Pseries Installation Guide

P-Series Installation and Operation Guide, version 2.3.1.2 77
Allowing Traffic through the Firewall
To allow packets through the firewall, you must write rules that match the packets you want the appliance to
forward. A rule can be as simple as allowing traffic destined to a particular port; stateful rules can be used
to allow all traffic belonging to an established connection. To allow non-IP traffic to pass through the
firewall, you must select "Yes" for compiler option 2, as described in Table 8 on page 56.
Sample rules for a firewall deployment are available in the file pnic-compiler/rules/fw.rules.
Writing Rules for a Firewall Deployment
Rules for a firewall deployment are written in the same Snort-based syntax as IDS/IPS rules. The
difference is that you describe the packets you want to forward rather than the packets you want to block. See
P-Series Rule Syntax on page 66.
In Table 25, stateful rules are used to allow specified traffic into the internal network. Notice that in the
incoming direction the policies require the packet to be destined to one of a set of allowed ports, while in the
outgoing direction there is no port requirement. This asymmetry produces typical firewall behavior: outside
hosts can reach only the services you expose, while inside hosts can open connections to any port.
Drop mode can also accommodate arbitrary rules that do not assume an inside and an outside interface.
This is attractive because the notion of inside and outside is often blurred in modern network
topologies. Traditional IPS and IDS rules can also be coupled with the firewall rules to block
packets and/or capture suspicious packets.
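The stateful, asymmetric policy from the previous section and the coupling of an IPS-style drop rule with the forwarding rules, as one added example (not code from the P-Series guide, the pnic-compiler or fw.rules): a small Python evaluator that parses constructed rules written in plain Snort syntax (pass/drop, $HOME_NET/$EXTERNAL_NET, content), not the P-Series dialect, and applies them to a few constructed packets. The $HOME_NET prefix, the allowed ports, the drop-before-pass ordering and the connection-state table are all assumptions of this toy, not documented appliance behaviour.

```python
"""Toy stateful evaluator for Snort-style firewall rules (added example).

Models the policy described above: inbound connections must target an
allowed port, outbound connections may use any port, packets of an
established flow pass in both directions, and a drop rule can still
block a packet inside an otherwise allowed flow.  Drop-before-pass
ordering and the state table are assumptions of this toy.
"""
import re
from dataclasses import dataclass

HOME_NET = "10.0.0."  # constructed internal prefix; stands in for $HOME_NET

# Constructed rules in plain Snort syntax (not the P-Series dialect, not fw.rules).
RULES = """
# IPS-style rule coupled with the firewall rules: block a known-bad payload
drop tcp any any -> $HOME_NET any (msg:"bad payload"; content:"EVIL"; sid:1000;)
# Incoming direction: only the exposed service ports may be reached
pass tcp $EXTERNAL_NET any -> $HOME_NET [22,80,443] (msg:"inbound services"; sid:1;)
# Outgoing direction: no port requirement
pass tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"outbound"; sid:2;)
"""

RULE_RE = re.compile(
    r"^(?P<action>pass|drop)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""        # "S" marks a SYN (new connection), "A" a mid-stream packet
    payload: bytes = b""


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    opts: dict


def parse_rules(text):
    """Parse the header and the key:value options of each rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        opts = {}
        for opt in m["opts"].split(";"):
            key, _, val = opt.strip().partition(":")
            if key:
                opts[key.strip()] = val.strip().strip('"')
        rules.append(Rule(m["action"], m["proto"], m["src"], m["sport"],
                          m["dst"], m["dport"], opts))
    return rules


def addr_matches(spec, ip):
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return ip.startswith(HOME_NET)
    if spec == "$EXTERNAL_NET":
        return not ip.startswith(HOME_NET)
    return ip == spec


def port_matches(spec, port):
    return spec == "any" or str(port) in spec.strip("[]").split(",")


def rule_matches(rule, pkt):
    if not (addr_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)
            and addr_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport)):
        return False
    content = rule.opts.get("content")          # only the content option is honoured
    return content is None or content.encode() in pkt.payload


def flow_key(pkt):
    """Direction-independent key so reply packets hit the same state entry."""
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.established = set()    # toy stand-in for the appliance's state table

    def verdict(self, pkt):
        for r in self.rules:        # drop rules first (assumption of this toy)
            if r.action == "drop" and rule_matches(r, pkt):
                return "drop"
        key = flow_key(pkt)
        if key in self.established:  # all traffic of an established connection
            return "pass (established)"
        if "S" in pkt.flags:         # only a new connection consults the pass rules
            for r in self.rules:
                if r.action == "pass" and rule_matches(r, pkt):
                    self.established.add(key)
                    return "pass (new)"
        return "drop"               # no matching rule and no state: default drop


def run_demo():
    """Constructed packets; returns the verdict for each in order."""
    fw = Firewall(parse_rules(RULES))
    packets = [
        Packet("203.0.113.9", 51000, "10.0.0.5", 80, "S"),                  # inbound to exposed port
        Packet("10.0.0.5", 80, "203.0.113.9", 51000, "A"),                  # reply on that flow
        Packet("203.0.113.9", 51001, "10.0.0.5", 23, "S"),                  # inbound to telnet
        Packet("10.0.0.7", 40000, "198.51.100.1", 8080, "S"),               # outbound, odd port
        Packet("203.0.113.9", 51000, "10.0.0.5", 80, "A", b"GET /EVIL"),    # bad payload in flow
        Packet("203.0.113.9", 51003, "10.0.0.5", 80, "A"),                  # mid-stream, no state
    ]
    return [fw.verdict(p) for p in packets]


if __name__ == "__main__":
    for v in run_demo():
        print(v)
```

The fifth packet is the one to watch: it belongs to a flow the firewall already accepted, yet the drop rule still blocks it, which is the coupling of IPS rules with forwarding rules that the text describes. The last packet shows why stateful matching matters: a mid-stream packet with no state entry is dropped even though its ports would satisfy the inbound rule.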