Force10 Networks P-Series 100-00055-01 User Manual: Allowing Traffic through the Firewall; Writing Rules for a Firewall Deployment


P-Series Installation and Operation Guide, version 2.3.1.2


Allowing Traffic through the Firewall

To allow packets through the firewall, you must write rules that match the packets you want the appliance to
forward. Rules can be as simple as allowing traffic destined to a port. Stateful rules can be used to allow
all traffic belonging to an established connection. To allow non-IP traffic to pass through the firewall,
you must select “Yes” for compiler option 2, as described in Table 8 on page 56.

Sample rules for a firewall deployment are available in file pnic-compiler/rules/fw.rules.

Writing Rules for a Firewall Deployment

Rules for a firewall deployment are written in the same Snort-based syntax as IDS/IPS rules. The
difference is that you must describe packets that you want to forward, rather than block. See
P-Series Rule Syntax on page 66.

In Table 25, stateful rules are used to allow specified traffic into the internal network. Notice that in the
incoming direction, the policies require that the packet be destined to a set of allowed ports, while in the
outgoing direction, there is no port requirement. This asymmetry produces typical firewall behavior.

The Drop mode can also accommodate arbitrary rules that do not assume an inside and outside interface.
This is an attractive quality since the notion of inside and outside is often blurred in modern network
topologies. Also note that traditional IPS and IDS rules can be coupled with the firewall rules to block
packets and/or capture suspicious packets.
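The following is an added illustration, not code from the P-Series guide or from Force10, of the asymmetric stateful policy the section describes: inbound packets are forwarded only when they open a connection to an allowed destination port, outbound packets are forwarded with no port requirement, and any packet belonging to a connection already recorded as established is forwarded regardless of direction. The port set, addresses and the `StatefulFirewall` class are constructed for the example; the real appliance evaluates compiled Snort-syntax rules rather than this Python model.

```python
from dataclasses import dataclass

# Constructed example policy: the only ports an outside host may connect to.
ALLOWED_INBOUND_PORTS = {22, 80, 443}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "in" = external -> internal, "out" = internal -> external


class StatefulFirewall:
    """Toy model of the inside/outside firewall behaviour described in the text."""

    def __init__(self, allowed_inbound_ports):
        self.allowed = set(allowed_inbound_ports)
        # Connections already permitted; keyed independently of direction so a
        # reply packet matches the entry created by the connection's first packet.
        self.established = set()

    @staticmethod
    def _key(pkt):
        return frozenset({(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)})

    def decide(self, pkt):
        key = self._key(pkt)
        # Stateful rule: anything on an established connection is forwarded.
        if key in self.established:
            return "forward"
        # Outgoing direction: no port requirement, and the connection becomes established.
        if pkt.direction == "out":
            self.established.add(key)
            return "forward"
        # Incoming direction: only connections to allowed destination ports are opened.
        if pkt.direction == "in" and pkt.dst_port in self.allowed:
            self.established.add(key)
            return "forward"
        # Drop mode: everything not explicitly described by a rule is dropped.
        return "drop"


def run_demo():
    """Return the decisions for a constructed packet sequence."""
    fw = StatefulFirewall(ALLOWED_INBOUND_PORTS)
    inside, outside = "10.0.0.5", "203.0.113.7"
    packets = [
        # 1. Inside host opens a connection to an outside port not in the allowed set.
        Packet(inside, 40001, outside, 8080, "out"),
        # 2. The reply comes back on that same connection: forwarded because it is established.
        Packet(outside, 8080, inside, 40001, "in"),
        # 3. A fresh inbound connection to port 8080: dropped, port not allowed.
        Packet(outside, 50001, inside, 8080, "in"),
        # 4. A fresh inbound connection to port 443: forwarded, port allowed.
        Packet(outside, 50002, inside, 443, "in"),
        # 5. The inside host's reply on connection 4: forwarded as established.
        Packet(inside, 443, outside, 50002, "out"),
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for i, verdict in enumerate(run_demo(), 1):
        print(f"packet {i}: {verdict}")
```

Packets 2 and 5 show why the stateful rule matters: without the established-connection check, the reply in packet 2 would be evaluated as a new inbound packet to port 40001 and dropped, breaking every outbound connection.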
