RuggedCom RUGGEDBACKBONE RX5000 User Manual

35. Firewall
ROX™ v2.2 User Guide 376 RuggedBackbone™ RX5000
3. This rule forwards http traffic from 204.18.45.0/24 (which was originally directed to the firewall at
130.252.100.69) to the host at 192.168.1.3 in the local zone. If the firewall supports another public
IP address (e.g. 130.252.100.70), a similar rule could map requests to another host.
4. and 5. These rules allow the firewall to issue icmp requests to the Internet and to respond to icmp
echo requests from the authorized subnet.
Each of the Source and Destination zones may use one of the defined zone names, or one may select
"Other..." and specify a zone name in the text field to the right. Both Source and Destination may be
further qualified using the Only hosts in zone with addresses fields. Multiple comma-separated subnet,
IP, or MAC addresses may be specified in the following way:
IP subnet: 192.168.1.0/24
IP address: 192.168.1.1
IP address range: 192.168.1.1-192.168.1.25
MAC address: ~00-A0-C9-15-39-78
35.4. Configuring The Firewall And VPN
35.4.1. Policy-based Virtual Private Networking
Begin configuration by creating local, network and vpn zones. Identify the network interface that carries
the encrypted IPSec traffic and make this interface part of zone "ANY" in the interfaces menu, as it will
be carrying traffic for both zones.
Visit the Host menu and, for the network interface that carries the encrypted IPSec traffic, create a zone
host with zone VPN, the correct subnet and the IPSec zone option checked. If you plan to have VPN
tunnels to multiple remote sites ensure that a zone host entry exists for each (or collapse them into
a single subnet). Create another zone host for the same interface with a network zone, using a wider
subnet mask such as 0.0.0.0/0. It is important that the vpn zone be declared before the net zone since
the more specific vpn zone subnet must be inspected first.
Host Zone   Interface   Subnet           IPSec Zone?
vpn         w1ppp       192.168.1.0/24   Yes
net         w1ppp       0.0.0.0/0        No
Table 35.10.
IPSec operates on UDP port 500 and uses the Authentication Header (AH) and Encapsulating Security
Payload (ESP) protocols. The firewall must accept this traffic in order to allow IPSec.
Action   Source-Zone   Destination-Zone   Protocol   Dest-Port
ACCEPT   net           fw                 ah
ACCEPT   net           fw                 esp
ACCEPT   net           fw                 udp        500
Table 35.11.
IPSec traffic arriving at the firewall is directed to openswan, the IPSec daemon. Openswan then decrypts
the traffic and forwards it back to the ROX™ firewall on the same interface that originally received it.
You will also need a rule to allow traffic to enter from this interface.
Action   Source-Zone   Destination-Zone   Protocol   Dest-Port
ACCEPT   vpn           loc
Table 35.12.
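The zone-host ordering and the three tables above can be checked with a small model of the lookup. This is an added example, not ROX or Shorewall code: it assumes that zone hosts are matched first-match in table order, that an IPSec-zone entry matches only traffic openswan has already decrypted, and that unmatched traffic is dropped. Packet addresses are constructed.

```python
import ipaddress

# Zone hosts from Table 35.10: (zone, interface, subnet, ipsec zone?).
# Entries are searched in order and the first match wins, so the IPsec
# vpn entry must precede the catch-all net entry.
ZONE_HOSTS = [
    ("vpn", "w1ppp", "192.168.1.0/24", True),
    ("net", "w1ppp", "0.0.0.0/0", False),
]

# Rules from Tables 35.11 and 35.12: (action, src zone, dst zone, proto,
# dest port). None means "any"; anything unmatched falls to DROP here.
RULES = [
    ("ACCEPT", "net", "fw", "ah", None),
    ("ACCEPT", "net", "fw", "esp", None),
    ("ACCEPT", "net", "fw", "udp", 500),
    ("ACCEPT", "vpn", "loc", None, None),
]


def classify(src_ip, iface, decrypted, hosts=ZONE_HOSTS):
    """Source zone of a packet by first match over the zone-host table.

    An IPsec-zone entry matches only traffic openswan has already decrypted
    and handed back to the firewall; a plain entry matches any packet on its
    interface/subnet. (Simplified model, not the ROX implementation.)
    """
    addr = ipaddress.ip_address(src_ip)
    for zone, host_iface, subnet, ipsec_only in hosts:
        if host_iface == iface and addr in ipaddress.ip_network(subnet):
            if not ipsec_only or decrypted:
                return zone
    return None


def decide(src_zone, dst_zone, proto, dport=None, rules=RULES):
    """Action of the first rule matching the zone pair, protocol and port."""
    for action, src, dst, rproto, rport in rules:
        if (src, dst) == (src_zone, dst_zone) \
                and rproto in (None, proto) and rport in (None, dport):
            return action
    return "DROP"


def evaluate(src_ip, iface, decrypted, dst_zone, proto, dport=None,
             hosts=ZONE_HOSTS):
    """Classify a packet into a zone, then evaluate it against the rules."""
    zone = classify(src_ip, iface, decrypted, hosts)
    return decide(zone, dst_zone, proto, dport)
```

Reversing ZONE_HOSTS makes a decrypted 192.168.1.x packet land in net instead of vpn, so the vpn to loc rule never fires; that is the failure the ordering requirement above prevents.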
