Manualshelf

Specifications

ManualsBrandsClavister ManualsComputer equipmentEagle E5
41424344454647484950
The destination network in the IP rule is specified as the predefined IP4 Address object all-nets.
This is used since it cannot be known in advance to which IP address web browsing will be
directed and all-nets allows browsing to any IP address. IP rules are processed in a top down
fashion, with the search ending at first matching rule. An all-nets rule like this should be placed
towards the bottom or at the end of the rule set since other rules with narrower destination
addresses should trigger before it does.
Only one rule is needed since any traffic controlled by a NAT rule will be controlled by the cOS
Core state engine. This means that the rule will allow connections that originate from the source
network/destination and also implicitly allow any returning traffic that results from those
connections.
In the above, the predefined service called http-all is the best service to use for web browsing
(this service includes HTTP and HTTPS but not DNS). It is advisable to always make the service in
an IP rule or IP policy as restrictive as possible to provide the best security possible. Custom
service objects can be created for specific protocols and existing service objects can also be
combined into a new, single service object.
The IP rule Action could have been specified as Allow, but only if all the hosts on the protected
local network have public IPv4 addresses. By using NAT, cOS Core will use the destination
interface's IP address as the source IP. This means that external hosts will send their responses
back to the interface IP and cOS Core will automatically forward the traffic back to the originating
local host. Only the outgoing interface therefore needs to have a public IPv4 address and the
internal network topology is hidden.
To allow web browsing, DNS lookup also needs to be allowed in order to resolve URLs into IP
addresses. The service http-all does not include the DNS protocol so a similar IP rule that allows
this is needed. This could be done with a single IP rule or IP policy that uses a custom service
which combines the HTTP and DNS protocols but the recommended method is to create an
entirely new IP rule that mirrors the above rule but specifies the service as dns-all. This method
provides the most clarity when the configuration is examined for any problems. The screenshot
below shows a new IP rule called lan_to_wan_dns being created to allow DNS.
Chapter 4: cOS Core Configuration
43