
Configuration Guide

5991-2119
April 2005

IP Firewall

Packet Filtering using Access Control Policies and Lists


This Configuration Guide is designed to provide you with a basic
understanding of the concepts behind configuring your ProCurve Secure
Router Operating System (SROS) product for IP firewall protection. For
detailed information regarding specific command syntax, refer to the
SROS Command Line Interface Reference Guide on your ProCurve SROS
Documentation CD.

This guide consists of the following sections:


• Understanding IP Firewall Protection on page 2
• Configuring Your Secure Router on page 8
• Verifying Your Configuration Using Show Commands on page 17
• Managing Event Messages on page 19

61195880L1-29.1B Printed in the USA 1


Understanding IP Firewall Protection IP Firewall Configuration Guide

Understanding IP Firewall Protection


Use the ip firewall command to enable SROS security features including access control policies (ACPs)
and access control lists (ACLs), network address translation (NAT), and the stateful inspection firewall.
Use the no form of this command to disable the security functionality.

Refer to the following sections for more information on the functionality enabled by this command:
• Firewall processing for all interfaces (refer to Firewall Processing on page 2)
• Network address translation (NAT) capabilities (refer to NAT on page 4)
• Stateful inspection firewall (refer to Stateful Policies versus Stateless Policies on page 5)
• Network traffic management when used in conjunction with ACLs and ACPs (refer to ACLs and ACPs
on page 6)

Firewall Processing
Firewall processing protects the network by blocking attacks, filtering sessions from unrecognized origins,
and monitoring session activity. The sections which follow describe this functionality in more detail.

Attack Protection
Detects and discards traffic that matches profiles of known networking exploits or attacks. Use the
ip firewall command to enable firewall attack protection. The SROS blocks traffic matching patterns
of known networking exploits from traveling through the device. Some of these attack checks may be
manually disabled, while others are always on whenever the firewall is enabled.

Table 1 on page 3 outlines the types of traffic discarded by the firewall. Many attacks use similar
invalid traffic patterns; therefore, attacks other than the examples listed in the table may also be
blocked by the firewall.


Table 1. Traffic Blocked by Firewall Attack Protection Engine

Each entry lists the invalid traffic pattern, the SROS firewall response, and the common attacks that use the pattern.

Larger than allowed packets
  Response: Any packets that are longer than those defined by standards will be dropped.
  Common attacks: Ping of Death

Fragmented IP packets that produce errors when attempting to reassemble
  Response: The firewall intercepts all fragments for an IP packet and attempts to reassemble them before forwarding to the destination. If any problems or errors are found during reassembly, the fragments are dropped.
  Common attacks: SynDrop, TearDrop, OpenTear, Nestea, Targa, Newtear, Bonk, Boink

Smurf Attack
  Response: The firewall drops any ping responses that are not part of an active session.
  Common attacks: Smurf Attack

IP Spoofing
  Response: The firewall drops any packets with a source IP address that appears to be spoofed. The IP route table is used to determine if a path to the source address is known (out of the interface from which the packet was received). For example, if a packet with a source IP address of 10.10.10.1 is received on interface fr 1.16 and no route to 10.10.10.1 (through interface fr 1.16) exists in the route table, the packet is dropped.
  Common attacks: IP Spoofing

ICMP Control Message Floods and Attacks
  Response: The following types of ICMP packets are allowed through the firewall: echo, echo-reply, TTL expired, dest unreachable, and quench. These ICMP messages are only allowed if they appear to be in response to a valid session. All others are discarded.
  Common attacks: Twinge

Attacks that send TCP URG packets
  Response: Any TCP packets that have the URG flag set are discarded by the firewall.
  Common attacks: Winnuke, TCP XMAS Scan

Falsified IP Header Attacks
  Response: The firewall verifies that the packet’s actual length matches the length indicated in the IP header. If it does not, the packet is dropped.
  Common attacks: Jolt/Jolt2

Echo
  Response: All UDP echo packets are discarded by the firewall.
  Common attacks: Char Gen

Land Attack
  Response: Any packets with the same source and destination IP addresses are discarded.
  Common attacks: Land Attack

Broadcast Source IP
  Response: Packets with a broadcast source IP address are discarded.

Invalid TCP Initiation Requests
  Response: TCP SYN packets that have the ACK, URG, RST, or FIN flags set are discarded.

Invalid TCP Segment Number
  Response: The sequence numbers for every active TCP session are maintained in the firewall session database. If the firewall receives a segment with an unexpected (or invalid) sequence number, the packet is dropped.

IP Source Route Option
  Response: All IP packets containing the IP source route option are dropped.
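As an added illustration of the Table 1 checks (Python written for this page, not code from the ProCurve guide or SROS), the following parser reads an IPv4 header plus the TCP/UDP ports and flags and reports which of the stateless checks would drop the packet: falsified header length, land, broadcast source, source-route option, TCP URG, invalid TCP initiation, and UDP echo. The sample packets are constructed inline; the check names, the `initiating` flag (true when no session exists yet, so a SYN is a session request) and the limitation to the limited broadcast address 255.255.255.255 are my assumptions.

```python
import socket
import struct

LSRR, SSRR = 0x83, 0x89                    # IP source-route option codes (RFC 791)
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x10, 0x20
UDP_ECHO_PORT = 7

def parse_ipv4(pkt: bytes) -> dict:
    """Parse the IPv4 header and, for TCP/UDP, the ports and TCP flag byte."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    hdr = {"wire_len": len(pkt), "total_len": total_len, "proto": proto,
           "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
           "options": pkt[20:ihl], "flags": None, "sport": None, "dport": None}
    l4 = pkt[ihl:]
    if proto in (6, 17) and len(l4) >= 4:
        hdr["sport"], hdr["dport"] = struct.unpack("!HH", l4[:4])
    if proto == 6 and len(l4) >= 14:
        hdr["flags"] = l4[13]                  # TCP flags live in byte 13
    return hdr

def has_source_route(options: bytes) -> bool:
    """Walk the IP options list looking for a loose or strict source-route option."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                          # end of options
            return False
        if kind == 1:                          # NOP: single byte
            i += 1
            continue
        if kind in (LSRR, SSRR):
            return True
        if i + 1 >= len(options):              # malformed: no length byte
            return False
        i += max(options[i + 1], 2)
    return False

def firewall_checks(pkt: bytes, initiating: bool = True) -> list:
    """Return the names of the Table 1 checks that would drop this packet."""
    h = parse_ipv4(pkt)
    hits = []
    if h["total_len"] != h["wire_len"]:
        hits.append("length mismatch")         # falsified IP header (Jolt-style)
    if h["src"] == h["dst"]:
        hits.append("land")
    if h["src"] == "255.255.255.255":          # directed broadcasts would also need the subnet mask
        hits.append("broadcast source")
    if has_source_route(h["options"]):
        hits.append("source route option")
    if h["proto"] == 6 and h["flags"] is not None:
        f = h["flags"]
        if f & TCP_URG:
            hits.append("tcp urg")
        if initiating and f & TCP_SYN and f & (TCP_ACK | TCP_URG | TCP_RST | TCP_FIN):
            hits.append("invalid tcp initiation")
    if h["proto"] == 17 and h["dport"] == UDP_ECHO_PORT:
        hits.append("udp echo")
    return hits

# --- constructed sample packets (built here, not captured traffic) ---
def build_ipv4(src, dst, proto, payload=b"", options=b"", total_len=None):
    ihl = 5 + len(options) // 4                # options must be padded to 4 bytes
    length = 20 + len(options) + len(payload) if total_len is None else total_len
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, length, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + options + payload

def tcp_segment(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def udp_datagram(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)

SAMPLES = {
    "normal syn": build_ipv4("192.168.1.10", "63.12.5.253", 6, tcp_segment(40000, 80, TCP_SYN)),
    "syn-ack reply": build_ipv4("63.12.5.253", "192.168.1.10", 6, tcp_segment(80, 40000, TCP_SYN | TCP_ACK)),
    "land": build_ipv4("63.12.1.2", "63.12.1.2", 6, tcp_segment(80, 80, TCP_SYN)),
    "jolt": build_ipv4("10.0.0.1", "63.12.5.253", 6, tcp_segment(1, 80, TCP_SYN), total_len=65535),
    "xmas": build_ipv4("10.0.0.1", "63.12.5.253", 6, tcp_segment(1, 80, TCP_SYN | TCP_FIN | TCP_URG)),
    "udp echo": build_ipv4("10.0.0.1", "63.12.5.253", 17, udp_datagram(5000, UDP_ECHO_PORT)),
    "source routed": build_ipv4("10.0.0.1", "63.12.5.253", 6, tcp_segment(1, 80, TCP_SYN),
                                options=b"\x83\x07\x04" + socket.inet_aton("10.0.0.9") + b"\x00"),
    "broadcast src": build_ipv4("255.255.255.255", "63.12.5.253", 17, udp_datagram(5000, 53)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        reply = name == "syn-ack reply"        # a reply belongs to an existing session
        print(f"{name:14s} -> {firewall_checks(pkt, initiating=not reply) or 'pass'}")
```

The SYN-ACK sample shows why the "invalid TCP initiation" rule is applied only to session requests: the same flag combination is legitimate as the second step of a handshake the firewall already knows about, which is the session-database check the table describes.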


Session Initiation Control


Session initiation controls allow only sessions that match traffic patterns permitted by ACPs to be
initiated through the router.

Ongoing Session Monitoring and Processing


The SROS continues monitoring session activity as described below:
• Each session that has been allowed through the router is monitored for any irregularities that match
patterns of known attacks or exploits. Offending traffic is dropped.
• If NAT is configured, the firewall modifies all traffic associated with the session according to the
translation rules defined in NAT ACPs.
• If a session is inactive for a user-specified amount of time, the firewall closes it.

Application-Specific Processing
Certain applications need special handling to work correctly in the presence of a firewall. SROS uses
Application-level Gateways (ALGs) for these applications. ALGs understand protocols that do not
integrate easily with NAT or firewalls, and they create the associations that allow these protocols to
work transparently.

For example, the FTP ALG will not only create the associations to allow the control session (using
TCP Port 21) to pass data, but will also create associations to allow the server-initiated data sessions to
work (using TCP Port 20). This allows FTP clients to pass through the SROS firewall and ACPs
without using passive mode.

The SROS firewall includes ALGs for handling the following applications and protocols:
• AOL Instant Messenger
• VPN ALGs: ESP and IKE
• FTP
• H.323: H.245, Q.931, ASN1 PER decoding and encoding
• ICQ
• IRC
• Microsoft Games
• Net2Phone
• PPTP
• Quake
• Real-Time Streaming Protocol
• SMTP
• HTTP

NAT
Network Address Translation (NAT) is an Internet Engineering Task Force (IETF) standard method of
preserving Internet address space. Additionally, it can be used to hide the structure of server farms behind
a router in order to provide bandwidth sharing to Web, FTP, and application servers. Details on NAT
configuration are beyond the scope of this document. For more information, refer to the SROS Command
Line Interface Reference Guide on your ProCurve SROS Documentation CD. This document is also
available on the ProCurve Networking Web site (www.procurve.com).


Stateful Policies versus Stateless Policies


The SROS unit acts as an ALG and employs a stateful inspection firewall that protects an organization's
network from common cyber attacks including TCP SYN-flooding, IP spoofing, ICMP redirect, land
attacks, ping-of-death, and IP reassembly problems.

It is important to point out the differences between the operation of SROS stateful policies and stateless
filters. For example, consider an application where a host located behind a firewall device initiates an
outbound session to a server on the Internet. If the firewall is configured to use stateless filters, two or
more filters must be defined to do the following:
• Allow the outbound traffic from the host to the Internet
• Allow inbound traffic (responses from the initiated session)

Typically, the inbound filter list needs to reject sessions initiated from the Internet, while allowing other
responses to sessions initiated from the private network. Because the filter lists have no knowledge of the
state of the session (sequence numbers, inactivity time, etc.), there is a possibility that an attacker will be
able to “fool” the configured filter lists and direct malicious traffic through the firewall.

With stateful policies, however, a single policy is configured that permits the traffic from the host to be
initiated to the Internet. The SROS stateful inspection firewall creates an association for this session and
stores it in an internal database. When the server on the Internet sends a response back to the host, the
SROS stateful inspection firewall recognizes that this traffic is associated with an allowed session and
permits the traffic. Since the firewall has detailed knowledge about the current state of every session
flowing through the device, it is much more difficult for an attacker to generate traffic that is not blocked
by the firewall.

Session filtering based on inactivity may sometimes occur sooner than is desirable. Use the
ip policy-timeout command to customize timeout intervals for protocols (TCP, UDP, ICMP) or specific
services (by listing the particular port number). The default timeout is 600 seconds for TCP,
60 seconds for UDP, and 60 seconds for ICMP.

The following example creates customized policy timeouts for the following:
• WWW (Internet traffic using TCP Port 80): timeout 24 hours (86,400 seconds)
• Telnet (TCP Port 23): timeout 20 minutes (1200 seconds)
• FTP (21): timeout 5 minutes (300 seconds)
• All other TCP services: timeout 8 minutes (480 seconds)

(config)# ip policy-timeout tcp www 86400
(config)# ip policy-timeout tcp telnet 1200
(config)# ip policy-timeout tcp ftp 300
(config)# ip policy-timeout tcp all_ports 480
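The following added example (Python written for this page, not code from the ProCurve guide) models the stateful behaviour described above and the ip policy-timeout settings just shown: an outbound session creates an association, an inbound packet is admitted only as the reply of a live association, and an association whose idle time exceeds its timeout is closed. The defaults are the guide's (TCP 600 s, UDP 60 s, ICMP 60 s); the overrides map the www, telnet and ftp keywords to ports 80, 23 and 21. The table structure, the 5-tuple key and the host addresses are my assumptions.

```python
# Defaults stated in the guide
DEFAULT_TIMEOUT = {"tcp": 600, "udp": 60, "icmp": 60}

# The ip policy-timeout example above, keyed by (protocol, port or "all_ports")
EXAMPLE_OVERRIDES = {
    ("tcp", 80): 86400,            # www
    ("tcp", 23): 1200,             # telnet
    ("tcp", 21): 300,              # ftp
    ("tcp", "all_ports"): 480,     # every other TCP service
}

class SessionTable:
    """Association table keyed by the outbound 5-tuple (assumed structure)."""

    def __init__(self, overrides=None):
        self.overrides = dict(overrides or {})
        self.sessions = {}   # (proto, src, sport, dst, dport) -> last activity time

    def timeout_for(self, proto, dport):
        """Most specific setting wins: service port, then protocol-wide, then default."""
        if (proto, dport) in self.overrides:
            return self.overrides[(proto, dport)]
        if (proto, "all_ports") in self.overrides:
            return self.overrides[(proto, "all_ports")]
        return DEFAULT_TIMEOUT[proto]

    def open_outbound(self, proto, src, sport, dst, dport, now):
        """A host behind the firewall starts a session that the policy allowed."""
        key = (proto, src, sport, dst, dport)
        self.sessions[key] = now
        return key

    def admit_inbound(self, proto, src, sport, dst, dport, now):
        """An inbound packet is admitted only as the reply of a live association."""
        key = (proto, dst, dport, src, sport)          # reverse the 5-tuple
        last = self.sessions.get(key)
        if last is None:
            return False                               # unsolicited: no association
        if now - last > self.timeout_for(proto, key[4]):
            del self.sessions[key]                     # idle too long: association closed
            return False
        self.sessions[key] = now                       # activity refreshes the timer
        return True

    def expire_idle(self, now):
        """Housekeeping pass; returns the number of associations closed."""
        stale = [k for k, last in self.sessions.items()
                 if now - last > self.timeout_for(k[0], k[4])]
        for k in stale:
            del self.sessions[k]
        return len(stale)

def timeout_demo():
    """Constructed scenario: three outbound sessions, then inbound replies at various times."""
    t = SessionTable(EXAMPLE_OVERRIDES)
    t.open_outbound("tcp", "63.12.5.10", 40000, "203.0.113.5", 80, now=0)   # www
    t.open_outbound("tcp", "63.12.5.10", 40001, "203.0.113.5", 23, now=0)   # telnet
    t.open_outbound("udp", "63.12.5.10", 40002, "203.0.113.5", 53, now=0)   # dns
    return {
        "www reply after 1 hour": t.admit_inbound("tcp", "203.0.113.5", 80, "63.12.5.10", 40000, now=3600),
        "telnet reply after 21 min": t.admit_inbound("tcp", "203.0.113.5", 23, "63.12.5.10", 40001, now=1260),
        "dns reply after 90 s": t.admit_inbound("udp", "203.0.113.5", 53, "63.12.5.10", 40002, now=90),
        "unsolicited ssh": t.admit_inbound("tcp", "203.0.113.5", 22, "63.12.5.10", 40003, now=1),
    }

if __name__ == "__main__":
    for label, admitted in timeout_demo().items():
        print(f"{label:28s} -> {'admitted' if admitted else 'dropped'}")
```

The unsolicited SSH case is the contrast with stateless filters drawn above: no inbound rule needs to be written for replies, and a packet that does not match an association is dropped regardless of how it is crafted.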


ACLs and ACPs


ACLs and ACPs regulate traffic through the routed network. When designing your traffic flow
configuration, it is important to keep the following in mind:
• An ACL is inactive until it is assigned to an active ACP.
• An ACP is inactive until it is assigned to an interface.

Figure 1 illustrates the steps necessary for activating ACLs and ACPs.

Create an ACL and define permissions:
  (config)#ip access-list standard MATCHALL
  (config-std-nacl)#permit any

Create an ACP and assign the ACL to it:
  (config)#ip policy-class TRUSTED
  (config-policy-class)#allow list MATCHALL

Assign the ACP to an interface:
  (config)#interface eth 0/1
  (config-eth 0/1)#access-policy TRUSTED

Figure 1. Activating ACLs and ACPs

Access Control Lists (ACLs)


ACLs are used as packet selectors by ACPs. They must be assigned to an ACP in order to be active.
ACLs are composed of an ordered list of entries. Each entry contains two parts: an action (permit or
deny) and a packet pattern. A permit entry permits packets meeting the specified pattern to enter the
router system. A deny entry does not itself drop the packet; it advances the SROS to the next ACP entry.
The SROS provides two types of ACLs: standard and extended. Standard ACLs allow source IP address
packet patterns only. Extended ACLs may specify patterns using most fields in the IP header and the
TCP or UDP header.

Access Control Policies (ACPs)


ACPs are used to allow, discard, or manipulate (using NAT) data for each physical interface. Each
ACP consists of a selector (i.e., an ACL) and an action (allow, discard, NAT). When packets are
received on an interface, the configured ACPs are applied to determine whether the data is processed
or discarded.

Both ACLs and ACPs are order-dependent. When a packet is evaluated, the matching engine begins with
the first entry in the list and progresses through the entries until it finds a match. The first entry that
matches is executed. They both have an implicit deny at the end of the list. Typically, the most specific
entries should be at the top and the most general at the bottom.


Packet Flow
This section describes how packets are processed in several possible scenarios of ACP configuration.

Scenario 1: Packets traveling from an interface with an assigned ACP to any other interface
ACPs are applied when packets are received on an interface. If an interface has no assigned ACP, the
interface allows all received traffic to pass through by default. If an interface has an assigned ACP, but
the firewall has not been enabled with the ip firewall command, traffic flows normally from this
interface with no ACP processing.

Scenario 2: Packets traveling in and out of a single interface with an assigned ACP
These packets are processed through the ACPs as if they were destined for another interface (identical to
Scenario 1). Again, note that the ip firewall command must be enabled for ACP processing to take
place.

Scenario 3: Packets traveling from an interface without an assigned ACP to an interface with an assigned ACP
These packets are routed normally and are not processed by the ACP.

Scenario 4: Packets traveling from an interface without an assigned ACP to another interface without an assigned ACP
This traffic is routed normally. The ip firewall command has no effect on this traffic other than to
prevent attacks entering the interface.

[Figure: packet flow through the SROS firewall. Stages shown: Packet In, Interface, Association List, Access Control Policies (permit, deny, NAT), Route Lookup, Packet Out. Annotation on the path around the Access Control Policies stage: "If session hit, or no ACP configured".]


Configuring Your Secure Router


The remainder of this document provides examples designed to clarify the use of access policies. The
following section, Creating and Assigning ACLs and ACPs on page 8, gives an overview of the four basic
steps necessary when creating ACLs and ACPs.

Warning Before applying an ACP to an interface, verify your Telnet connection will not be
affected by the policy. If a policy is applied to the interface you are connecting
through and it does not allow Telnet traffic, your connection will be lost.

Creating and Assigning ACLs and ACPs


Creating ACLs and ACPs to regulate traffic through the routed network requires four steps:

Step 1
Enable the security features of the SROS using the ip firewall command.

Step 2
Create an ACL (using the ip access-list command) and configure it to permit or deny specified traffic.
Standard ACLs provide pattern matching for source IP addresses only. (Use extended ACLs for more
flexible pattern matching.) IP addresses can be expressed in one of three ways:
• Using the keyword any to match any IP address.
• Using the host <A.B.C.D> to specify a single host address. For example, entering
permit host 196.173.22.253 allows all traffic from the host with an IP address of 196.173.22.253.
• Using the <A.B.C.D> <wildcard> format to match all IP addresses in a range. Wildcard masks
work in reverse logic from a subnet mask: a one bit in the wildcard mask means “don’t care.” For
example, entering permit 192.168.0.0 0.0.0.255 permits all traffic from the 192.168.0.0/24 network.

Step 3
Create an ACP using the ip policy-class command. Possible actions performed by the ACP are as
follows:
• allow list <ACL names>
All packets passed by the ACL(s) entered are allowed to enter the router system.
• discard list <ACL names>
All packets passed by the ACL(s) entered are dropped from the router system.
• allow list <ACL names> policy <ACP name>
All packets passed by the ACL(s) entered and destined for the interface using the ACP listed are
permitted to enter the router system. This allows for configurations to permit packets to a single
interface and not the entire system.
• discard list <ACL names> policy <ACP name>
All packets passed by the ACL(s) entered and destined for the interface using the ACP listed are
blocked from the router system. This allows for configurations to deny packets on a specified
interface.
• nat source list <ACL names> address <IP address> overload
All packets passed by the ACL(s) entered are modified to replace the source IP address with the
entered IP address. The overload keyword allows multiple source IP addresses to be replaced with
the single IP address entered. This hides private IP addresses from outside the local network.


• nat source list <ACL names> interface <interface> overload
All packets passed by the ACL(s) entered are modified to replace the source IP address with the
primary IP address of the listed interface. The overload keyword allows multiple source IP
addresses to be replaced with the single IP address of the specified interface. This hides private IP
addresses from outside the local network.
• nat destination list <ACL names> address <IP address>
All packets passed by the ACL(s) entered are modified to replace the destination IP address with
the entered IP address. The overload keyword is not an option when performing NAT on the
destination IP address. Each private address must have a unique public address. This hides private
IP addresses from outside the local network.

Step 4
Apply the ACP to an interface. To do this, enter access-policy <policy name> while in the desired
interface’s configuration mode. The following example assigns access policy MATCHALL to the
Ethernet 0/1 interface:
(config)# interface ethernet 0/1
(config-eth 0/1)# access-policy MATCHALL
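The four steps above, together with the order-dependence rule and the Packet Flow scenarios from the previous section, as an added Python simulation (my code, not SROS code): wildcard-mask matching for ACL patterns, first-match evaluation of ACL entries, a deny entry or no match advancing to the next ACP entry, the implicit discard at the end of an ACP, and ACP processing that happens only when ip firewall is enabled and the ingress interface has an ACP. Only the allow and discard actions are modelled. The configuration loaded is Example 2 (Inbound Internet Access) from later in this guide; the class names, the Packet record and the test addresses are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, pattern: str) -> bool:
    """pattern is 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (wildcard bits).
    A one bit in the wildcard means 'don't care', the reverse of a subnet mask."""
    if pattern == "any":
        return True
    parts = pattern.split()
    if parts[0] == "host":
        return addr == parts[1]
    net, wild = parts
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)

@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    src: str = "any"             # a standard ACL uses only this field
    proto: str = "ip"            # the remaining fields are extended-ACL patterns
    dst: str = "any"
    dport: Optional[int] = None  # 'eq <port>'

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and wildcard_match(p.src, self.src)
                and wildcard_match(p.dst, self.dst)
                and (self.dport is None or self.dport == p.dport))

def acl_selects(entries, p: Packet) -> bool:
    """First matching entry decides. A deny, or no match at all (the implicit
    deny at the end of the list), means the ACL does not select the packet."""
    for e in entries:
        if e.matches(p):
            return e.action == "permit"
    return False

def apply_policy(acp_entries, acls, p: Packet) -> str:
    """acp_entries: [(action, acl_name)] in configured order; action is 'allow' or 'discard'."""
    for action, acl_name in acp_entries:
        if acl_selects(acls[acl_name], p):
            return action                    # the first selecting entry is executed
        # not selected: advance to the next ACP entry
    return "discard"                         # implicit discard at the end of the ACP

class Router:
    def __init__(self, firewall_enabled, acls, acps, interfaces):
        self.firewall_enabled = firewall_enabled
        self.acls, self.acps = acls, acps
        self.interfaces = interfaces         # interface name -> ACP name or None

    def ingress(self, iface: str, p: Packet) -> str:
        """Decision for a packet received on iface: 'allow' or 'discard'."""
        acp_name = self.interfaces.get(iface)
        if not self.firewall_enabled or acp_name is None:
            return "allow"                   # routed normally, no ACP processing
        return apply_policy(self.acps[acp_name], self.acls, p)

def example2_router(firewall_enabled=True) -> Router:
    """The Inbound Internet Access configuration (Example 2) expressed as data."""
    acls = {
        "MATCHALL": [AclEntry("permit")],
        "INWEB": [AclEntry("permit", proto="tcp", dst="host 63.12.5.253", dport=80)],
    }
    acps = {
        "TRUSTED": [("allow", "MATCHALL")],
        "UNTRUSTED": [("allow", "INWEB"), ("discard", "MATCHALL")],
    }
    return Router(firewall_enabled, acls, acps, {"eth 0/1": "TRUSTED", "ppp 1": "UNTRUSTED"})

if __name__ == "__main__":
    r = example2_router()
    for p in (Packet("tcp", "198.51.100.7", "63.12.5.253", 80),
              Packet("tcp", "198.51.100.7", "63.12.5.253", 22)):
        print("ppp 1", p, "->", r.ingress("ppp 1", p))
```

Reordering the UNTRUSTED entries so that discard list MATCHALL comes first would make the INWEB entry unreachable, which is the point of the guide's advice to put the most specific entries at the top.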

Configuration Examples
To illustrate these basic steps, the following configurations are given in detail as examples:
• Outbound Internet Access on page 10
– Step-by-Step Configuration: Outbound Internet Access on page 10
– Sample Script on page 11
• Inbound Internet Access on page 12
– Step-by-Step Configuration: Inbound Internet Access on page 12
– Sample Script on page 13
• Network Address Translation (NAT) on the WAN Interface on page 14
– Step-by-Step Configuration: NAT on the WAN Interface on page 14
– Sample Script on page 16

The first example demonstrates the router configuration for a simple network that allows the LAN to get to
the Internet, but blocks unwanted traffic from the Internet. The second example shows how to modify the
same configuration to allow traffic to a web server from the Internet. The third example explains how to
further modify the configuration to perform NAT from the Internet.

Configuration steps for each example are provided in the tables which follow the configuration
descriptions. You can follow the given steps by entering the command text shown in bold (modifying as
needed for your application).

Note Please note that these examples are given for your study and consideration only. They are
to help you reach a better understanding of the fundamental concepts before configuring
your own application. It will be necessary for you to modify these examples to match your
own network’s configuration.

Use the sample scripts in this section as a shortcut to configuring your unit. Use the text
tool in Adobe Acrobat to select and copy the scripts, paste them into any text editing
program, modify as needed, and then paste them directly into your SROS command line.


Example 1: Outbound Internet Access


This is a simple network configuration using public IP addresses on the LAN. This configuration allows
the LAN traffic to reach the Internet, but does not allow traffic from the Internet to reach the LAN (unless
it matches the outbound sessions already created).

Table 2. Step-by-Step Configuration: Outbound Internet Access

Step 1. Enter Enable Security mode.
    >enable
Step 2. Enter Global Configuration mode.
    #configure terminal
Step 3. Enable IP firewall functionality.
    (config)#ip firewall
Step 4. Create the ACL MATCHALL and enter the standard ACL command set.
    (config)#ip access-list standard MATCHALL
Step 5. Configure this ACL to permit all packets.
    (config-std-nacl)#permit any
Step 6. Exit to Global Configuration mode.
    (config-std-nacl)#exit
Step 7. Add a default route to the route table.
    (config)#ip route 0.0.0.0 0.0.0.0 63.12.1.1
Step 8. Create the ACP TRUSTED and enter its access control policy command set.
    (config)#ip policy-class TRUSTED
Step 9. Configure this ACP to allow any traffic that matches the ACL MATCHALL to enter the router system.
    (config-policy-class)#allow list MATCHALL
Step 10. Exit to Global Configuration mode.
    (config-policy-class)#exit
Step 11. Create the ACP UNTRUSTED and enter its access control policy command set.
    (config)#ip policy-class UNTRUSTED
Step 12. Configure this ACP to discard any traffic that matches the ACL MATCHALL.
    (config-policy-class)#discard list MATCHALL
Step 13. Exit to Global Configuration mode.
    (config-policy-class)#exit
Step 14. Access configuration parameters for the Ethernet port.
    (config)#interface eth 0/1
Step 15. Assign an IP address and subnet mask to the Ethernet port.
    (config-eth 0/1)#ip address 63.12.5.254 255.255.255.0
Step 16. Apply the ACP TRUSTED to the Ethernet port.
    (config-eth 0/1)#access-policy TRUSTED
    Note: Since the ACP TRUSTED allows anything matching ACL MATCHALL (and MATCHALL permits any traffic), all incoming packets to this interface will be allowed by this ACP.
Step 17. Exit to Global Configuration mode.
    (config-eth 0/1)#exit
Step 18. Access configuration parameters for the PPP interface.
    (config)#interface ppp 1
Step 19. Assign an IP address and subnet mask to the WAN interface.
    (config-ppp 1)#ip address 63.12.1.2 255.255.255.248
Step 20. Apply the ACP UNTRUSTED to the WAN interface.
    (config-ppp 1)#access-policy UNTRUSTED
    Note: Since the ACP UNTRUSTED discards anything matching ACL MATCHALL (and MATCHALL permits any traffic), all incoming packets to this interface will be discarded by this ACP.
Step 21. Exit to Global Configuration mode.
    (config-ppp 1)#exit

Sample Script

!
ip firewall
ip route 0.0.0.0 0.0.0.0 63.12.1.1
!
ip access-list standard MATCHALL
permit any
! - Create the Access-List “MATCHALL”.
! - Permit any IP address.
!
ip policy-class TRUSTED
allow list MATCHALL
! - Create the Policy-Class “TRUSTED”.
! - For any interface using Policy-Class “TRUSTED” allow Access-List “MATCHALL”.
! - Since the Policy-Class “TRUSTED” allows anything matching Access-List “MATCHALL”
! - and “MATCHALL” permits “Any”, any incoming packets will be allowed by this
! - Policy-Class.
!
ip policy-class UNTRUSTED
discard list MATCHALL
! - Create the Policy-Class “UNTRUSTED”.
! - For any interface using Policy-Class “UNTRUSTED” discard Access-List “MATCHALL”.
!
interface eth 0/1
ip address 63.12.5.254 255.255.255.0
access-policy TRUSTED
! - Apply the Policy-Class “TRUSTED” to the Ethernet interface.
!
interface ppp 1
ip address 63.12.1.2 255.255.255.248
access-policy UNTRUSTED
! - Apply the Policy-Class “UNTRUSTED” to the WAN interface.
! - Since the Policy-Class “UNTRUSTED” discards anything matching Access-List “MATCHALL”
! - and “MATCHALL” permits “Any”, any incoming packets will be discarded by this
! - Policy-Class.

Example 2: Inbound Internet Access


This example is a simple network configuration using public IP addresses on the LAN. This configuration
allows outbound access to the Internet and inbound access to the web server. This configuration is similar
to the previous example (all changes are shown in bold text in the Sample Script on page 13).

Table 3. Step-by-Step Configuration: Inbound Internet Access

Step 1. Enter Enable Security mode.
    >enable
Step 2. Enter Global Configuration mode.
    #configure terminal
Step 3. Enable IP firewall functionality.
    (config)#ip firewall
Step 4. Create the ACL MATCHALL and enter the standard ACL command set.
    (config)#ip access-list standard MATCHALL
Step 5. Configure this ACL to permit all packets.
    (config-std-nacl)#permit any
Step 6. Exit to Global Configuration mode.
    (config-std-nacl)#exit
Step 7. Create the extended ACL INWEB and enter the extended access-list command set.
    (config)#ip access-list extended INWEB
Step 8. Permit any TCP traffic with a destination address of 63.12.5.253 and a destination port of 80 (HTTP).
    (config-ext-nacl)#permit tcp any host 63.12.5.253 eq 80
Step 9. Add a default route to the route table.
    (config)#ip route 0.0.0.0 0.0.0.0 63.12.1.1
Step 10. Create the ACP TRUSTED and enter its access control policy command set.
    (config)#ip policy-class TRUSTED
Step 11. Configure this ACP to allow any traffic that matches the ACL MATCHALL to enter the router system.
    (config-policy-class)#allow list MATCHALL
Step 12. Exit to Global Configuration mode.
    (config-policy-class)#exit
Step 13. Create the ACP UNTRUSTED and enter its access control policy command set.
    (config)#ip policy-class UNTRUSTED
Step 14. Configure this ACP to allow any traffic that matches the ACL INWEB to enter the router system.
    (config-policy-class)#allow list INWEB
Step 15. Configure this ACP to discard any traffic that matches the ACL MATCHALL.
    (config-policy-class)#discard list MATCHALL
    Note: The ACP UNTRUSTED will now allow packets matching ACL INWEB (prior to discarding incoming packets matching the ACL MATCHALL).
Step 16. Exit to Global Configuration mode.
    (config-policy-class)#exit
Step 17. Access configuration parameters for the Ethernet port.
    (config)#interface eth 0/1
Step 18. Assign an IP address and subnet mask to the Ethernet port.
    (config-eth 0/1)#ip address 63.12.5.254 255.255.255.0
Step 19. Apply the ACP TRUSTED to the Ethernet port.
    (config-eth 0/1)#access-policy TRUSTED
    Note: Since the ACP TRUSTED allows anything matching ACL MATCHALL (and MATCHALL permits any traffic), all incoming packets to this interface will be allowed by this ACP.
Step 20. Exit to Global Configuration mode.
    (config-eth 0/1)#exit
Step 21. Access configuration parameters for the PPP interface.
    (config)#interface ppp 1
Step 22. Assign an IP address and subnet mask to the WAN interface.
    (config-ppp 1)#ip address 63.12.1.2 255.255.255.248
Step 23. Apply the ACP UNTRUSTED to the WAN interface.
    (config-ppp 1)#access-policy UNTRUSTED
    Note: Since the ACP UNTRUSTED discards anything matching ACL MATCHALL (and MATCHALL permits any traffic), all incoming packets to this interface will be discarded by this ACP.
Step 24. Exit to Global Configuration mode.
    (config-ppp 1)#exit

Sample Script

!
ip firewall
!
ip access-list standard MATCHALL
permit any
!
ip access-list extended INWEB
permit tcp any host 63.12.5.253 eq 80
! - Create Extended Access-List “INWEB”.
! - Permit any TCP traffic with a destination address of 63.12.5.253 and a destination port of 80 (HTTP).
!
ip route 0.0.0.0 0.0.0.0 63.12.1.1
!
ip policy-class TRUSTED
allow list MATCHALL
!
ip policy-class UNTRUSTED
allow list INWEB
discard list MATCHALL
! - Allow any traffic that matches Access-List “INWEB”
! - before discarding any traffic that matches Access-List “MATCHALL”.
!
interface eth 0/1
ip address 63.12.5.254 255.255.255.0
access-policy TRUSTED
!
interface ppp 1
ip address 63.12.1.2 255.255.255.248
access-policy UNTRUSTED

Example 3: Network Address Translation (NAT) on the WAN Interface


This example is a simple network using private IP addresses on the LAN and providing NAT on the WAN
interface to the Internet. The configuration allows the LAN traffic to reach the Internet by performing
NAT. Traffic from the Internet is discarded unless it matches the outbound sessions already created (or has
a destination address and port that match the web server). Changes to the previous configuration are shown
in bold text in the Sample Script on page 16.

Table 4. Step-by-Step Configuration: NAT on the WAN Interface

Step 1. Enter Enable Security mode.
    >enable
Step 2. Enter Global Configuration mode.
    #configure terminal
Step 3. Enable IP firewall functionality.
    (config)#ip firewall
Step 4. Create the ACL MATCHALL and enter the standard access-list command set.
    (config)#ip access-list standard MATCHALL
Step 5. Permit all packets through the configured ACL.
    (config-std-nacl)#permit any
Step 6. Exit to Global Configuration mode.
    (config-std-nacl)#exit
Step 7. Create the extended ACL INWEB and enter the extended access-list command set.
    (config)#ip access-list extended INWEB
Step 8. Permit any TCP traffic with a destination address of 63.12.1.3 and a destination port of 80 (HTTP).
    (config-ext-nacl)#permit tcp any host 63.12.1.3 eq 80
Step 9. Add a default route to the route table.
    (config)#ip route 0.0.0.0 0.0.0.0 63.12.1.1
Step 10. Create the ACP TRUSTED and enter its ACP command set.
    (config)#ip policy-class TRUSTED
Step 11. Enable NAT for traffic that matches the ACL MATCHALL and change the source address to 63.12.1.2.
    (config-policy-class)#nat source list MATCHALL address 63.12.1.2 overload
Step 12. Exit to Global Configuration mode.
    (config-policy-class)#exit
Step 13. Create the ACP UNTRUSTED and enter its ACP command set.
    (config)#ip policy-class UNTRUSTED
Step 14. Enable NAT for traffic that matches the ACL INWEB and change the destination address to 192.168.0.253.
    (config-policy-class)#nat destination list INWEB address 192.168.0.253
Step 15. Configure this ACP to discard any traffic that matches the ACL MATCHALL.
    (config-policy-class)#discard list MATCHALL
Step 16. Exit to Global Configuration mode.
    (config-policy-class)#exit
Step 17. Access configuration parameters for the Ethernet port.
    (config)#interface eth 0/1
Step 18. Assign an IP address and subnet mask to the Ethernet port.
    (config-eth 0/1)#ip address 192.168.0.254 255.255.255.0
Step 19. Apply the ACP TRUSTED to the Ethernet port.
    (config-eth 0/1)#access-policy TRUSTED
    Note: Since the ACP TRUSTED allows anything matching ACL MATCHALL (and MATCHALL permits any traffic), all incoming packets to this interface will be allowed by this ACP.
Step 20. Exit to Global Configuration mode.
    (config-eth 0/1)#exit
Step 21. Access configuration parameters for the PPP interface.
    (config)#interface ppp 1
Step 22. Assign an IP address and subnet mask to the PPP interface.
    (config-ppp 1)#ip address 63.12.1.2 255.255.255.248
Step 23. Apply the ACP UNTRUSTED to the WAN interface.
    (config-ppp 1)#access-policy UNTRUSTED
    Note: Since the ACP UNTRUSTED discards anything matching ACL MATCHALL (and MATCHALL permits any traffic), all incoming packets to this interface will be discarded by this ACP.
Step 24. Exit to Global Configuration mode.
    (config-ppp 1)#exit


Sample Script

!
ip firewall
!
ip access-list standard MATCHALL
permit any
!
ip access-list extended INWEB
permit tcp any host 63.12.1.3 eq 80
! - Create Extended Access-List “INWEB”.
! - Allow any TCP traffic with a destination address of 63.12.1.3 and a destination port of 80 (HTTP).
!
ip route 0.0.0.0 0.0.0.0 63.12.1.1
!
ip policy-class TRUSTED
nat source list MATCHALL address 63.12.1.2 overload
! - Enable NAT for traffic that matches Access-List “MATCHALL” and change
! - the source address to 63.12.1.2.
!
ip policy-class UNTRUSTED
nat destination list INWEB address 192.168.0.253
discard list MATCHALL
! - Enable NAT for traffic that matches Access-List “INWEB” and change
! - the destination address to 192.168.0.253.
!
interface eth 0/1
ip address 192.168.0.254 255.255.255.0
access-policy TRUSTED
! - The IP address is changed to the private address scheme.
!
interface ppp 1
ip address 63.12.1.2 255.255.255.248
access-policy UNTRUSTED
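An added example (Python written for this page, not code from the ProCurve guide or SROS) of the two translations Example 3 configures: "nat source list MATCHALL address 63.12.1.2 overload", where every LAN host is rewritten to the one public address and replies must be mapped back to the right host, and "nat destination list INWEB address 192.168.0.253", where inbound HTTP to the public web address is redirected to the private server. The guide does not describe how overload distinguishes hosts; rewriting the source port from a sequential pool is my assumption, as are the class names and the sample addresses.

```python
class OverloadNat:
    """nat source ... address <public_ip> overload: inside hosts share one public
    address; the source port is rewritten so replies can be demultiplexed."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port            # sequential allocation is an assumption
        self.outbound = {}   # (proto, inside_ip, inside_port) -> public port
        self.inbound = {}    # (proto, public_port) -> (inside_ip, inside_port)

    def translate_outbound(self, proto, src, sport, dst, dport):
        """Rewrite an outbound packet's source; reuse the binding for a known flow."""
        key = (proto, src, sport)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[(proto, self.next_port)] = (src, sport)
            self.next_port += 1
        return (proto, self.public_ip, self.outbound[key], dst, dport)

    def translate_reply(self, proto, src, sport, dst, dport):
        """Undo the translation for a reply. None means no association exists, so the
        packet is left to the rest of the policy (here, discard list MATCHALL)."""
        if dst != self.public_ip:
            return None
        inside = self.inbound.get((proto, dport))
        if inside is None:
            return None
        return (proto, src, sport, inside[0], inside[1])

def destination_nat(pkt, selector_host, selector_port, private_ip):
    """nat destination list INWEB address <private_ip>, where INWEB selects
    'tcp any host <selector_host> eq <selector_port>'. None means INWEB did not select."""
    proto, src, sport, dst, dport = pkt
    if proto == "tcp" and dst == selector_host and dport == selector_port:
        return (proto, src, sport, private_ip, dport)
    return None

def nat_demo():
    """Constructed traffic: two LAN hosts using the same source port, one reply,
    one stray packet, and inbound HTTP and SSH to the public web address."""
    nat = OverloadNat("63.12.1.2")
    a = nat.translate_outbound("tcp", "192.168.0.10", 40000, "203.0.113.5", 80)
    b = nat.translate_outbound("tcp", "192.168.0.11", 40000, "203.0.113.5", 80)
    reply_b = nat.translate_reply("tcp", "203.0.113.5", 80, "63.12.1.2", b[2])
    stray = nat.translate_reply("tcp", "203.0.113.5", 80, "63.12.1.2", 9999)
    web = destination_nat(("tcp", "198.51.100.7", 5555, "63.12.1.3", 80),
                          "63.12.1.3", 80, "192.168.0.253")
    ssh = destination_nat(("tcp", "198.51.100.7", 5555, "63.12.1.3", 22),
                          "63.12.1.3", 80, "192.168.0.253")
    return a, b, reply_b, stray, web, ssh

if __name__ == "__main__":
    for label, value in zip(("host A out", "host B out", "reply to B", "stray", "http in", "ssh in"),
                            nat_demo()):
        print(f"{label:11s} -> {value}")
```

Two hosts using the same source port 40000 is the case overload has to solve: without the port rewrite the reply to 63.12.1.2:40000 would be ambiguous. The stray packet and the SSH attempt both return None and so fall through to discard list MATCHALL, which is why the guide can say that Internet traffic is discarded unless it matches an outbound session or the web server.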


Verifying Your Configuration Using Show Commands


Use the following SROS show commands to display information regarding your configuration. Enter
show commands at any prompt using the do command.

For example:
(config-eth 0/1)#do show ip policy-session

Table 5. Show Commands

show ip access-list
  Displays all configured IP ACLs in the system.
  Sample output:
    Standard IP access list MATCHALL
    permit 192.168.1.0, wildcard bits 0.0.0.255 (31337 matches)
    Standard IP access list SERVER1_OUT
    permit host 192.168.1.100 (0 matches)
    Extended IP access list CORPORATE_TRAFFIC
    permit ip 192.168.1.0, wildcard bits 0.0.0.255 192.168.3.0, wildcard bits 0.0.0.255 (432829 matches)
    Extended IP access list CORPORATE_TRAFFIC_IN
    permit ip 192.168.3.0, wildcard bits 0.0.0.255 192.168.1.0, wildcard bits 0.0.0.255 (2194 matches)
    Extended IP access list REMOTE_USER_TRAFFIC
    permit ip 192.168.1.0, wildcard bits 0.0.0.255 10.10.10.0, wildcard bits 0.0.0.255 (178 matches)
    Extended IP access list REMOTE_USER_TRAFFIC_IN
    permit ip 10.10.10.0, wildcard bits 0.0.0.255 192.168.1.0, wildcard bits 0.0.0.255 (11 matches)

show ip policy-class
  Displays a list of currently configured ACPs.
  Sample output:
    ip policy-class max-sessions 30000
    Policy-class “TRUSTED”:
    1 current sessions (10000 max)
    Entry 1 - allow list CORPORATE_TRAFFIC
    Entry 2 - allow list REMOTE_USER_TRAFFIC
    Entry 3 - nat source list SERVER1_OUT address 141.158.13.58 overload
    Entry 4 - nat source list MATCHALL address 141.158.13.62 overload

    Policy-class “UNTRUSTED”:
    2 current sessions (10000 max)
    Entry 1 - allow list CORPORATE_TRAFFIC_IN
    Entry 2 - allow list REMOTE_USER_TRAFFIC_IN

show ip policy-session
  Displays a list of current ACP associations.
  Sample output:
    Protocol (TTL)
    Src IP Address Src Port Dest IP Address Dst Port
    NAT IP Address NAT Port
    ----------------- --------
    Policy class “TRUSTED”:
    tcp (523)
    192.168.1.70 3790 152.155.209.24 80s
    141.160.13.62 29008
    Policy class “UNTRUSTED”:
    tcp (600)
    208.25.151.99 1141 141.158.56.142 23
    Policy class “self”:
    Policy class “default”:

show ip policy-stats
  Displays a list of current ACP statistics.
  Sample output:
    Global 3 current sessions (30000 max)
    Policy-class “TRUSTED”:
    1 current sessions (10000 max)
    Entry 1 - allow list CORPORATE_TRAFFIC
    10211717 in bytes, 1184 out bytes, 1140 hits
    Entry 2 - allow list REMOTE_USER_TRAFFIC
    0 in bytes, 0 out bytes, 0 hits
    Entry 3 - nat source list SERVER1_OUT address 141.158.56.58 overload
    0 in bytes, 0 out bytes, 0 hits
    Entry 4 - nat source list MATCHALL address 141.158.56.62 overload
    66422200 in bytes, 230583087 out bytes, 31332 hits
    Policy-class “UNTRUSTED”:
    2 current sessions (10000 max)
    Entry 1 - allow list CORPORATE_TRAFFIC_IN
    1306324 in bytes, 139295 out bytes, 2194 hits
    Entry 2 - allow list REMOTE_USER_TRAFFIC_IN
    1051 in bytes, 128 out bytes, 11 hits
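The show ip policy-stats output lends itself to a periodic health check: entries with zero hits are either dead rules or rules shadowed by an earlier entry, and a policy class near its session maximum will start dropping new sessions. The following added Python script (example code, not part of SROS or this guide) parses output in the shape shown above and flags both conditions; the sample text is constructed from the table, with the wrapped lines rejoined as the device prints them.

```python
import re

# Constructed sample in the shape of the show ip policy-stats output above.
SAMPLE = """\
Global 3 current sessions (30000 max)
Policy-class "TRUSTED":
1 current sessions (10000 max)
Entry 1 - allow list CORPORATE_TRAFFIC
10211717 in bytes, 1184 out bytes, 1140 hits
Entry 2 - allow list REMOTE_USER_TRAFFIC
0 in bytes, 0 out bytes, 0 hits
Entry 3 - nat source list SERVER1_OUT address 141.158.56.58 overload
0 in bytes, 0 out bytes, 0 hits
Entry 4 - nat source list MATCHALL address 141.158.56.62 overload
66422200 in bytes, 230583087 out bytes, 31332 hits
"""

CLASS_RE = re.compile(r'^Policy-class [“"]([^”"]+)[”"]:')    # straight or curly quotes
SESS_RE = re.compile(r'^(\d+) current sessions \((\d+) max\)')
ENTRY_RE = re.compile(r'^Entry (\d+) - (.+)$')
STATS_RE = re.compile(r'^(\d+) in bytes, (\d+) out bytes, (\d+) hits')

def parse_policy_stats(text):
    """Return {class: {"sessions": (current, max), "entries": [dict, ...]}}."""
    classes, pc = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := CLASS_RE.match(line):
            pc = classes.setdefault(m[1], {"sessions": (0, 0), "entries": []})
        elif pc is None:                       # skip the Global line
            continue
        elif m := SESS_RE.match(line):
            pc["sessions"] = (int(m[1]), int(m[2]))
        elif m := ENTRY_RE.match(line):
            pc["entries"].append({"n": int(m[1]), "rule": m[2], "hits": 0})
        elif (m := STATS_RE.match(line)) and pc["entries"]:
            pc["entries"][-1].update(in_bytes=int(m[1]), out_bytes=int(m[2]), hits=int(m[3]))
    return classes

def review(stats, util_threshold=0.8):
    """Flag entries that have never matched (dead or shadowed rules) and
    policy classes at or above util_threshold of their session ceiling."""
    findings = []
    for name, pc in stats.items():
        cur, mx = pc["sessions"]
        if mx and cur / mx >= util_threshold:
            findings.append(f"{name}: {cur}/{mx} sessions in use")
        findings += [f"{name} entry {e['n']} ({e['rule']}) has 0 hits"
                     for e in pc["entries"] if e["hits"] == 0]
    return findings
```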


Managing Event Messages


The SROS provides multiple levels of event messages. You can manage these messages in several ways,
based on their assigned priority level. The levels are listed below, from least to most critical.

Priority Level Number   Priority Level
5                       Debug
4                       Information
3                       Notice
2                       Warning
1                       Error
0                       Fatal

There are two management options for the event messages displayed on the console. The default behavior
is to display levels 0 to 3 (i.e., Notice, Warning, Error, and Fatal messages). To display all levels, turn
debug on (using the debug firewall command). If you turn debug off (no debug firewall), you fall back to
displaying levels 0 to 3 (i.e., everything but Information and Debug).

There are additional management options available for event history storage, email notification, and syslog
forwarding. If the event history storage is enabled (using the event-history on command), by default the
SROS logs all messages with priority levels 0 through 3 (i.e. Notice, Warning, Error, and Fatal messages).
You can use the following commands to change the default behavior and set an explicit priority level for
the following options:
• event-history priority <priority level#>: Sets the threshold for events stored in the event history. The
event log is displayed using the show event-history command.
• logging email priority-level <priority level#>: Sets the threshold for events sent to the configured
email addresses (specified using the logging email address-list command).
• logging forwarding priority-level <priority level#>: Sets the threshold for events sent to the
configured syslog server (specified using the logging forwarding receiver-ip command).

When setting the <priority level#>, keep the following in mind:


• When priority 4 is selected, all events (priorities 0 through 4) are logged.
• When priority 3 is selected, events with priority 3, 2, 1, or 0 are logged.
• When priority 2 is selected, events with priority 2, 1, or 0 are logged.
• When priority 1 is selected, events with priority 1 or 0 are logged.
• When priority 0 is selected, only events with priority 0 are logged.

Table 6 on page 20 provides a list of event messages related to the firewall (along with the designated
priority levels).


Table 6. Firewall Events

Event Message Priority Level


Modified Ack: <#> Debug
*Generated with changes to an incoming ACK.
Attempt to login with a wrong name <username> from <ip address> Debug
Attempt to login through browser by <username> from <ip address> Debug
Invalid password supplied by <username> from <ip address> Debug
Attempt to login through Site Authentication by <username> Debug
Unable to allocate memory for RTSP Control Connection Debug
No memory for RTSP control connection Debug
No Empty record to store new data Debug
Nat Port not available Debug
Unexpected End of packet Debug
Client Port and NatPort do not match Debug
Unable to create new connection Debug
IGWbuf allocation failed Debug
*Generated when buffer allocation fails.
Memory not allocated for RTSP data connection Debug
NatPort and Client ports do not match Debug
Unable to allocate memory for RTSP Data connection Debug
Error in creating new connection Debug
Attacks: SynAck: No memory buffers Debug
Attacks: SynAck: Header formation error Debug
ADCreateAssoc: This should not happen Error
*Generated with an invalid user name on a dynamic NAT address.
ADCreateAssoc: Failure in getting IpAddress from Dim Error
UDB found bad user name while retrieving from DBM Error
UDB failed in allocating memory while loading Error
UDB failed in allocating memory for New User Error
<username> is an invalid user Error
Invalid password, auth failed for user <username> Error
Authentication failed for user <username> Error
UDB got an authentication req for user name: <username> Error
Auth successful for <username> :: priv: <privilege level> Incat tmr: <#> Error

IGWIpYankHdr : Count in IGWbuf < IGW_IPLEN Error
*Generated when the unit receives packets with an invalid IP header length.
IpYankHdr : IGWbuf too small to yank IP hdr Error
*Generated when the unit receives packets with an invalid IP header length.
IGWIpYankHdr : Checksum returned error Error
*Generated with an invalid checksum.
IpYankHdr : Length in IP datagram < IP hdr len Error
\nISStatsInit: Failed to set current time Error
Attacks: SendAck: Unable to form IpHdr Error
Crossed 80%% of resource. Possible flooding (TCP) Error
Original Src %s Dst %s TCP Src:%lu Dst:%lu, dropping packet Error
*Generated when logging ICMP messages.
Original Src %s Dst %s UDP Src:%ld Dst:%ld, dropping packet Error
*Generated when logging ICMP messages.
Original Src %s Dst %s ICMP Type:%d, dropping packet Error
*Generated when logging ICMP messages.
ICMP error message contains less data than expected (possible attack), dropping packet Error
Dropping ICMP packet of type %d Error
Packet with unsupported IP Protocol received, dropping packet Error
Possible Land Attack detected, dropping packet Error
Unable to find route for source, dropping packet Error
Spoofing detected, dropping packet Error
Source IP is a broadcast address, dropping packet Error
Unable to determine route to destination, dropping packet Error
TCP connection request received is invalid, dropping packet Error
Invalid ack value received for connection, dropping packet Error
UDP echo response received for uninitiated echo request (possible smurf attack), dropping packet Error
Echo response for uninitiated echo request (possible smurf attack), dropping packet Error
Packet with unsupported IP Protocol received, dropping packet Error
General attack detected, dropping packet Error
Terminating connection as WinNuke Attack detected, OOB packet Error
Invalid sequence number received with Reset, dropping packet Error
Zero bytes transferred for connection Error
Data connection not established from remote Error

Attempt to login with a wrong name %s from %s Error
Attempt to login through browser by %s from %s Error
Invalid password supplied by %s from %s Error
User %s logged in from %s Error
Attempt to login through Site Authentication by %s Error
Ping of Death attack found Error
Length in IP Header > Data length. Possible JOLT attack Error
Reassembly is currently disabled Error
IpReassembly Fragment count exceeds max limit Error
IpReassembly Datagram size exceeds max limit Error
IpReassembly time out Error
IP Spoofing check bypassed for RIP packet Information
Packet out of order Information
Dropping out of order packet Information
Incoming NatIp <ip address> Information
GetPortMap failed. Exiting function. Information
date =%s Information
*Generated when showing last login data.
time = %S Information
*Generated when showing last login data.
UDBVerifyUser:Authenticating user from user data base Information
Attacks: SendAck: IpHdr formed successfully Information
Attacks: SendAck: Source = %lx Destination = %lx Cnt = %d Information
IGWBuf in Firewall is %x Information
*Generated when showing firewall buffer.
Deny Access Policy matched, dropping packet Information
Bytes transferred for connection: %lu Information
Unable to allocate memory for NAT portmap (%lx->%lx) Notice
Attempt to de-register port map for unavailable NIP %lx-%lx Notice
Something went wrong in function ADLDelNatPort Notice
*Generated when listen port is null.
Unable to get PortMap for NAT %lx Port %d Notice
ADAlgRegisterNatPorts:Invalid Range StartPort %ld EndPort %ld Notice
ADAlgRegisterNatPorts:Trying to register twice. AlgId %d Protocol %d Notice

ADAlgRegisterNatPorts:Some ports in the specified Range already Registered AlgId %d Protocol %d StartPort %ld EndPort %ld Notice
ADAlgRegisterNatPorts: Unable to get memory Notice
Ceiling for number of connections reached, dropping packet Notice
Maximum connections to box reached, dropping packet Notice
Memory allocation for connection failed, dropping packet Notice
Send Syn to corporate network failed Notice
Received DHCP request Notice
Unable to send syn packet Notice
Attempt to release incorrect TCP nat port Notice
Attempt to release incorrect UDP nat port Notice
Attempt to release incorrect ICMP nat port Notice
Unable to get Port for Protocol %d Notice
Unable to get PortMap for NAT %lx:%ld Port %u Notice
Unable to free Unknown Protocol NAT port for %lx:%ld Notice
Unable to free TCP NAT port for %lx:%ld Notice
Unable to free UDP NAT port for %lx:%ld Notice
Unable to free ICMP NAT port for %lx:%ld Notice
Unable to free GRE NAT port for %lx:%ld Notice
Memory allocation for AppRegister failed Notice
H.323:Failed to Allocate Nat Port Notice
H.323:Failed to Create memory for pH323_T120 Notice
H.323:Failed to Create memory for pH323_RtpRtcp Notice
H.323:Failed to make connection for H323T120 Notice
H.323:Failed to make connection for H323RtpRtcp Notice
H.323:Failed to Allocate Memory for H323T120 Notice
Ftp ALG Alloc Entry Failed! Notice
Invalid FTP PASV cmd reply seen, dropping packet Notice
FTP Get port failed Notice
H.323:Registration Failed because InitPerBuffers Failed Notice
H.323: Unable to get Nat port Notice
H.323:Failed to Allocate memory for H323_H245 Connection Notice
H.323:Failed to make H323_H245 Connection Notice

N2P ALG Alloc Entry Failed! Notice
Pptp Alloc Entry Failed! Notice
Rpc Alloc Entry Failed! Notice
RPC Program Number %lu denied Notice
Stored RPC transaction Id doesn't match server response, dropping packet Notice
RPC Server's response is undecipherable, dropping packet Notice
IRC:Failed to allocate memory for IRC connection Notice
IRC:No of Messages are more than MAX_IRC_REQUESTS Notice
IRC:Size of Message is more than MAX_IRCSIZE Notice
IRC:Something wrong 1 Notice
*Generated when too much data is present.
IRC:Something gone wrong in Notice Message Notice
*Generated when too much data is present.
IRC:Something wrong 2 Notice
*Generated when too much data is present.
IRC:Unable to Allocate memory for IRCData Notice
IRC:Unable to create dynamic association for IRC Notice
IRC:Unable to create IGWbuf for IRC Notice
RTSP:Failed to allocate memory for RTSP connection Notice
RTSP:Failed to allocate IGWbuf for RTSP connection Notice
RTSP:Failed to NatPort for RTSP connection Notice
RTSP:Failed to Create RTSP Data connection Notice
Access Policy not found, dropping packet Warning
IN bound Access Policy not found, dropping packet Warning
FTP Cmd %.10s denied, dropping packet Warning
SMTP Cmd %.10s denied, dropping packet Warning
Attempt to contact ProxyServer, dropping packet Warning
HTTP File %.20s denied, dropping packet Warning

Copyright 2005 Hewlett-Packard Development Company, LP. The information contained herein is subject to change without notice.