4 Replies Latest reply on Jan 29, 2014 5:58 AM by david

    Firewall question

    jwink New Member

      Hello, I am slowly learning the Adtran OS but have a question about the firewall.   For the config below I get firewall statements such as "X.X.X.X. blocked on port xxx from default policy class" or something to that effect on the 0/2.20 subinterface.   I am trying to be completely non-blocking on that subinterface, yet I see these statements.  Can someone shed some light on this please?  I was directed to leave the access-policy off to be non-blocking; have I been misinformed?   E 0/1 has access-policy Public.


      Thanks in advance, I always find the right answers here.


      interface eth 0/2
        description Voice and LAN
        encapsulation 802.1q
        no shutdown
      !
      interface eth 0/2.1
        description Voice VLAN
        vlan-id 1 native
        ip address  192.168.0.1  255.255.255.0
        access-policy Private
        qos-policy in SET_DSCP
        no shutdown
      !
      interface eth 0/2.20
        description To Customer Firewall WAN Port
        vlan-id 20
        ip address  216.x.x.x 255.255.255.252
        no shutdown

        • Re: Firewall question
          jayh Hall_of_Fame

          By default anything not allowed by a policy is denied.  Add a policy to the ethernet 0/2.20 interface and allow it to and from Public.  Best practice is to limit the ability to spoof addresses not part of the subnet.  This catches malware and some forms of attack traffic.

          interface eth 0/2.20
            description To Customer Firewall WAN Port
            vlan-id 20
            ip address  216.x.x.x 255.255.255.252
            access-policy Firewall-WAN
            no shutdown

          ip access-list extended fw-out-list
            remark firewall out anti-spoofing
            permit ip 216.x.x.x 0.0.0.3 any

          ip access-list extended fw-in-list
            remark firewall in anti-spoofing
            deny ip 216.x.x.x 0.0.0.3 any
            permit ip any 216.x.x.x 0.0.0.3

          ip policy-class Firewall-WAN
            allow list fw-out-list policy Public

          ip policy-class Public
            allow list fw-in-list policy Firewall-WAN

          • Re: Firewall question
            david Employee

            Jim,


            Thanks for posting!   I just wanted to add a couple more details about the behavior of our unit when the firewall is turned on, but no access-policy is applied to a routed interface.  When no access-policy is applied, traffic enters the "default policy-class", which just includes a "stateful" allow rule.  Stateful vs. stateless processing is defined in the following document.


            Configuring the Firewall (IPv4) AOS


            Stateful processing is needed for any ALG or proxy type function in the unit, and also serves to prevent several types of "attacks" also defined in the document above.  However, if you want stateless processing, you would need to specifically configure it on the unit.  Below is a short example.

            interface eth 0/2.20
              vlan-id 20
              ip address  216.x.x.x 255.255.255.252
              ip access-policy PublicLAN
              no shutdown
            !
            ip access-list extended MatchAll
              permit ip any any
            !
            ip policy-class PublicLAN
              allow list MatchAll stateless


            Thanks!

            David
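The following is an added illustration of the behaviour described in jayh's and david's replies above: wildcard-mask access-list matching, first-match policy-class evaluation with an implicit discard at the end, the anti-spoofing entries, and the difference between a stateful allow (which tracks sessions and drops stray TCP segments that belong to no session) and a stateless allow. It is a toy model written for this thread, not AOS code and not from Adtran; the addresses are constructed documentation ranges standing in for the 216.x.x.x /30, the "deny means fall through to the next policy-class entry" convention and the SYN-only session creation are simplifying assumptions of the model, not a statement of AOS internals.

```python
"""Toy model of AOS-style access-lists and policy-classes (constructed example)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco/AOS-style wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    mask = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return int(IPv4Address(addr)) & mask == int(IPv4Address(base)) & mask


def parse_ace(line: str):
    """Parse 'permit|deny ip (<addr> <wildcard>|any) (<addr> <wildcard>|any)'."""
    tok = line.split()
    action, rest = tok[0], tok[2:]          # tok[1] is the protocol keyword 'ip'
    ends = []
    for _ in range(2):
        if rest[0] == "any":
            ends.append(None)
            rest = rest[1:]
        else:
            ends.append((rest[0], rest[1]))
            rest = rest[2:]
    return action, ends[0], ends[1]


def acl_result(acl: list, src: str, dst: str) -> Optional[str]:
    """First matching entry wins; None means nothing matched (implicit deny)."""
    for action, s, d in acl:
        if (s is None or wildcard_match(src, *s)) and (d is None or wildcard_match(dst, *d)):
            return action
    return None


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    ingress: Optional[str]       # policy-class of the ingress interface; None = no access-policy
    egress: Optional[str]        # policy-class of the egress interface
    tcp_syn: bool = False


@dataclass
class Rule:
    acl: str
    dest_policy: Optional[str] = None   # the 'policy <name>' keyword
    stateless: bool = False


@dataclass
class Firewall:
    acls: dict
    classes: dict                        # policy-class name -> list of Rule
    sessions: set = field(default_factory=set)

    def evaluate(self, p: Packet) -> str:
        fwd = (p.src, p.dst, p.proto, p.sport, p.dport)
        rev = (p.dst, p.src, p.proto, p.dport, p.sport)
        if fwd in self.sessions or rev in self.sessions:
            return "allow"                # traffic of an established stateful session
        # No access-policy: the default policy-class, modelled as one stateful 'allow any'.
        rules = self.classes[p.ingress] if p.ingress is not None else [Rule("__any__")]
        for r in rules:
            if r.dest_policy is not None and r.dest_policy != p.egress:
                continue
            acl = self.acls.get(r.acl, [("permit", None, None)])
            # Assumption of this model: a 'deny' or no match in the list means this
            # policy-class entry does not apply and evaluation moves to the next entry.
            if acl_result(acl, p.src, p.dst) != "permit":
                continue
            if r.stateless:
                return "allow"            # no session tracking at all
            # Stateful allow: a TCP flow must start with SYN; a segment with no
            # session is dropped (generic stateful-inspection behaviour, assumed here).
            if p.proto == "tcp" and not p.tcp_syn:
                return "deny"
            self.sessions.add(fwd)
            return "allow"
        return "deny"                     # implicit discard at the end of the policy-class


def build_demo() -> Firewall:
    """Constructed config mirroring the thread, with 203.0.113.0/30 in place of 216.x.x.x/30."""
    acls = {
        "fw-out-list": [parse_ace("permit ip 203.0.113.0 0.0.0.3 any")],
        "fw-in-list": [parse_ace("deny ip 203.0.113.0 0.0.0.3 any"),
                       parse_ace("permit ip any 203.0.113.0 0.0.0.3")],
        "MatchAll": [parse_ace("permit ip any any")],
    }
    classes = {
        "Firewall-WAN": [Rule("fw-out-list", dest_policy="Public")],
        "Public": [Rule("fw-in-list", dest_policy="Firewall-WAN")],
        "PublicLAN": [Rule("MatchAll", stateless=True)],
    }
    return Firewall(acls, classes)


def run_scenarios() -> dict:
    fw = build_demo()
    out = {}
    # Customer firewall (203.0.113.2) opens a TCP connection out to the Internet.
    out["outbound_syn"] = fw.evaluate(Packet("203.0.113.2", "198.51.100.10", "tcp", 40000, 443,
                                             "Firewall-WAN", "Public", tcp_syn=True))
    # The reply (no SYN) is allowed because the outbound stateful allow created a session.
    out["reply"] = fw.evaluate(Packet("198.51.100.10", "203.0.113.2", "tcp", 443, 40000,
                                      "Public", "Firewall-WAN"))
    # Spoofed packet arriving from the Internet with a source inside the /30: fw-in-list denies it.
    out["spoofed"] = fw.evaluate(Packet("203.0.113.2", "203.0.113.1", "udp", 53, 53,
                                        "Public", "Firewall-WAN"))
    # Stray TCP ACK with no session on an interface without access-policy (default class).
    out["stray_ack_default"] = fw.evaluate(Packet("192.0.2.9", "203.0.113.2", "tcp", 1234, 22,
                                                  None, "Firewall-WAN"))
    # The same stray ACK under the stateless PublicLAN class passes straight through.
    out["stray_ack_stateless"] = fw.evaluate(Packet("192.0.2.9", "203.0.113.2", "tcp", 1234, 22,
                                                    "PublicLAN", "Firewall-WAN"))
    out["sessions"] = len(fw.sessions)
    return out


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:>20}: {verdict}")
```

The "stray_ack_default" case is the one that matches the original question: even with no access-policy on the interface, the default policy-class is still a stateful allow, so segments that belong to no known session are dropped and logged, whereas the explicit stateless class lets them through.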

            • Re: Firewall question
              david Employee

              Jwink,


              I went ahead and flagged this post as "Assumed Answered".  If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons.  This will make them visible and help other members of the community find solutions more easily.  If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.


              Thanks!

              David