If any problems or errors are found during OpenTear,
reassemble reassembly, the fragments are dropped. Nestea, Targa,
Newtear, Bonk,
Boink
Smurf Attack The firewall drops any ping responses that are not part of Smurf Attack
an active session.
IP Spoofing The firewall drops any packets with a source IP address IP Spoofing
that appears to be spoofed. The IP route table is used to
determine if a path to the source address is known (out of
the interface from which the packet was received). For
example, if a packet with a source IP address of
10.10.10.1 is received on interface fr 1.16 and no route to
10.10.10.1 (through interface fr 1.16) exists in the route
table, the packet is dropped.
ICMP Control Message The following types of ICMP packets are allowed through Twinge
Floods and Attacks the firewall: echo, echo-reply, TTL expired, dest
unreachable, and quench. These ICMP messages are
only allowed if they appear to be in response to a valid
session. All others are discarded.
Attacks that send TCP Any TCP packets that have the URG flag set are Winnuke, TCP
URG packets discarded by the firewall. XMAS Scan
Falsified IP Header The firewall verifies that the packet’s actual length Jolt/Jolt2
Attacks matches the length indicated in the IP header. If it does
not, the packet is dropped.
Echo All UDP echo packets are discarded by the firewall. Char Gen
Land Attack Any packets with the same source and destination IP Land Attack
addresses are discarded.
Invalid TCP Initiation TCP SYN packets that have ack, urg rst, or fin flags set
Requests are discarded.
Invalid TCP Segment The sequence numbers for every active TCP session are
Number maintained in the firewall session database. If the firewall
received a segment with an unexpected (or invalid)
sequence number, the packet is dropped.
IP Source Route Option All IP packets containing the IP source route option are
dropped.
5991-2119 3
Understanding IP Firewall Protection IP Firewall Configuration Guide
Application-Specific Processing
Certain applications need special handling to work correctly in the presence of a firewall. SROS uses
Application-level Gateways (ALGs) for these applications. ALGs are aware of protocols not easily
integrated with NAT or firewalls that create associations which allow these protocols to work
transparently.
For example, the FTP ALG will not only create the associations to allow the control session (using
TCP Port 21) to pass data, but will also create associations to allow the server-initiated data sessions to
work (using TCP Port 20). This allows FTP clients to pass through the SROS firewall and ACPs
without using passive mode.
The SROS firewall includes ALGs for handling the following applications and protocols:
• AOL Instant Messenger
• VPN ALGS: ESP and IKE
• FTP
• H.323: H.245, Q.931, ASN1 PER decoding and encoding
• ICQ
• IRC
• Microsoft Games
• Net2Phone
• PPTP
• Quake
• Real-Time Streaming Protocol
• SMTP
• HTTP
NAT
Network Address Translation (NAT) is an Internet Engineering Task Force (IETF) standard method of
preserving Internet address space. Additionally, it can be used to hide the structure of server farms behind
a router in order to provide bandwidth sharing to Web, FTP, and application servers. Details on NAT
configuration are beyond the scope of this document. For more information, refer to the SROS Command
Line Interface Reference Guide on your ProCurve SROS Documentation CD. This document is also
available on the ProCurve Networking Web site(www.procurve.com).
4 5991-2119
IP Firewall Configuration Guide Understanding IP Firewall Protection
It is important to point out the differences between the operation of SROS stateful policies and stateless
filters. For example, consider an application where a host located behind a firewall device initiates an
outbound session to a server on the Internet. If the firewall is configured to use stateless filters, two or
more filters must be defined to do the following:
• Allow the outbound traffic from the host to the Internet
• Allow inbound traffic (responses from the initiated session)
Typically, the inbound filter list needs to reject sessions initiated from the Internet, while allowing other
responses to sessions initiated from the private network. Because the filter lists have no knowledge of the
state of the session (sequence numbers, inactivity time, etc.), there is a possibility that an attacker will be
able to “fool” the configured filter lists and direct malicious traffic through the firewall.
With stateful policies, however, a single policy is configured that permits the traffic from the host to be
initiated to the Internet. The SROS stateful inspection firewall creates an association for this session and
stores it in an internal database. When the server on the Internet sends a response back to the host, the
SROS stateful inspection firewall recognizes that this traffic is associated with an allowed session and
permits the traffic. Since the firewall has detailed knowledge about the current state of every session
flowing through the device, it is much more difficult for an attacker to generate traffic that is not blocked
by the firewall.
