Firewall cli commands, Firewall cli commands -19 – Enterasys Networks Security Router X-PeditionTM User Manual


XSR User’s Guide 16-19

Firewall CLI Commands

The XSR provides configuration objects which, used in policy rules, can be specified at the CLI.
These and other firewall commands are as follows:

Network - Identifies a network or host. A network with a subnet address, or a host with an
address and 32-bit mask, is specified with ip firewall network. The command also configures
whether the network or host resides on the trusted/internal or un-trusted/external network.

You can configure a network object from an internal address to any address on the Internet as
follows:

XSR(config)#ip firewall network Any_address 1.0.0.1 255.255.255.254 external

or

XSR(config)#ip firewall network Internet 0.0.0.0 mask 0.0.0.0 external

Network group - Defines a group of network objects with ip firewall network-group. You can
group up to ten objects, referenced by a single name, for simpler configuration. The intrinsic,
pre-defined ANY_EXTERNAL and ANY_INTERNAL groups are maintained automatically by the
firewall as long as you have defined at least one other internal or external group.

Service - Specifies an application's protocol and source/destination ports with ip firewall
service. Packets with the source port in the specified range will match this service, as will
packets with the destination port. TCP and UDP protocols are supported. Intrinsic services for
all ports are ANY_TCP for TCP port ranges and ANY_UDP for UDP port ranges.

Service group - Aggregates a number of service objects with ip firewall service-group.
Typically, the service-group name is the specified application. You can group up to 10 objects.

Policy - Defines which applications can traverse the firewall and in which direction with
ip firewall policy. Packets which match addresses and service are processed by these actions:
allow, allow-auth, reject, log, cls, etc. Configuration must observe these rules:

Any address combination - You can define network addresses as follows: external to
internal, internal to external, and internal to internal. External to external is not supported.

Rule order - Earlier entered rules take precedence.

Deny All for Unicast packets - The XSR firewall observes a DENY ALL default policy. So,
unless explicitly allowed, all packets are dropped both ways.

You should set a rule at the end of your configuration to handle default behavior in a
specific direction. For example, in order to allow all packets from internal to external
except for Telnet and FTP packets, rules for these applications must be defined first.

Then you must define a rule allowing access to ANY_INTERNAL source and
ANY_EXTERNAL destination for any service. These values are case-sensitive.

Caution: Use care not to overlap internal and external address ranges since internal ranges take
precedence over external ranges, and if an address exists in both ranges, the internal address will
be considered for policy matching. In certain situations this may cause unexpected results,
specifically if the other address in a policy is also internal and you expect a match for a policy rule
to use that internal address against a wildcard such as ANY_EXTERNAL as the second address.
This rule will not be matched if the address you expect to be part of ANY_EXTERNAL is also
defined in an internal address range.
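The matching behaviour described above (first rule entered wins, DENY ALL default, a service matching on either port, and internal ranges taking precedence over overlapping external ranges) can be checked offline with this added model. It is example code written for this page, not the XSR's firewall code; the network names, prefixes and the three-rule policy are constructed, and "DMZ_host" is deliberately placed inside the internal "LAN" range to reproduce the situation the caution warns about.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the object types this page describes (not the XSR's own code).
# Network objects: name -> (prefix, side). Sample ranges are made up; "DMZ_host"
# deliberately overlaps the internal "LAN" range to show the caution above.
NETWORKS = {
    "LAN":      (ip_network("10.1.0.0/16"), "internal"),
    "Internet": (ip_network("0.0.0.0/0"),   "external"),
    "DMZ_host": (ip_network("10.1.5.7/32"), "external"),
}
# Service objects: name -> (protocol, low port, high port).
SERVICES = {
    "ANY_TCP": ("tcp", 0, 65535),
    "telnet":  ("tcp", 23, 23),
    "ftp":     ("tcp", 21, 21),
}
# Policy rules in the order they were entered: (source, destination, service, action).
# Telnet and FTP are rejected first, then everything else internal -> external is allowed.
POLICY = [
    ("ANY_INTERNAL", "ANY_EXTERNAL", "telnet",  "reject"),
    ("ANY_INTERNAL", "ANY_EXTERNAL", "ftp",     "reject"),
    ("ANY_INTERNAL", "ANY_EXTERNAL", "ANY_TCP", "allow"),
]

def side_of(addr):
    """Classify an address; an internal range wins over an overlapping external one."""
    a = ip_address(addr)
    sides = {side for prefix, side in NETWORKS.values() if a in prefix}
    if "internal" in sides:
        return "internal"
    return "external" if "external" in sides else None

def address_matches(obj, addr):
    """Resolve the intrinsic ANY_INTERNAL/ANY_EXTERNAL groups or a named network object."""
    if obj == "ANY_INTERNAL":
        return side_of(addr) == "internal"
    if obj == "ANY_EXTERNAL":
        return side_of(addr) == "external"
    return ip_address(addr) in NETWORKS[obj][0]

def service_matches(name, proto, sport, dport):
    """A service matches when either the source or the destination port is in range."""
    sproto, lo, hi = SERVICES[name]
    return proto == sproto and (lo <= sport <= hi or lo <= dport <= hi)

def decide(src, dst, proto, sport, dport, policy=POLICY):
    """First matching rule wins; with no match the firewall's DENY ALL default applies."""
    for s_obj, d_obj, svc, action in policy:
        if (address_matches(s_obj, src) and address_matches(d_obj, dst)
                and service_matches(svc, proto, sport, dport)):
            return action
    return "deny"
```

Because 10.1.5.7 also falls in the internal LAN range, decide("10.1.2.3", "10.1.5.7", "tcp", 40000, 80) returns "deny" rather than "allow": the destination is classified internal, so no ANY_EXTERNAL rule matches and the default applies.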
