35. Firewall
ROX™ v2.2 User Guide 375 RuggedBackbone™ RX5000
35.3.6. Rules
The default policies can completely configure traffic based upon zones, but they cannot take into
account criteria such as the protocol type, the source/destination IP addresses, or the need to
perform special actions such as port forwarding. The firewall rules accomplish this.
The ROX™ firewall rules provide exceptions to the default policies. In practice, when a connection
request arrives, the rules file is inspected first; if no rule matches, the default policy is applied.
Rules are of the form:
Action Source-Zone Destination-Zone Protocol Destination-Port Source-Port Original-Destination-IP Rate-Limit User-Group
Actions are ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, REDIRECT-, CONTINUE, LOG
and QUEUE. The DNAT-, REDIRECT-, CONTINUE, LOG and QUEUE actions are not widely used
and are not described here.
Action | Description
ACCEPT | Allow the connection request to proceed.
DROP | The connection request is simply ignored. No notification is made to the requesting client.
REJECT | The connection request is rejected with an RST (TCP) or an ICMP destination-unreachable packet being returned to the client.
DNAT | Forward the request to another system (and optionally another port).
REDIRECT | Redirect the request to a local tcp port number on the local firewall. This is most often used to "remap" port numbers for services on the firewall itself.
Table 35.7.
The remaining fields of a rule are as described below:
Rule Field | Description
Action | The action as described in the previous table.
Source-Zone | The zone the connection originated from.
Destination-Zone | The zone the connection is destined for.
Protocol | The tcp or udp protocol type.
Destination-Port | The tcp/udp port the connection is destined for.
Source-Port | The tcp/udp port the connection originated from.
Original-Destination-IP | The destination IP address in the connection request as it was received by the firewall.
Rate-Limit | A specification which allows the rate at which connections are made to be limited.
Table 35.8.
Some examples will illustrate the power of the rules file:
Rule | Action | Source-Zone | Destination-Zone | Protocol | Dest-Port | Source-Port | Original-Destination-IP
1 | ACCEPT | net:204.18.45.0/24 | fw | | | |
2 | DNAT | net | loc:192.168.1.3 | tcp | ssh, http | |
3 | DNAT | net:204.18.45.0/24 | loc:192.168.1.3 | tcp | http | - | 130.252.100.69
4 | ACCEPT | fw | net | icmp | | |
5 | ACCEPT | net:204.18.45.0/24 | fw | icmp | 8 | |
Table 35.9.
1. This rule accepts traffic to the firewall itself from the 204.18.45.0/24 subnet. If the default policy is to
drop all requests from net to the firewall, this rule will only accept traffic from the authorized subnet.
2. This rule forwards all ssh and http connection requests from the Internet to local system 192.168.1.3.
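The following is an added example, not code from the ROX™ user guide or from the ROX™ firewall itself: a small first-match evaluator that walks the five rules of Table 35.9 in order and falls back to a default zone policy only when no rule matches, which is the evaluation order the text describes. The service-name-to-port map, the default policy table, the sample connections and the modelling of a forwarded request as destined for zone "loc" are all assumptions made for this illustration.

```python
"""Added example (not the guide's own code): first-match evaluation of rules
in the Table 35.9 format, with the default zone policy applied only when no
rule matches. All sample data below is constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names used in the rule table, mapped to port numbers (assumption).
SERVICE_PORTS = {"ssh": 22, "http": 80}


@dataclass
class Connection:
    src_zone: str
    src_ip: str
    dst_zone: str              # zone the request is destined for ("loc" for forwarded requests)
    dst_ip: str                # destination address as received by the firewall
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # tcp/udp destination port, or the ICMP type for icmp


def parse_zone(spec):
    """'net:204.18.45.0/24' -> ('net', network); 'fw' -> ('fw', None)."""
    zone, _, addr = spec.partition(":")
    return zone, (ipaddress.ip_network(addr, strict=False) if addr else None)


def parse_ports(spec):
    """'ssh, http' -> {22, 80}; '8' -> {8}; '' or '-' -> None (any port)."""
    if not spec or spec == "-":
        return None
    return {SERVICE_PORTS[p] if p in SERVICE_PORTS else int(p)
            for p in spec.replace(" ", "").split(",")}


# The five rules of Table 35.9, one tuple per row:
# (Action, Source-Zone, Destination-Zone, Protocol, Dest-Port, Source-Port, Original-Destination-IP)
RULES = [
    ("ACCEPT", "net:204.18.45.0/24", "fw",              "",     "",          "",  ""),
    ("DNAT",   "net",                "loc:192.168.1.3", "tcp",  "ssh, http", "",  ""),
    ("DNAT",   "net:204.18.45.0/24", "loc:192.168.1.3", "tcp",  "http",      "-", "130.252.100.69"),
    ("ACCEPT", "fw",                 "net",             "icmp", "",          "",  ""),
    ("ACCEPT", "net:204.18.45.0/24", "fw",              "icmp", "8",         "",  ""),
]

# Default zone policies (constructed), consulted only when no rule matches.
POLICIES = {("net", "fw"): "DROP", ("net", "loc"): "DROP",
            ("fw", "net"): "ACCEPT", ("loc", "net"): "ACCEPT"}


def rule_matches(rule, conn):
    action, src, dst, proto, dport, _sport, orig = rule
    src_zone, src_net = parse_zone(src)
    dst_zone, dst_net = parse_zone(dst)
    if conn.src_zone != src_zone or conn.dst_zone != dst_zone:
        return False
    if src_net and ipaddress.ip_address(conn.src_ip) not in src_net:
        return False
    # For DNAT the address after the destination zone is the forwarding target,
    # not a match criterion; for other actions it qualifies the destination.
    if action != "DNAT" and dst_net and ipaddress.ip_address(conn.dst_ip) not in dst_net:
        return False
    if proto and conn.proto != proto:
        return False
    ports = parse_ports(dport)
    if ports is not None and conn.dport not in ports:
        return False
    if orig and ipaddress.ip_address(conn.dst_ip) != ipaddress.ip_address(orig):
        return False
    return True


def evaluate(conn, rules=RULES, policies=POLICIES):
    """Return (action, forward_target, rule_number); rule_number is 0 when the
    default policy decided, i.e. no rule in the file matched."""
    for number, rule in enumerate(rules, start=1):
        if rule_matches(rule, conn):
            action, _, dst, *_ = rule
            target = parse_zone(dst)[1] if action == "DNAT" else None
            return action, (str(target.network_address) if target else None), number
    return policies.get((conn.src_zone, conn.dst_zone), "DROP"), None, 0


if __name__ == "__main__":
    for c in (Connection("net", "204.18.45.7", "fw", "130.252.100.69", "tcp", 443),
              Connection("net", "8.8.8.8", "fw", "130.252.100.69", "tcp", 443),
              Connection("net", "8.8.8.8", "loc", "130.252.100.69", "tcp", 22)):
        print(c, "->", evaluate(c))
```

Running the evaluator over the table as one file also shows why order matters in a first-match rules file: rule 1 has no protocol or port, so it already accepts the ICMP echo requests that rule 5 describes, and rule 2 already forwards all http from net, so rule 3 is only reached if it is listed before rule 2. The guide presents the rows as independent illustrations; in a production rules file, more specific rules go first.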