Comware


MSR 1003-8 block incoming ports

  • 1.  MSR 1003-8 block incoming ports

    Posted Jun 13, 2020 04:40 AM

    I have a MSR 1003-8 that is routing between a public IP on the WAN ethernet 0/0 (e.g. 140.140.8.12) and a public IP range on the LAN ports (e.g. 140.140.9.0/24) - different subnets. I have traffic going in and out ok.

    I would like to block all traffic coming in and then to open one incoming port to the entire LAN subnet.

    Don't appear to be able to do this using the GUI.

    Advice on how to do the ACL setup would be welcome.


    #WAN
    #MSR1000
    #ACL


  • 2.  RE: MSR 1003-8 block incoming ports

    EMPLOYEE
    Posted Jun 13, 2020 04:52 AM

    Hi Mark_Gregory!

    What is your router's model - JG732A or JH060A? Both are 1003-8, the latter has 'S' at the end and is running Comware 7 instead of 5. Syntax may vary, that is why it is important to clarify. Which protocol's port do you need to open - TCP or UDP? It will help to understand your setup if you post the configuration of your Eth0/0 (WAN) port. You can remove the IP address if you wish, but I need to see if there is any filtering ACL configured on the port already. From your message it seems like you don't have NAT, but again it is something to be checked before proposing the config. 'display curr int eth0/0' should be enough as a start.




  • 3.  RE: MSR 1003-8 block incoming ports

    Posted Jun 13, 2020 09:13 AM

    Thank you for the response. The device is a JG732A.

    It appears that I cannot edit the ACL using the GUI - I cannot see the rules anywhere. In the console I see

    #
    time-range tr3980 00:00 to 24:00 daily

    acl number 3100
    description ExternaltoInternal
    rule 0 permit tcp destination xxx.xxx.20.0 0.0.0.255 destination-port eq 3389
    rule 1 permit udp destination xxx.xxx.20.0 0.0.0.255 destination-port eq 3389
    rule 2 permit tcp destination xxx.xxx.20.64 0 destination-port eq www
    rule 3 permit tcp source xxx.xxx.20.50 0 destination-port eq 22
    rule 4 permit tcp source xxx.xxx.20109 0 destination-port eq 22
    rule 5 permit tcp destination xxx.xxx.20.170 0 destination-port eq 8080
    rule 10 permit tcp destination xxx.xxx.20.170 0 destination-port eq 1723
    rule 15 permit tcp destination xxx.xxx.20.170 0 destination-port eq www
    acl number 3200
    rule 0 permit tcp source xxx.xxx.20.0 0.0.0.255
    rule 1 permit udp source xxx.xxx.20.0 0.0.0.255
    acl number 3980
    step 1
    rule 0 permit ip source xxx.xxx.20.210 0 time-range tr3980

    #
    vlan 1
    #
    vlan 68
    #

    and

    traffic classifier acl3980deny operator or
    if-match acl 3980
    #
    traffic behavior acldeny
    filter deny
    #
    qos policy PolicyLimit
    classifier acl3980deny behavior acldeny

    interface Vlan-interface68
    ip address xxx.xxx.20.254 255.255.255.0
    dhcp server apply ip-pool vlan68
    firewall packet-filter 3200 inbound
    #
    interface GigabitEthernet0/0
    port link-mode route
    description our
    firewall packet-filter 3100 inbound
    ip address xxx.xxx.10.10 255.255.255.240
    qos apply policy PolicyLimit outbound
    attack-defense apply policy 86

    ip route-static 0.0.0.0 0.0.0.0 xxx.xxx.10.13


    I suppose what might help, is being pointed to the document that I should follow for this model - something that describes how to add, change and delete ACL for incoming and outgoing traffic. Unfortunately, the GUI is very limited it appears and any help is appreciated.



  • 4.  RE: MSR 1003-8 block incoming ports

    EMPLOYEE
    Posted Jun 13, 2020 11:25 AM

    Ok, so it's a Comware 5 model. From the configuration provided I see that on the WAN Gig0/0 interface you have two packet-filtering entities:

    Inbound is filtered by the ACL 3100.
    Outbound is filtered by QoS policy 'PolicyLimit' that uses ACL 3980 and drops traffic sourced from host xxx.xxx.20.210. Not sure why this construct is so complicated - with time-range, QoS... all kinds of bells and whistles, especially taking into account the time range includes all 24 hours... Actually that is why I am not a big fan of GUIs - they produce code that is not very human-friendly...

    Also, you have Attack Defence policy 86 applied; it is not a packet filter per se, but it is something to be considered if some ACL rules don't work as expected, as it can detect some ordinary traffic as a false positive and drop it. It is a good idea to disable it while fine-tuning filtering ACLs.

    VLAN68 has inbound filter ACL 3200; it is quite promiscuous, as it allows all TCP/UDP traffic from the subnet. I think we can safely ignore it at this moment, unless you think about allowing non-TCP/UDP protocols such as ICMP or ESP for your internal clients...

    TBH I never used Web GUI on Comware products as CLI gives you much more flexibility and control, so I can't advise you on that, but I am pretty sure we can achieve what you want using CLI.

    If I understood you correctly, you need to allow a port or several ports from the Internet (inbound on Gig0/0) to your local subnet on VLAN68 (outbound for the interface). For this purpose you need to edit the ACL 3100 as it is the only packet-filtering entity in this direction. The ACL 3100 looks now like:

    acl number 3100
    description ExternaltoInternal
    rule 0 permit tcp destination xxx.xxx.20.0 0.0.0.255 destination-port eq 3389
    rule 1 permit udp destination xxx.xxx.20.0 0.0.0.255 destination-port eq 3389
    rule 2 permit tcp destination xxx.xxx.20.64 0 destination-port eq www
    rule 3 permit tcp source xxx.xxx.20.50 0 destination-port eq 22
    rule 4 permit tcp source xxx.xxx.20109 0 destination-port eq 22
    rule 5 permit tcp destination xxx.xxx.20.170 0 destination-port eq 8080
    rule 10 permit tcp destination xxx.xxx.20.170 0 destination-port eq 1723
    rule 15 permit tcp destination xxx.xxx.20.170 0 destination-port eq www

    As you can see, all those statements are 'permit' statements. The traffic that doesn't hit any of those rules hits the implicit deny at the end of the ACL. In order to allow something additional you need to add a rule or rules after rule 15; I suggest numbering them with a step of 10 (20, 30, 40, etc.), so you have room to shim additional rules in the future exactly where you need them. Existing rules 0 and 1 can be used as a template for your task, as they allow RDP (tcp:3389 and udp:3389) for the whole VLAN68 subnet; just change the 'destination-port' numbers to the ports you need to allow. For example, if you need to allow Telnet for the whole subnet, the new rule will be:

    rule 20 permit tcp destination xxx.xxx.20.0 0.0.0.255 destination-port eq 23

    etc.

    In order to add the rule to the ACL, open up a CLI session, then:

    system-view
    acl number 3100
    rule 20 permit tcp destination xxx.xxx.20.0 0.0.0.255 destination-port eq 23
    ...
    <add as many rules as needed, every new rule's number should be +10 (rule 20, rule 30, rule 40 etc...)>
    quit

    Then test the ACL by initiating traffic from the Internet on certain ports. If something doesn't work, don't rush to blame the ACL; instead run Wireshark on the local host that is the destination for the traffic and see if the host really doesn't receive anything.

    Don't forget to save the configuration ('save force' command) as soon as you confirm the ACL works according to your expectations.


    Please let me know if you need any help with creating rules - ACLs sometimes get tricky...

    P.S. Useful guide to learn more about CLI configuration of ACLs and QoS - https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-c02659226




  • 5.  RE: MSR 1003-8 block incoming ports

    Posted Jun 25, 2020 08:49 AM

    Thank you, Ivan_B. I've simplified the ACLs used to the following:

    acl number 3100
    description ExternaltoResearchnet
    rule 0 permit tcp destination xxx.xxx.20.0 0.0.0.255 destination-port eq 3389
    rule 1 permit udp destination xxx.xxx.20.0 0.0.0.255 destination-port eq 3389
    rule 3 permit tcp source xxx.xxx.9.5 0 destination-port eq 22
    rule 4 permit tcp source xxx.xxx.10.5 0 destination-port eq 22
    acl number 3200
    description ResearchnettoExternal
    rule 0 permit tcp source xxx.xxx.20.0 0.0.0.255
    rule 1 permit udp source xxx.xxx.20.0 0.0.0.255

    I have three questions.

    1. I would like to confirm that any traffic that does not match a rule in ACL 3100 will be denied entry to VLAN 68 from the WAN - you mentioned this, but I would like to confirm that I don't need to do anything more to block all incoming traffic other than what is in ACL 3100.

    2. For outgoing ACL 3200 on the VLAN interface, how do I block an individual IP from being able to access the internet? Previously I used ACL 3980 to do this - it is a way I found in the GUI to do this using the time-based access. If I use the GUI ACL IPv4->Advanced Config and try to add

    rule 2 deny IP source xxx.xxx.20.210 255.255.255.255

    the GUI changes this to

    rule 2 deny IP

    3. I would like to block outgoing ports, e.g. 53, for VLAN 68 - I think I can see how to do this, but I think I should tackle point 2 before I try to block outgoing ports.

    I appreciate the guidance; I'm learning how to get this device set up.
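As an added illustration (not code from the thread, HPE or the Comware GUI), a small Python model of how a Comware advanced ACL is evaluated: first matching rule wins and anything unmatched falls to the implicit deny, which is the answer to question 1 above. It also shows why the GUI in question 2 collapsed the rule: the second value after `source` is a wildcard mask, so `0` pins one host (as in rules 3 and 4) while `255.255.255.255` matches every address, which is the same as `deny ip` with no source at all. The addresses are constructed documentation prefixes standing in for the masked `xxx.xxx` octets, and only the `source`, `destination` and `destination-port eq` options are modelled.

```python
import ipaddress
# Constructed sample standing in for the thread's ACL 3100: the masked
# "xxx.xxx" octets are replaced with the 203.0.113.0/24 documentation range.
ACL_3100 = """
rule 0 permit tcp destination 203.0.113.0 0.0.0.255 destination-port eq 3389
rule 1 permit udp destination 203.0.113.0 0.0.0.255 destination-port eq 3389
rule 3 permit tcp source 198.51.100.5 0 destination-port eq 22
rule 20 permit tcp destination 203.0.113.0 0.0.0.255 destination-port eq www
"""
PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22}

def _ip(s):
    # Comware accepts a bare "0" as shorthand for the wildcard 0.0.0.0
    return int(ipaddress.IPv4Address("0.0.0.0" if s == "0" else s))

def wildcard_match(addr, base, wildcard):
    # Wildcard mask: 0 bits must match, 1 bits are don't-care, so "0" pins
    # exactly one host and "255.255.255.255" matches every address.
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return _ip(addr) & care == _ip(base) & care

def parse_rule(line):
    tok = line.split()
    rule = {"num": int(tok[1]), "action": tok[2], "proto": tok[3].lower()}
    i = 4
    while i < len(tok):
        if tok[i] in ("source", "destination"):
            rule[tok[i]] = (tok[i + 1], tok[i + 2]); i += 3
        elif tok[i] == "destination-port" and tok[i + 1] == "eq":
            p = tok[i + 2]; rule["dport"] = PORT_NAMES.get(p) or int(p); i += 3
        else:
            i += 1  # options this toy does not model (time-range, logging...)
    return rule

def rule_matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    for key in ("source", "destination"):
        addr = pkt["src"] if key == "source" else pkt["dst"]
        if key in rule and not wildcard_match(addr, *rule[key]):
            return False
    return "dport" not in rule or rule["dport"] == pkt.get("dport")

def evaluate(acl_text, pkt):
    # First matching rule wins; no match falls through to the implicit deny.
    for line in acl_text.strip().splitlines():
        rule = parse_rule(line)
        if rule_matches(rule, pkt):
            return rule["action"], rule["num"]
    return "deny", None
```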