XSR User's Guide, Chapter 13: Configuring Security on the XSR
Firewall CLI Commands
Set a rule at the end of your configuration to handle default behavior in a given direction. Rules are matched in the order they are defined, so specific exceptions must come before the catch-all rule. For example, to allow all packets from internal to external except Telnet and FTP, first define rules denying those two services, then define a rule allowing any service from source ANY_INTERNAL to destination ANY_EXTERNAL. If the catch-all rule is placed first, the Telnet and FTP rules are never reached. The object names ANY_INTERNAL and ANY_EXTERNAL are case-sensitive.
Non-unicast packet handling - Packets with broadcast or multicast destination addresses are not allowed to pass in either direction unless they are explicitly allowed. This makes it easy to deny IP broadcast/multicast packets through the firewall; to allow them, you must issue the ip firewall ip-broadcast or ip firewall ip-multicast command and also set a policy that permits the traffic.
IP packets with options - Packets carrying IP options are dropped in both directions by default. You must permit options explicitly in each direction with ip firewall ip-options.
Naming conventions - Firewall object names may contain only the alphanumeric characters A-Z (upper or lower case), 0-9, - (dash), and _ (underscore). All firewall object names are case-sensitive.
TCP/UDP/ICMP filter - To specifically filter TCP, UDP, or ICMP packets and assign an idle session timeout for their inspection, enter ip firewall tcp, ip firewall udp, or ip firewall icmp.
Non-TCP/UDP filter - Defines packet filtering for IP protocols other than TCP and UDP with ip firewall filter. Because such packets are dropped by default, to allow any other IP protocol through the firewall you must specify a filter object with the correct source/destination IP addresses and IP protocol ID.
Java and ActiveX - Controls whether HTML pages with Java or ActiveX content pass through the firewall, using the ip firewall java and ip firewall activex commands. Options include allowing such content from all or selected IP addresses, or denying it from any IP address.
System filter - Specifies interface-mode filtering with the ip firewall ip-options (for loose or strict source routing through the Internet, trace routes, or recording time stamps), ip firewall ip-broadcast (for DHCP, for example), and ip firewall ip-multicast (for routing protocols) commands.
Enable/Disable - Turns the firewall on or off with ip firewall {enable | disable}. The firewall can be set per interface or globally and is disabled on all interfaces by default. If the firewall is globally disabled, a local enable is ignored; if it is globally enabled, all interfaces are on unless you specifically disable each interface. The enable setting appears in the running-config file; disable, being the default, does not.
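The rule-ordering, default-drop, naming and enable/disable behaviour described above, modelled as an added Python example so a proposed ruleset can be checked before it is typed into the router. This is not the XSR's own code and does not reproduce its CLI syntax; the zone names ANY_INTERNAL and ANY_EXTERNAL come from this page, while the service table, rule names, the interface name and the treatment of non-TCP/UDP protocols as a separate filter object are assumptions of the model.

```python
"""Model of the XSR firewall rule semantics described on this page.

Added illustration, not the router's code or CLI syntax. It reproduces the
documented behaviour: first matching rule wins, unmatched traffic is dropped,
broadcast/multicast and IP-option packets are dropped unless the matching
system filter is enabled, object names are case-sensitive, and a local enable
is ignored while the firewall is globally disabled.
"""
import re
from dataclasses import dataclass, field

NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")   # naming convention from the page

# Service objects (hypothetical table): name -> (protocol, destination port).
# 'ANY' covers the TCP/UDP/ICMP inspection filters only; any other IP protocol
# needs a filter object naming its protocol ID, modelled as port None.
SERVICES = {
    "telnet": ("tcp", 23),
    "ftp": ("tcp", 21),
    "http": ("tcp", 80),
    "ANY": (None, None),          # any TCP/UDP/ICMP service
    "GRE_FILTER": ("47", None),   # ip firewall filter object for IP protocol 47
}
INSPECTED = {"tcp", "udp", "icmp"}


def valid_object_name(name: str) -> bool:
    """Firewall object names may use only A-Z, a-z, 0-9, dash and underscore."""
    return bool(NAME_RE.fullmatch(name))


@dataclass(frozen=True)
class Packet:
    src: str                    # network object, e.g. 'ANY_INTERNAL'
    dst: str
    proto: str                  # 'tcp', 'udp', 'icmp' or an IP protocol number as text
    dport: int = 0
    dst_kind: str = "unicast"   # 'unicast' | 'broadcast' | 'multicast'
    options: bool = False       # packet carries IP options


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    service: str
    action: str                 # 'allow' | 'deny'


@dataclass
class Firewall:
    enabled: bool = False                               # ip firewall enable (global)
    disabled_ifaces: set = field(default_factory=set)   # per-interface disable
    ip_broadcast: bool = False                          # ip firewall ip-broadcast
    ip_multicast: bool = False                          # ip firewall ip-multicast
    ip_options: bool = False                            # ip firewall ip-options
    rules: list = field(default_factory=list)           # evaluated in order

    def add_rule(self, rule: Rule) -> None:
        for n in (rule.name, rule.src, rule.dst, rule.service):
            if not valid_object_name(n):
                raise ValueError(f"illegal object name {n!r}")
        if rule.service not in SERVICES:
            raise ValueError(f"unknown service {rule.service!r}")
        self.rules.append(rule)

    def active_on(self, iface: str) -> bool:
        # Globally disabled: every local enable is ignored.
        # Globally enabled: every interface is on unless disabled individually.
        return self.enabled and iface not in self.disabled_ifaces

    def _service_matches(self, service: str, pkt: Packet) -> bool:
        proto, port = SERVICES[service]
        if proto is None:                       # 'ANY': TCP/UDP/ICMP only
            return pkt.proto in INSPECTED
        if proto != pkt.proto:
            return False
        return port is None or port == pkt.dport

    def evaluate(self, pkt: Packet, iface: str = "FastEthernet1") -> str:
        if not self.active_on(iface):
            return "pass:firewall-off"
        # System filters run before policy and drop by default.
        if pkt.dst_kind == "broadcast" and not self.ip_broadcast:
            return "drop:ip-broadcast"
        if pkt.dst_kind == "multicast" and not self.ip_multicast:
            return "drop:ip-multicast"
        if pkt.options and not self.ip_options:
            return "drop:ip-options"
        # Policy: first match wins; object-name comparison is case-sensitive.
        for r in self.rules:
            if r.src == pkt.src and r.dst == pkt.dst and self._service_matches(r.service, pkt):
                return f"{r.action}:{r.name}"
        return "drop:default"


def build(order: str = "correct") -> Firewall:
    """The page's example: deny Telnet and FTP outbound, then allow everything else."""
    fw = Firewall(enabled=True)
    denies = [Rule("deny_telnet", "ANY_INTERNAL", "ANY_EXTERNAL", "telnet", "deny"),
              Rule("deny_ftp", "ANY_INTERNAL", "ANY_EXTERNAL", "ftp", "deny")]
    catch_all = Rule("allow_out", "ANY_INTERNAL", "ANY_EXTERNAL", "ANY", "allow")
    for r in (denies + [catch_all] if order == "correct" else [catch_all] + denies):
        fw.add_rule(r)
    return fw


if __name__ == "__main__":
    telnet = Packet("ANY_INTERNAL", "ANY_EXTERNAL", "tcp", 23)
    print("denies before catch-all:", build("correct").evaluate(telnet))
    print("catch-all first        :", build("wrong").evaluate(telnet))
```

Running the block shows the point of the ordering advice: with the catch-all rule first, the Telnet deny is shadowed and the session is allowed. The same evaluator also shows why enabling ip firewall ip-broadcast alone is not enough for DHCP: the broadcast packet still has to match an allow rule, and a GRE packet is dropped by the ANY rule until a filter object for protocol 47 is added.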