Frequent Contributor II
Posts: 135
Registered: ‎07-06-2012

Firewall policy specify port as source or destination

Hello all,

I am reading how to create a firewall policy and I see something like "user any udp 68 deny", but how can I know if this is the source or destination port number, and how can I configure source and destination ports specifically? If I add two port numbers, will the first one be the source port number and the second the destination port number?

In addition, does each policy have an implicit deny?

In the campus configuration document release 8, when they define the employee role they have four policies in this role:

1- common
2- sip
3- ocs
4- allow all (predefined)

If common has an implicit deny at the end, this means nothing will reach the remaining policies.

If common does not have an explicit deny at the end and it only exists at the end of allow-all, then why did Aruba define a permit to certain DNS servers if they are not going to deny traffic to other DNS servers?

The following is from the Aruba document:

MC1-Sunnyvale-3600
!
ip access-list session common
user any udp 68 deny
any any svc-dhcp permit
any any svc-icmp permit <-- allow icmp 0
user alias dns-servers svc-dns permit
!

I believe we also need (at the end of the above red lines):

any any icmp deny
user any svc-dns deny

Can someone clarify if I am right, or how Aruba denied other DNS traffic?

Frequent Contributor II
Posts: 135
Registered: ‎07-06-2012

Re: Firewall policy specify port as source or destination

Will anyone from the administrators/moderators respond to this topic?

Guru Elite
Posts: 20,582
Registered: ‎03-29-2007

Re: Firewall policy specify port as source or destination

Sorry for not answering your question the first time:

You can only specify a source, a destination and a destination port (no source port). It is implied to mean ANY source port.

In the example "user any udp 68 deny", it is denying traffic from any user in the user table to anywhere via UDP port 68. Specifically, it is denying users from answering DHCP requests from other devices.

There IS an implicit deny all at the end of all firewall policies.

If there is an allow all somewhere in the policy, that means all traffic is allowed at that point and no other rules will be processed. All traffic will be allowed.

In the access list below, traffic is allowed to a specific set of DNS servers, but all other traffic (DNS or otherwise) will be denied by the implicit deny at the end of all access lists. I hope this helps, and let us know if you have any further questions.

ip access-list session common
user any udp 68 deny
any any svc-dhcp permit
any any svc-icmp permit <-- allow icmp 0
user alias dns-servers svc-dns permit

Colin Joseph
Aruba Customer Engineering

Frequent Contributor II
Posts: 135
Registered: ‎07-06-2012

Re: Firewall policy specify port as source or destination

"In the access list below, traffic is allowed to a specific set of DNS servers, but all other traffic (dns or otherwise) will be denied by the implicit deny at the end of all access lists"

In this case, why do we have (sip-policy) & allow-all in the same user-role if the packet is not going to reach them?!

Guru Elite
Posts: 20,582
Registered: ‎03-29-2007

Re: Firewall policy specify port as source or destination

At the end of the LAST policy is an explicit deny. If you have four policies attached to a role, the end of the fourth policy is an explicit deny.



Colin Joseph
Aruba Customer Engineering
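
As an added illustration of the two answers above (example code written for this page, not Aruba's code and not how the ArubaOS firewall is implemented): a small Python model of session-ACL evaluation with the semantics Colin describes. Rules are walked first-match-wins, policies in the order they are attached to the role, only the destination port is checked (the source port is never consulted), and a packet that falls off the end of the last policy hits the deny. Everything not on the page is an assumption made for the example: svc-dhcp modelled as UDP 67-68, svc-dns as UDP 53, svc-icmp as protocol ICMP, the allowall policy as "any any any permit", the user-table members and the dns-servers alias members. Stateful handling of return traffic is not modelled.

```python
"""Toy first-match evaluator for ArubaOS-style session ACLs (added example, not Aruba code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed definitions; on a real controller these come from netservice / netdestination /
# the user table. Services are (protocol, low_dport, high_dport); ICMP has no ports.
SERVICES: Dict[str, Tuple[str, Optional[int], Optional[int]]] = {
    "svc-dhcp": ("udp", 67, 68),    # assumed to mirror the predefined svc-dhcp
    "svc-dns":  ("udp", 53, 53),    # assumed
    "svc-icmp": ("icmp", None, None),
    "any":      ("any", None, None),
}
USER_TABLE: Set[str] = {"10.1.1.10", "10.1.1.11"}               # constructed
ALIASES: Dict[str, Set[str]] = {"dns-servers": {"10.0.0.53"}}   # constructed

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "udp", "tcp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str
    action: str

def _endpoint(tok: List[str]) -> str:
    """Pop one endpoint: 'any', 'user', 'alias NAME' or a host IP."""
    first = tok.pop(0)
    return "alias:" + tok.pop(0) if first == "alias" else first

def parse_rule(line: str) -> Rule:
    """Parse 'SRC DST SERVICE ACTION' in the forms used on the page, e.g. 'user any udp 68 deny'."""
    tok = line.split()
    src, dst = _endpoint(tok), _endpoint(tok)
    action = tok.pop()                            # permit / deny is always last
    return Rule(src, dst, " ".join(tok), action)  # service is whatever sits in between

def _match_endpoint(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec == "user":                            # any address currently in the user table
        return ip in USER_TABLE
    if spec.startswith("alias:"):
        return ip in ALIASES[spec[len("alias:"):]]
    return ip == spec

def _match_service(spec: str, pkt: Packet) -> bool:
    """Only protocol and DESTINATION port are checked; pkt.sport is never consulted."""
    if spec in SERVICES:
        proto, lo, hi = SERVICES[spec]
    else:                                         # inline form: 'udp 68' or 'tcp 8000 8080'
        parts = spec.split()
        proto, lo, hi = parts[0], int(parts[1]), int(parts[-1])
    if proto != "any" and proto != pkt.proto:
        return False
    return lo is None or (pkt.dport is not None and lo <= pkt.dport <= hi)

def evaluate(role: List[Tuple[str, List[str]]], pkt: Packet) -> Tuple[str, str]:
    """Walk the role's policies in order; the first matching rule decides.
    Returns (action, 'policy:rule-number') or ('deny', 'implicit-deny') if nothing matched."""
    for name, lines in role:
        for n, line in enumerate(lines, 1):
            r = parse_rule(line)
            if (_match_endpoint(r.src, pkt.src) and _match_endpoint(r.dst, pkt.dst)
                    and _match_service(r.service, pkt)):
                return r.action, f"{name}:{n}"
    return "deny", "implicit-deny"

# The 'common' policy exactly as quoted on the page.
COMMON = ["user any udp 68 deny", "any any svc-dhcp permit",
          "any any svc-icmp permit", "user alias dns-servers svc-dns permit"]
ALLOWALL = ["any any any permit"]                 # assumed contents of the predefined allowall
STRICT = COMMON + ["user any svc-dns deny"]       # the original poster's proposed extra rule

if __name__ == "__main__":
    cases = [  # constructed packets
        ("user answers DHCP on port 68",   Packet("10.1.1.10", "10.1.1.11", "udp", 67, 68)),
        ("user's own DHCP discover",       Packet("10.1.1.10", "255.255.255.255", "udp", 68, 67)),
        ("non-user host sends to port 68", Packet("10.0.0.53", "10.1.1.10", "udp", 67, 68)),
        ("DNS to listed server",           Packet("10.1.1.10", "10.0.0.53", "udp", 40000, 53)),
        ("DNS to other server",            Packet("10.1.1.10", "8.8.8.8", "udp", 40000, 53)),
    ]
    for role_name, role in (("common only", [("common", COMMON)]),
                            ("common + allowall", [("common", COMMON), ("allowall", ALLOWALL)]),
                            ("strict + allowall", [("common", STRICT), ("allowall", ALLOWALL)])):
        print(f"== role: {role_name}")
        for label, pkt in cases:
            print(f"  {label:34s} -> {evaluate(role, pkt)}")
```

Running it shows the three points of the thread side by side: a user replying on destination port 68 is denied by the first rule while the same user's DHCP discover (source port 68, destination port 67) is permitted by svc-dhcp, because the source port plays no part; DNS to a server outside the dns-servers alias falls through to the deny when common is the only policy but is permitted by allowall when that policy follows; and the "user any svc-dns deny" the original poster proposed is what stops allowall from permitting it.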