Session filtering based on inactivity may sometimes occur sooner than is desirable. Use the
ip policy-timeout command to customize timeout intervals for protocols (TCP, UDP, ICMP) or specific
services (by listing the particular port number). The default timeout for TCP protocols is 600 seconds,
UDP protocols is 60 seconds, and ICMP is 60 seconds.
The following example creates customized policy timeouts for the following:
• WWW (Internet traffic using TCP Port 80): timeout 24 hours (86,400 seconds)
• Telnet (TCP Port 23): timeout 20 minutes (1200 seconds)
• FTP (21): timeout 5 minutes (300 seconds)
• All other TCP services: timeout 8 minutes (480 seconds)
5991-2119 5
Understanding IP Firewall Protection IP Firewall Configuration Guide
Figure 1 illustrates the steps necessary for activating ACLs and ACPs.
Both ACLs and ACPs are order-dependent. When a packet is evaluated, the matching engine begins with
the first entry in the list and progresses through the entries until it finds a match. The first entry that
matches is executed. They both have an implicit deny at the end of the list. Typically, the most specific
entries should be at the top and the most general at the bottom.
6 5991-2119
IP Firewall Configuration Guide Understanding IP Firewall Protection
Packet Flow
The Packet Flow section describes how packets are processed in several possible scenarios of ACP
configuration.
Scenario 1
Packets traveling from an interface with an assigned ACP to any other interface
ACPs are applied when packets are received on an interface. If an interface has no assigned ACP, the
interface allows all received traffic to pass through by default. If an interface has an assigned ACP, but
the firewall has not been enabled with the ip firewall command, traffic flows normally from this
interface with no ACP processing.
Scenario 2
Packets traveling in and out of a single interface with an assigned ACP
These packets are processed through the ACPs as if they are destined for another interface (identical to
Scenario 1). Again, note that the ip firewall command must be enabled for ACP processing to take
place.
Scenario 3
Packets traveling from an interface without an assigned ACP to an interface with an
assigned ACP
These packets are routed normally and are not processed by the ACP.
Scenario 4
Packets traveling from an interface without an assigned ACP to another interface
without an assigned ACP
This traffic is routed normally. The ip firewall command has no effect on this traffic other than to
prevent attacks entering the interface.
If session hit,
or no ACP configured
5991-2119 7
Configuring Your Secure Router IP Firewall Configuration Guide
Warning Before applying an ACP to an interface, verify your Telnet connection will not be
affected by the policy. If a policy is applied to the interface you are connecting
through and it does not allow Telnet traffic, your connection will be lost.
Step 1
Enable the security features of the SROS using the ip firewall command.
Step 2
Create an ACL (using the ip access-list command) and configure it to permit or deny specified traffic.
Standard ACLs provide pattern matching for source IP addresses only. (Use extended ACLs for more
flexible pattern matching.) IP addresses can be expressed in one of three ways:
• Using the keyword any to match any IP address.
• Using the host <A.B.C.D> to specify a single host address. For example, entering
permit host 196.173.22.253 allows all traffic from the host with an IP address of 196.173.22.253.
• Using the <A.B.C.D> <wildcard> format to match all IP addresses in a range. Wildcard masks
work in reverse logic from subnet mask. Specifying a one in the wildcard mask equates to a “don’t
care.” For example, entering permit 192.168.0.0 0.0.0.255 permits all traffic from the
192.168.0.0/24 network.
Step 3
Create an ACP using the ip policy-class command. Possible actions performed by the ACP are as
follows:
• allow list <ACL names>
All packets passed by the ACL(s) entered are allowed to enter the router system.
• discard list <ACL names>
All packets passed by the ACL(s) entered are dropped from the router system.
• allow list <ACL names> policy <ACP name>
All packets passed by the ACL(s) entered and destined for the interface using the ACP listed are
permitted to enter the router system. This allows for configurations to permit packets to a single
interface and not the entire system.
