User Tools

Site Tools


latex2wiki:user_manual:firewall

Firewall

Firewall Terminology and Concepts

For security purposes, a router can be configured to inspect the forwarded network traffic and take certain actions. Those actions are based on a set of rules called “firewall rules”. Each firewall rule has a matching criteria (e.g., source and destination address), and an action. Typical actions are to allow or deny the forwarding of the packets that match the rule.

Configuring Firewall Rules

Firewall configuration can contain many rules. The rules are evaluated in certain order for each incoming packet. In XORP the configuration rules are numbered, and rules with smaller number are evaluated first. On certain systems (e.g., FreeBSD) the largest rule number is limited by the system to 655341), therefore the XORP configuration shouldn’t include rule numbers that are larger. Currently (July 2008), firewall configuration is supported only for *BSD and Linux 2).

Configuration Syntax

The available configuration syntax for firewall rules is as follows 3):

firewall {
  rule4 int(1..65534) {
    action: text
    protocol: int(0..255)
    source {
      interface: text
      vif: text
      network: IPv4/int(0..32)
      port-begin: int(0..65535)
      port-end: int(0..65535)
    }
    destination {
      network: IPv4/int(0..32)
      port-begin: int(0..65535)
      port-end: int(0..65535)
    }
  }
  rule6 int(1..65534) {
    action: text
    protocol: int(0..255)
    source {
      interface: text
      vif: text
      network: IPv6/int(0..128)
      port-begin: int(0..65535)
      port-end: int(0..65535)
    }
    destination {
      network: IPv6/int(0..128)
      port-begin: int(0..65535)
      port-end: int(0..65535)
    }
  }
}
Keyword Description
firewall This delimits all the firewall configuration information within the XORP configuration file.
rule4 This delimits the configuration of a particular IPv4 firewall rule. The parameter is the rule number and must be in the interval [1..65534].
rule6 This delimits the configuration of a particular IPv6 firewall rule. The parameter is the rule number and must be in the interval [1..65534]. The IPv6 rule configuration is similar to the IPv4 configuration, except that IPv6 addresses are used instead of IPv4 addresses (where applicable). Note that on certain systems (e.g., FreeBSD-7.0 with ipfw) the firewall rule numbers for IPv4 and IPv6 use same number space. Therefore, the rule4 and rule6 rule numbers in the XORP configuration should also be chosen from the same number space.

IPv4 Rule Specific Configuration

For each IPv4 rule, the following configuration is possible:

Keyword Description
action This is the action that should be applied on packets that match the rule.
This field is mandatory.
It is a string with one of the following values:
none No action. Continue the evaluation with the next rule.
pass Pass the matching packets.
drop Drop the matching packets.
reject Reject the matching packets (i.e., drop them and try to send back the appropriate ICMP unreachable notice). Note that some systems don’t support this mechanism; on such systems reject is equivalent to drop.
Keyword Description
protocol This field specifies the IP protocol number as defined by IANA, and is an integer value in the interval [0..255]. For example, TCP protocol number is 6, and UDP protocol number is 17. If it is set to 0 (the default value), all protocols are matched.
source This delimits the configuration of the matching criteria the is related to the source of the packet.
destination This delimits the configuration of the matching criteria the is related to the destination of the packet.
Source Specific Configuration
Keyword Description
interface This parameter is the name of the interface the packet arrives on. Only packets arriving on that interface will pass this criteria. The value must be either the name of an interface known to the router forwarding path or an empty string (i.e., any interface). The default value is an empty string.
vif This parameter is the name of the vif on the corresponding interface the packet arrives on. Only packets arriving on that vif will pass this criteria. The value must be either the name of a vif that belongs to interface and is known to the router forwarding path or an empty string (i.e., any interface). The default value is an empty string.
network This parameter specifies the source network address prefix. The value is in the form of an IP address and prefix-length in the address/prefix-length format. Only packets with source address that belong to this address prefix will pass this criteria. The default value is 0.0.0.0/0, i.e., any source address.
port-begin This parameter specifies the lower bound of the source port number interval, and is an integer value in the interval [0..65535]. It applies only for TCP and UDP packets. Only packets with source port number that is equal or larger than port-begin will pass this criteria. In other words, the source port number must be in the interval [port-begin..port-end]. The default value is 0.
port-end This parameter specifies the upper bound of the source port number interval, and is an integer value in the interval [0..65535]. It applies only for TCP and UDP packets. Only packets with source port number that is equal or smaller than port-end will pass this criteria. In other words, the source port number must be in the interval [port-begin..port-end]. The default value is 65535.
Destination Specific Configuration
Keyword Description
network This parameter specifies the destination network address prefix. The value is in the form of an IP address and prefix-length in the address/prefix-length format. Only packets with destination address that belong to this address prefix will pass this criteria. The default value is 0.0.0.0/0, i.e., any destination address.
port-begin This parameter specifies the lower bound of the destination port number interval, and is an integer value in the interval [0..65535]. It applies only for TCP and UDP packets. Only packets with destination port number that is equal or larger than port-begin will pass this criteria. In other words, the destination port number must be in the interval [port-begin..port-end]. The default value is 0.
port-end This parameter specifies the upper bound of the destination port number interval, and is an integer value in the interval [0..65535]. It applies only for TCP and UDP packets. Only packets with destination port number that is equal or smaller than port-end will pass this criteria. In other words, the destination port number must be in the interval [port-begin..port-end]. The default value is 65535.

Example Configurations

We recommend that the initial firewall configuration uses rule numbers with large interval between (e.g., 100, 200, 300), such that other rules can be inserted later if necessary.

firewall {
  rule4 100 {
    action: "pass"
    protocol: 6 /* TCP */
    destination {
      network: 10.10.10.10/32
      port-begin: 80
      port-end: 80
    }
  }
  rule4 200 {
    action: "drop"
    protocol: 6 /* TCP */
    source {
      interface: "fxp0"
      vif: "fxp0"
      network: 0.0.0.0/0
      port-begin: 0
      port-end: 65535
    }
    destination {
      network: 10.10.0.0/24
      port-begin: 0
      port-end: 1024
    }
  }
  rule4 65000 {
    action: "pass"
    protocol: 6 /* TCP */
  }
}

In the example above, the router has only three firewall rules configured. The first rule (rule 100) will allow all TCP traffic to IP address 10.10.10.10 and TCP port number 80 (i.e., HTTP requests) to pass. The second rule (rule 200) will drop all TCP traffic arriving on interface/vif fxp0/fxp0 if the destination IP address belongs to subnet 10.10.0.0/24 and the destination TCP port number is in the interval [0..1024]. The third rule (rule 65000) will allow all remaining TCP traffic.

Monitoring Firewall Rules

Examples of firewall monitoring include displaying the set of installed firewall rules in the data forwarding plane, or displaying information about the number of packets that have matched a particular firewall rule. Currently (July 2008) XORP doesn’t support monitoring firewall rules. The commands that are provided with the underlying system should be used to monitor the firewall rules (e.g.,ipfw for FreeBSD and iptables for Linux).

1) On FreeBSD with ipfw enabled, rule number 65535 is reserved by the system as the default rule that matches all packets and it cannot be modified or deleted.
2) See file ERRATA from the XORP distribution for additional information how to compile XORP on Linux with firewall support enabled.
3) Currently (July 2008) XORP has only preliminary support to configure firewall rules.
latex2wiki/user_manual/firewall.txt · Last modified: 2011/03/12 14:15 by Pierre Lepropre