Packet filtering rule configuration examples
Chapter VII, Packet Filtering Technology, of the Oriental Longma Firewall User Manual introduced the parameters of a packet filtering rule. Because packet filtering rules are the main basis on which the firewall controls access between the internal and external networks, writing custom rules is one of the key firewall configuration tasks, and this section gives worked configuration examples for it. Custom rules vary with requirements, but they follow a common pattern with only a few differences, so once the pattern is understood they are not hard to write.
This section groups custom rules by the operation the rule performs on a matching packet. There are three operations, Accept, Deny and Divert (redirect), and a configuration example is given for each:
Example rules that accept (Accept) packets
Example rules that reject (Deny) packets
Example rules that redirect (Divert) packets
Example rules that accept (Accept) packets
Accepting a packet (that is, allowing it to pass) is one of the operations a custom rule can apply to a matching packet. Because the firewall's default rule rejects packets, any traffic that should pass must be explicitly accepted by a custom rule; otherwise the default rule refuses to forward it.
The examples again use the network planning topology of Figure 2-2 in the user manual, reproduced here as Figure 7-8. Custom rules that accept packets cover many practical cases, for example:
1. Allow one host in the internal network (192.168.1.2) to access a host in another network segment (192.168.112.8) using FTP.
2. As in 1, but for other services such as HTTP, POP3, Telnet and SMTP.
3. Allow any host in the network segment 192.168.1.0 to Telnet to the host 192.168.2.2.
Figure 7-8 Network planning configuration topology
Customizing the rules
The rules for the three cases are customized as follows.
1. Example 1 translates into: port 21 of 192.168.112.8 accepts packets sent by 192.168.1.2. The access path is marked by the arrows in Figure 7-8 and has essentially two steps: the packet sent by host 192.168.1.2 enters the firewall; the firewall then forwards the packet to port 21 of host 192.168.112.8. Each step needs its own sub-rule, as described below.
A. First, double-click the "Rule Settings" item under the "Packet Filter" icon in the navigation tree of the Configuration Management main interface. The Packet Filter Rule Settings window of Figure 7-1 opens; click its 'Add' button, and the Add Rule Control Block window of Figure 7-2 pops up.
Figure 7-1 Rule Settings window
Figure 7-2 Add Rule Control Block window
In the Add Rule Control Block window fill in a name that is as descriptive as possible, for example 192.168.1.2 to 192.168.112.8. Then fill in a description of the rule, which can also name the protocol it uses, for example Rule 192.168.1.2 Access 192.168.112.8. The completed window is shown in Figure 7-9.
Figure 7-9 Add rule control block example -A
B. Add the sub-rule for the packet sent by 192.168.1.2 entering the firewall.
Click the 'Add' button in the window of Figure 7-9. The detailed attributes window of Figure 7-3, used to add the detailed attributes of a sub-rule, pops up; fill in its items as follows:
Figure 7-3 Add rule detailed attributes
Name: the name of this sub-rule, for example Inbound, meaning the packet enters the firewall.
Description: a fuller description of the sub-rule, for example IP Packet Inbound FireWall.
Source address and source address mask: the packet is sent by 192.168.1.2, so the source address is 192.168.1.2; since this identifies a single host, the mask is 255.255.255.255.
Source port: the source host may use any port to reach port 21 of the destination, so fill in 0, which stands for any port.
Source port operation: choose != (not equal); together with source port 0 this means any port not equal to 0, that is, any port.
Destination address and destination address mask: although this sub-rule describes the packet reaching the firewall, its final destination is 192.168.112.8, so fill in 192.168.112.8 with mask 255.255.255.255 to denote a single host.
Destination port: this rule describes access to the FTP port of 192.168.112.8, so fill in 21.
Destination port operation: the destination port is fixed at 21, so the operator is = (equal).
Interface name: as the arrow in Figure 7-8 shows, this step of the rule passes through network interface card Eth1, so fill in Eth1.
NIC security ID: this parameter goes with the interface name and gives the security identity of the NIC. Eth1 is the secure NIC serving the LAN area, so fill in LAN.
Routing setting: the packet passes through the firewall rather than terminating at it, so the firewall is acting as a router; choose ROUTE.
Direction: the packet is travelling into the firewall, so choose Inbound.
Tunnel ID: may be left blank (reserved for VPN use).
Log: choose from the drop-down menu whether matching packets are logged; logging is selected here.
Source routing: choose Reject, which drops packets that carry the source-route option. This is the system default and is recommended.
Allow fragments: choose FRAG_NO, the system default.
Operation: choose Accept, so that packets meeting all the conditions above are allowed through.
Redirect port: because Accept is selected, no redirect port is needed and this parameter is greyed out.
All parameters are now defined, as shown in Figure 7-10.
Figure 7-10 Packet filtering rule parameters example -B
Click 'OK' and the sub-rule is added. The window of Figure 7-11 pops up; it is the same as Figure 7-9 except that the rule now contains a new sub-rule named Inbound.
Figure 7-11 A new sub-rule added to the rule control block
This sub-rule states the packet's path and the restrictions on it: packets from host 192.168.1.2 entering the firewall through the secure LAN NIC Eth1 on their way to port 21 of host 192.168.112.8 are allowed.
C. Add the sub-rule for the packet leaving the firewall towards port 21 of host 192.168.112.8.
After the inbound sub-rule is added the window of Figure 7-11 is shown again. Click its 'Add' button; the detailed attributes window pops up for the sub-rule that forwards the packet, once it has passed through the firewall, on to port 21 of host 192.168.112.8. Fill in its items as follows:
Name: the name of this sub-rule, for example Outbound, meaning the packet is sent out by the firewall.
Description: a fuller description, for example IP Packet Outbound FireWall.
Source address and source address mask: note that although the packet is now being sent by the firewall, it originally came from 192.168.1.2, so the source address is still 192.168.1.2 with mask 255.255.255.255.
Source port: still any port, written as 0.
Source port operation: still != (not equal), which together with port 0 means any port.
Destination address and destination address mask: the final destination is 192.168.112.8, with mask 255.255.255.255 to denote a single host.
Destination port: unchanged, 21.
Destination port operation: still = 21, so the operator is = (equal).
Interface name: as the arrow in Figure 7-8 shows, in this step the firewall sends the packet on to its destination through network interface card Eth0, so fill in Eth0.
NIC security ID: goes with the interface name; Eth0 is the non-secure NIC, so fill in unsec.
Routing setting: the packet is forwarded by the firewall host to another host; the destination is remote, so choose ROUTE.
Direction: the packet leaves the firewall towards the external network, so choose Outbound.
Tunnel ID: may be left blank (reserved for VPN use).
Log: choose from the drop-down menu whether matching packets are logged; logging is selected here.
Source routing: choose Reject, which drops packets that carry the source-route option. This is the system default and is recommended.
Allow fragments: choose FRAG_NO, the system default.
Operation: choose Accept, so that packets meeting all the conditions above are allowed through.
Redirect port: because Accept is selected, no redirect port is needed and this parameter is greyed out.
All parameters are now defined, as shown in Figure 7-12.
Figure 7-12 Packet filtering rule parameters example -C
Click 'OK' and the sub-rule is added. The window of Figure 7-13 pops up, showing one more sub-rule in the rule, named Outbound.
Figure 7-13 Two sub-rules added to the rule control block
Summary: click 'OK' in the window of Figure 7-13 and the rule of Example 1 (named 192.168.1.2 to 192.168.112.8) is complete: host 192.168.1.2 in the internal network may access the FTP port of host 192.168.112.8 in another network segment. Because the access was split into two steps, the rule contains two sub-rules, Inbound and Outbound. Note that this rule covers only the FTP control connection on port 21; FTP also opens a separate data connection (from server port 20 in active mode, or to a server-chosen port in passive mode), which these sub-rules do not match.
2. Example 2 differs from Example 1 only in the port, so the rule is set up in the same way with the destination port changed to that of the service concerned. The ports are:
HTTP 80
POP3 110
Telnet 23
SMTP 25
3. For Example 3, allowing a whole network segment to Telnet to one host, the procedure is much the same as for Example 1. Change the source address to the address of the segment, 192.168.1.0, with mask 255.255.255.0 to denote a network segment; the destination address is the host 192.168.2.2 with mask 255.255.255.255; and use the Telnet port, 23. The inbound sub-rule is shown in Figure 7-14.
Figure 7-14 Example 3 sub-rule attributes -B
As in Example 1, this rule also needs two sub-rules in its control block, so the attributes of the second sub-rule must be filled in as well. The source address is again the segment 192.168.1.0 with mask 255.255.255.0; the destination address is again host 192.168.2.2 with mask 255.255.255.255; and the Telnet port is used. This sub-rule governs the packet leaving the firewall for the DMZ area, so the interface name is Eth2 and the NIC security ID is DMZ, the secure NIC serving the DMZ. In these items it differs from step C of Example 1. The attributes are shown in Figure 7-15.
Figure 7-15 Example 3 sub-rule attributes -C
This has been a brief introduction to rules whose operation is to accept packets. The examples are limited, but they show that once the requirement is clear and the meaning of each parameter is understood, rules of any kind are not hard to write. The sections below give examples of the other rule types.
Example rules that reject (Deny) packets
The default rule of the firewall rejects packets. Filtering works as follows: the packet is compared in turn against each rule in the rule list; as soon as the packet's information matches a rule, the firewall applies that rule's operation, accepting the packet, rejecting it, or redirecting it to another port, strictly as the rule specifies. If no rule matches, the firewall applies the default rule and rejects the packet. Because the default rule already rejects, one might think there is no need to write explicit deny rules. In fact special deny rules are still needed. As just described, before the default rule is reached the custom rules are tried in order, and one of them may match some of the packet's information and cause the packet to be accepted or redirected rather than rejected. That can create a security hole. This is why rule order, mentioned under the features of packet filtering, is so important: deny rules are as important as any other, they should be as specific as possible, and they must be placed ahead of the accept and redirect rules they are meant to override. There are many cases that call for a deny rule, for example: the external non-secure network is not allowed to access the internal secure network.
Translated into a rule: the LAN segment (192.168.1.0) rejects packets from the external network. External addresses are unknown and varied, so the source is written as 0.0.0.0, which stands for any address.
Customizing the rules
A rule is now written for the requirement above.
Note that in this example the access path runs opposite to the arrows in Figure 7-8. It again has two steps, described in detail below.
A. First, double-click the "Rule Settings" item under the "Packet Filter" icon in the navigation tree of the Configuration Management main interface. The Packet Filter Rule Settings window of Figure 7-1 opens; click its 'Add' button, and the Add Rule Control Block window of Figure 7-2 pops up.
In the Add Rule Control Block window fill in a name that is as descriptive as possible, for example Deny Wan. Then fill in a description, for example Deny Wan to Access 192.168.1.0. The completed window is shown in Figure 7-16.
Figure 7-16 Add rule control block example -A
B. Add the sub-rule for packets from the external network entering the firewall.
Click the 'Add' button in the window of Figure 7-16; the detailed attributes window of Figure 7-3 pops up. Fill in its items as follows:
Name: the name of this sub-rule, for example Inbound.
Description: a fuller description, for example IP Packet Inbound FireWall.
Source address and source address mask: the packet comes from the external network, so the source address is 0.0.0.0 and the mask is also 0.0.0.0, which matches any address.
Source port: since the source address is arbitrary, the source port is arbitrary too; write 0.
Source port operation: != (not equal); together with port 0 this means any port.
Destination address and destination address mask: the final destination is the network segment 192.168.1.0, so fill in 192.168.1.0 with mask 255.255.255.0 to denote a segment.
Destination port: external access to the LAN could target any port, so the destination port is any port, written 0.
Destination port operation: != (not equal); together with port 0 this means any port.
Interface name: in this step the packet reaches the firewall through the non-secure network interface card Eth0, so fill in Eth0.
NIC security ID: Eth0 is the non-secure NIC, so its security ID is unsec.
Routing setting: the packet would pass through the firewall rather than terminate at it, so the firewall is acting as a router; choose ROUTE.
Direction: the packet travels into the firewall, so choose Inbound.
Tunnel ID: may be left blank (reserved for VPN use).
Log: choose from the drop-down menu whether matching packets are logged; logging is selected here.
Source routing: choose Reject, which drops packets that carry the source-route option. This is the system default and is recommended.
Allow fragments: choose FRAG_NO, the system default.
Operation: choose Deny, so that packets meeting all the conditions above are rejected.
Redirect port: because Deny is selected, no redirect port is needed and this parameter is greyed out.
All parameters are now defined, as shown in Figure 7-17.
Figure 7-17 Packet filtering rule parameters example -B
Click 'OK' and the sub-rule is added. The window of Figure 7-18 pops up, showing the new sub-rule named Inbound.
Figure 7-18 A new sub-rule added to the rule control block
This sub-rule states the packet's path and the restriction on it: packets from any address (0.0.0.0) entering the firewall through the non-secure NIC Eth0 to reach the 192.168.1.0 segment are rejected.
With this sub-rule added, the rule for external access is in fact complete: the firewall rejects every packet from the external network on the basis of it, so none of them is ever forwarded out through another NIC such as Eth1. Step C below is therefore optional, but adding it makes the packet filter more robust.
C. In the window of Figure 7-18 click 'Add' again to add the second sub-control block; the window of Figure 7-3 pops up. Fill in its items as follows:
Name: the name of this sub-rule, for example Outbound.
Description: a fuller description, for example IP Packet Outbound FireWall.
Source address and source address mask: the packet comes from the external network, so the source address is 0.0.0.0 with mask 0.0.0.0.
Source port: any port, written 0.
Source port operation: != (not equal); together with port 0 this means any port.
Destination address and destination address mask: the final destination is the segment 192.168.1.0, so fill in 192.168.1.0 with mask 255.255.255.0 to denote a segment.
Destination port: any port, written 0.
Destination port operation: != (not equal); together with port 0 this means any port.
Interface name: in this step the packet would leave the firewall through the secure network interface card Eth1, so fill in Eth1.
NIC security ID: Eth1 is the secure NIC serving the LAN area, so its security ID is LAN.
Routing setting: the packet would be forwarded by the firewall host to another host; the destination is remote, so choose ROUTE.
Direction: the packet would travel from the firewall into the LAN, so choose Outbound.
Tunnel ID: may be left blank (reserved for VPN use).
Log: choose from the drop-down menu whether matching packets are logged; logging is selected here.
Source routing: choose Reject, which drops packets that carry the source-route option. This is the system default and is recommended.
Allow fragments: choose FRAG_NO, the system default.
Operation: choose Deny, so that packets meeting all the conditions above are rejected.
Redirect port: because Deny is selected, no redirect port is needed and this parameter is greyed out.
All parameters are now defined, as shown in Figure 7-19.
Figure 7-19 Packet filtering rule parameters example -C
Click 'OK' and the sub-rule is added. The window of Figure 7-20 pops up, showing the new sub-rule named Outbound.
Figure 7-20 Two sub-rules added to the rule control block
Summary: click 'OK' in the window of Figure 7-20 and the rule of this example (named Deny Wan) is complete: any host in the external network is rejected when it tries to access the 192.168.1.0 segment. Because the path was split into two steps, the rule contains two sub-rules, Inbound and Outbound. Remember to place this rule ahead of any accept or redirect rule that could otherwise match the same packets.
This has been a brief introduction to rules whose operation is to reject packets.
Example rules that redirect (Divert) packets
Packet redirection is used mainly for proxies. In the design of the Oriental Longma firewall, a DMZ (demilitarized zone) is set up within the secure network to isolate particular servers; WWW, FTP, SMTP and other servers can be placed there. The firewall provides HTTP, TELNET, FTP, SMTP and POP3 proxy services. To use them, a rule simply specifies the redirect port, and matching packets are handed to that port for further transmission and processing by the proxy. Besides enabling the proxies, a custom rule is needed for every host or network segment that will use them; the rule states that the firewall redirects those hosts' packets to the corresponding service port, where the proxy server handles the access. Rules for HTTP, Telnet, FTP, SMTP and POP3 must therefore be defined.
Customizing the rules
The HTTP service is used as the example below; the redirect port used is also HTTP. The procedure is as follows:
A. First, double-click the "Rule Settings" item under the "Packet Filter" icon in the navigation tree of the Configuration Management main interface. The Packet Filter Rule Settings window of Figure 7-1 opens; click its 'Add' button, and the Add Rule Control Block window of Figure 7-2 pops up.
In the Add Rule Control Block window fill in a name that is as descriptive as possible, for example HTTP. Then fill in a description that can also name the protocol used, for example Allow All HTTP Traffic; the protocol is TCP. The completed window is shown in Figure 7-21.
Figure 7-21 Add rule control block example -A
B. Click the 'Add' button in the window of Figure 7-21; the detailed attributes window of Figure 7-3 pops up. Fill in its items as follows:
Name: the name of this sub-rule, for example Inbound.
Description: a fuller description, for example Allow Inbound Traffic.
Source address and source address mask: in the topology it is the internal network (LAN) that needs the HTTP proxy service, so the source is the internal segment, 192.168.1.0 with mask 255.255.255.0.
Source port: any port, written 0.
Source port operation: != (not equal); together with port 0 this means any port.
Destination address and destination address mask: this rule lets the internal network reach the external network, that is, browse the Internet, so the external address is not known in advance; write 0.0.0.0 with mask 0.0.0.0.
Destination port: the HTTP service uses a specific port, so fill in 80.
Destination port operation: = (equal); together with the destination port this means port 80 exactly.
Interface name: in this step the packet reaches the firewall through the secure network interface card Eth1, so fill in Eth1.
NIC security ID: Eth1 is the secure NIC, so its security ID is LAN.
Routing setting: the packet passes through the firewall; choose ROUTE.
Direction: the packet travels into the firewall, so choose Inbound.
Tunnel ID: may be left blank (reserved for VPN use).
Log: choose from the drop-down menu whether matching packets are logged; logging is selected here.
Source routing: choose Reject, which drops packets that carry the source-route option. This is the system default and is recommended.
Allow fragments: choose FRAG_NO, the system default.
Operation: choose Divert (redirect), so that packets meeting all the conditions above are redirected.
Redirect port: the redirect port should be that of the HTTP proxy service, so choose HTTP.
All parameters are now defined, as shown in Figure 7-22.
Figure 7-22 Packet filtering rule parameters example -B
Click 'OK' and the sub-rule is added. The window of Figure 7-23 pops up, showing the new sub-rule named Inbound.
Figure 7-23 A new sub-rule added to the rule control block
C. In the window of Figure 7-23 click 'Add' again to add the second sub-control block; the window of Figure 7-3 pops up. Fill in its items as follows:
Name: for example Outbound.
Description: for example Allow Outbound Traffic.
Source address and source address mask: again 192.168.1.0 with mask 255.255.255.0.
Source port: any port, written 0.
Source port operation: != (not equal); together with port 0 this means any port.
Destination address and destination address mask: the external address is not known in advance, so 0.0.0.0 with mask 0.0.0.0.
Destination port: the HTTP service uses a specific port, so fill in 80.
Destination port operation: = (equal); together with the destination port this means port 80 exactly.
Interface name: in this step the packet leaves the firewall through the network interface card connected to the external network, Eth0, so fill in Eth0.
NIC security ID: Eth0 is the non-secure NIC, so its security ID is unsec.
Routing setting: the packet is forwarded by the firewall host to another host; the destination is remote, so choose ROUTE.
Direction: the packet travels from the firewall to the external network, so choose Outbound.
Tunnel ID: may be left blank (reserved for VPN use).
Log: choose from the drop-down menu whether matching packets are logged; logging is selected here.
Source routing: choose Reject, which drops packets that carry the source-route option. This is the system default and is recommended.
Allow fragments: choose FRAG_NO, the system default.
Operation: choose Divert (redirect), so that packets meeting all the conditions above are redirected.
Redirect port: the redirect port should be that of the HTTP proxy service, so choose HTTP.
All parameters are now defined, as shown in Figure 7-24.
Figure 7-24 Packet filtering rule parameters example -C
Click 'OK' and the sub-rule is added. The window of Figure 7-25 pops up, showing the new sub-rule named Outbound.
Figure 7-25 Two sub-rules added to the rule control block
This completes the rule for the HTTP service. Rules for FTP, SMTP, Telnet and the other services are customized in the same way; only the destination port and the redirect port change. Once rules for all the services have been added, every host in the internal LAN can use the proxy services, and through these rules the firewall strictly restricts what enters and leaves through them.
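To make the three operations concrete, the following is an added example, not code from the Oriental Longma firewall or from its manual. It models in Python the rule semantics this chapter describes: masked address matching, the "!= 0" idiom for any port, the Inbound/Outbound sub-rule pair that each rule control block holds, first-match evaluation down the rule list, and the fall-through to the default rule that denies. It encodes the Example 1 FTP rule and Example 3 Telnet rule from the Accept section, the Deny Wan rule, and the HTTP Divert rule, and ordering_demo() shows the point made in the Deny section: the same external packet is accepted or rejected depending only on whether Deny Wan sits before or after a broad accept rule. The names Rule, decide and control_block, and the first-match and default-deny behaviour, are assumptions drawn from the text rather than the product's implementation; all packets are constructed, not captured.

```python
"""Model of the rule semantics in this chapter's three examples.
Added example, not code from the Oriental Longma firewall or its manual.
Field names follow the examples; first-match order, default-deny
fall-through and the Rule/decide/control_block names are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ANY = "0.0.0.0"            # address 0.0.0.0 with mask 0.0.0.0: any host
HOST = "255.255.255.255"   # mask for a single host
NET24 = "255.255.255.0"    # mask for a segment such as 192.168.1.0

def addr_matches(addr, rule_addr, mask):
    """Masked comparison: (addr & mask) == (rule_addr & mask)."""
    a, r, m = (int(IPv4Address(x)) for x in (addr, rule_addr, mask))
    return (a & m) == (r & m)

def port_matches(port, op, rule_port):
    """'=' needs equality, '!=' inequality; the manual writes 'any port'
    as '!= 0', which every real port (1..65535) satisfies."""
    if op == "=":
        return port == rule_port
    if op == "!=":
        return port != rule_port
    raise ValueError(f"unknown port operator {op!r}")

@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    src_mask: str
    dst: str
    dst_mask: str
    dst_port_op: str
    dst_port: int
    iface: str                      # Eth0 (unsec), Eth1 (LAN) or Eth2 (DMZ)
    direction: str                  # "Inbound" into / "Outbound" out of the firewall
    action: str                     # "ACCEPT", "DENY" or "DIVERT"
    redirect: Optional[str] = None  # proxy service name, DIVERT only
    src_port_op: str = "!="         # "!= 0": the examples' "any source port"
    src_port: int = 0

    def matches(self, pkt):
        return (pkt["iface"] == self.iface
                and pkt["direction"] == self.direction
                and addr_matches(pkt["src"], self.src, self.src_mask)
                and port_matches(pkt["sport"], self.src_port_op, self.src_port)
                and addr_matches(pkt["dst"], self.dst, self.dst_mask)
                and port_matches(pkt["dport"], self.dst_port_op, self.dst_port))

def decide(rules, pkt):
    """First matching rule decides; no match falls to the default rule, DENY."""
    for rule in rules:
        if rule.matches(pkt):
            tag = f"DIVERT:{rule.redirect}" if rule.action == "DIVERT" else rule.action
            return tag, rule.name
    return "DENY", "default"

def control_block(name, src, src_mask, dst, dst_mask, dport,
                  in_iface, out_iface, action="ACCEPT", redirect=None):
    """The Inbound/Outbound sub-rule pair of one rule control block: same
    addresses and ports, only NIC and direction differ.  dport=0 means any port."""
    common = dict(src=src, src_mask=src_mask, dst=dst, dst_mask=dst_mask,
                  dst_port_op="=" if dport else "!=", dst_port=dport,
                  action=action, redirect=redirect)
    return [Rule(f"{name}/Inbound", iface=in_iface, direction="Inbound", **common),
            Rule(f"{name}/Outbound", iface=out_iface, direction="Outbound", **common)]

# The chapter's rules, as control blocks
FTP_RULE = control_block("192.168.1.2 to 192.168.112.8", "192.168.1.2", HOST,
                         "192.168.112.8", HOST, 21, "Eth1", "Eth0")
TELNET_DMZ = control_block("Telnet to DMZ", "192.168.1.0", NET24,
                           "192.168.2.2", HOST, 23, "Eth1", "Eth2")
DENY_WAN = control_block("Deny Wan", ANY, ANY, "192.168.1.0", NET24, 0,
                         "Eth0", "Eth1", action="DENY")
HTTP_PROXY = control_block("HTTP", "192.168.1.0", NET24, ANY, ANY, 80,
                           "Eth1", "Eth0", action="DIVERT", redirect="HTTP")

def packet(src, sport, dst, dport, iface, direction):
    """Constructed packet header for the examples (not captured traffic)."""
    return dict(src=src, sport=sport, dst=dst, dport=dport, iface=iface, direction=direction)

def trace(rules, src, sport, dst, dport, in_iface, out_iface):
    """Both steps of an example: enter on in_iface, then (if accepted) leave on out_iface."""
    step1 = decide(rules, packet(src, sport, dst, dport, in_iface, "Inbound"))
    if step1[0] != "ACCEPT":
        return step1
    return decide(rules, packet(src, sport, dst, dport, out_iface, "Outbound"))

def ordering_demo():
    """Deny Wan placed after, then before, a broad accept: only the second denies."""
    broad = control_block("Allow all to LAN", ANY, ANY, "192.168.1.0", NET24, 0, "Eth0", "Eth1")
    probe = packet("203.0.113.5", 40000, "192.168.1.2", 23, "Eth0", "Inbound")
    return decide(broad + DENY_WAN, probe)[0], decide(DENY_WAN + broad, probe)[0]

if __name__ == "__main__":
    print(trace(FTP_RULE, "192.168.1.2", 3456, "192.168.112.8", 21, "Eth1", "Eth0"))
    print(decide(HTTP_PROXY, packet("192.168.1.5", 50000, "203.0.113.80", 80, "Eth1", "Inbound")))
    print(ordering_demo())
```

Running the file prints the FTP trace ending at the Outbound sub-rule, the HTTP packet diverted at the Inbound sub-rule, and the pair ("ACCEPT", "DENY") from ordering_demo(). Two caveats the examples leave open: the model, like the manual's examples, matches only the forward direction of each connection, and the manual does not say whether reply packets (for instance from port 21 of 192.168.112.8 back to 192.168.1.2, arriving on Eth0 Inbound) are matched automatically. If the filter is purely per-packet, replies need rules of their own, and a Deny Wan rule placed ahead of them on Eth0 Inbound would drop those replies as well; confirm the product's behaviour before relying on Deny Wan exactly as written.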
Configuration example summary
The examples above illustrate the configuration of packet filtering rules. They are not exhaustive, but each parameter has been analysed to help the user understand what it means. In short, once the actual requirement is clear, the meaning of each parameter is understood and the values to be filled in have been worked out, customizing rules of any kind is simple and convenient.