• discard list <ACL names> policy <ACP name>
All packets passed by the ACL(s) entered and destined for the interface using the ACP listed are
blocked from the router system. This allows for configurations to deny packets on a specified
interface.
• nat source list <ACL names> address <IP address> overload
All packets passed by the ACL(s) entered are modified to replace the source IP address with the
entered IP address. The overload keyword allows multiple source IP addresses to be replaced with
the single IP address entered. This hides private IP addresses from outside the local network.
8 5991-2119
IP Firewall Configuration Guide Configuring Your Secure Router
Step 4
Apply the ACP to an interface. To do this, enter access-policy <policy name> while in the desired
interface’s configuration mode. The following example assigns access policy MATCHALL to the
Ethernet 0/1 interface:
(config)# interface ethernet 0/1
(config-eth 0/1)# access-policy MATCHALL
Configuration Examples
To illustrate these basic steps, the following configurations are given in detail as examples:
• Outbound Internet Access on page 10
– Step-by-Step Configuration: Outbound Internet Access on page 10
– Sample Script on page 11
• Inbound Internet Access on page 12
– Step-by-Step Configuration: Inbound Internet Access on page 12
– Sample Script on page 13
• Network Address Translation (NAT) on the WAN Interface on page 14
– Step-by-Step Configuration: NAT on the WAN Interface on page 14
– Sample Script on page 16
The first example demonstrates the router configuration for a simple network that allows the LAN to get to
the Internet, but blocks unwanted traffic from the Internet. The second example shows how to modify the
same configuration to allow traffic to a web server from the Internet. The third example explains how to
further modify the configuration to perform NAT from the Internet.
Configuration steps for each example are provided in the tables which follow the configuration
descriptions. You can follow the given steps by entering the command text shown in bold (modifying as
needed for your application).
Note Please note that these examples are given for your study and consideration only. They are
to help you reach a better understanding of the fundamental concepts before configuring
your own application. It will be necessary for you to modify these examples to match your
own network’s configuration.
Use the sample scripts in this section as a shortcut to configuring your unit. Use the text
tool in Adobe Acrobat to select and copy the scripts, paste them into any text editing
program, modify as needed, and then paste them directly into your SROS command line.
5991-2119 9
Configuring Your Secure Router IP Firewall Configuration Guide
10 5991-2119
IP Firewall Configuration Guide Configuring Your Secure Router
Sample Script
!
ip firewall
ip route 0.0.0.0 0.0.0.0 63.12.1.1
ip access-list standard MATCHALL
permit any
! - Create the Access-List “MATCHALL”.
! - Permit any IP address.
!
ip policy-class TRUSTED
allow list MATCHALL
! - Create the Policy-Class “TRUSTED”.
! - For any interface using Policy-Class “TRUSTED” allow Access-List “MATCHALL”.
! - Since the Policy-Class “TRUSTED” allows anything matching Access-List “MATCHALL”
! - and “MATCHALL” permits “Any”, Any incoming packets will be Allowed by this
! - Policy-Class.
ip policy-class UNTRUSTED
discard list MATCHALL
! - Create the Policy-Class “UNTRUSTED”.
! - For any interface using Policy-Class “UNTRUSTED” discard Access-List “MATCHALL”.
!
interface eth 0/1
ip address 63.12.5.254 255.255.255.0
access-policy TRUSTED
! - Apply the Policy-Class “TRUSTED” to the Ethernet interface.
5991-2119 11
Configuring Your Secure Router IP Firewall Configuration Guide
!
interface ppp 1
ip address 63.12.1.2 255.255.255.248
access-policy UNTRUSTED
! - Apply the Policy-Class “UNTRUSTED” to the WAN interface.
! - Since the Policy-Class “UNTRUSTED” discards anything matching Access-List “MATCHALL”
! - and “MATCHALL” permits “Any”, Any incoming packets will be Discarded by this
! - Policy-Class.
12 5991-2119
IP Firewall Configuration Guide Configuring Your Secure Router
Sample Script
!
ip firewall
ip access-list standard MATCHALL
permit any
!
ip access-list extended INWEB
permit tcp any host 63.12.5.253 eq 80
! - Create Extended Access-List “INWEB”
! - Permit any TCP traffic with a destination address of 63.12.1.253 and a destination port of 80 (HTTP).
!
ip route 0.0.0.0 0.0.0.0 63.12.1.1
!
ip policy-class TRUSTED
allow list MATCHALL
!
5991-2119 13
Configuring Your Secure Router IP Firewall Configuration Guide
ip policy-class UNTRUSTED
allow list INWEB
discard list MATCHALL
! - Allow any traffic that matches Access-List “INWEB”,
! - Before discarding any traffic that matches Access-List “MATCHALL”.
!
interface eth 0/1
ip address 63.12.5.254 255.255.255.0
access-policy TRUSTED
!
interface ppp 1
ip address 63.12.1.2 255.255.255.248
access-policy UNTRUSTED
14 5991-2119
IP Firewall Configuration Guide Configuring Your Secure Router
5991-2119 15
Configuring Your Secure Router IP Firewall Configuration Guide
Sample Script
!
ip firewall
!
ip access-list extended INWEB
permit tcp any host 63.12.1.3 eq 80
! - Create Extended Access-List “INWEB”
! - Allow any TCP traffic with a destination address of 63.12.1.3 with a destination port of 80 (HTTP).
!
ip route 0.0.0.0 0.0.0.0 63.12.1.1
!
ip policy-class TRUSTED
nat source list MATCHALL address 63.12.1.2 overload
! - Enable NAT for traffic that matches Access-List “MATCHALL” and change
! - the source address 63.12.1.2
ip policy-class UNTRUSTED
nat destination list INWEB address 192.168.0.253
discard list MATCHALL
! - Enable NAT for traffic that matches Access-List “INWEB” and change
! - the destination address to 192.168.0.253.
!
ip access-list standard MATCHALL
permit any
interface eth 0/1
ip address 192.168.0.254 255.255.255.0
access-policy TRUSTED
! - The IP address is changed to the private address scheme.
!
interface ppp 1
ip address 63.12.1.2 255.255.255.248
access-policy UNTRUSTED
16 5991-2119
IP Firewall Configuration Guide Verifying Your Configuration Using Show Commands
For example:
(config-eth 0/1)#do show ip policy-session
Policy-class “UNTRUSTED”:
2 current sessions (10000 max)
Entry 1 - allow list CORPORATE_TRAFFIC_IN
Entry 2 - allow list REMOTE_USER_TRAFFIC_IN
5991-2119 17
Verifying Your Configuration Using Show Commands IP Firewall Configuration Guide
18 5991-2119
IP Firewall Configuration Guide Managing Event Messages
Priority Level
Number Priority Level
5 Debug
4 Information
3 Notice
2 Warning
1 Error
0 Fatal
There are two management options for the event messages displayed on the console. The default behavior
is to display levels 0 to 3 (i.e., Notice, Warning, Error, and Fatal messages). To display all levels, turn
debug on (using the debug firewall command). If you turn debug off (no debug firewall), you fall back to
displaying levels 0 to 3 (i.e., everything but Information and Debug).
There are additional management options available for event history storage, email notification, and syslog
forwarding. If the event history storage is enabled (using the event-history on command), by default the
SROS logs all messages with priority levels 0 through 3 (i.e. Notice, Warning, Error, and Fatal messages).
You can use the following commands to change the default behavior and set an explicit priority level for
the following options:
• event-history priority <priority level#>: Sets the threshold for events stored in the event history. The
event log is displayed using the show event-history command.
• logging email priority-level <priority level#>: Sets the threshold for events sent to the configured
email addresses (specified using the logging email address-list command).
• logging forwarding priority-level <priority level#>: Sets the threshold for events sent to the
configured syslog server (specified using the logging forwarding receiver-ip command).
Table 6 on page 20 provides a list of event messages related to the firewall (along with the designated
priority levels).
5991-2119 19
Managing Event Messages IP Firewall Configuration Guide
20 5991-2119
IP Firewall Configuration Guide Managing Event Messages
5991-2119 21
Managing Event Messages IP Firewall Configuration Guide
22 5991-2119
IP Firewall Configuration Guide Managing Event Messages
5991-2119 23
Managing Event Messages IP Firewall Configuration Guide
Copyright 2005 Hewlett-Packard Development Company, LP. The information contained herein is subject to change without notice.
24 5991-2119