
Packet Filter Exceptions

Novell Cool Solutions: Feature


Posted: 14 Jun 2002
 

Version: BorderManager 3.7

Novell BorderManager 3.7 provides enhanced packet filtering capabilities that can be used to build firewalls that enforce your access policies and protect your employees' use of the Internet. A firewall is a network component that controls the traffic flowing between internal (private) networks and external (public) networks such as the Internet. Firewalls can also be used to separate your internal data networks (intranets) from one another to protect valuable company data such as research and development, corporate financial data, personnel files, and other sensitive information.

There are two approaches to network security: "deny all and allow by exception" or "allow all and deny by exception." BorderManager packet filters take the former approach: all traffic to and from the Public interface is blocked by default, and filter exceptions are created specifically for the protocols and services you wish to allow. An exception can be universal, or it can apply only to specified network addresses or host addresses.

Default Filter Exceptions

The following table shows the default filter exceptions for BorderManager. These allow the proxy/cache and VPN services to function. In this example 209.94.205.100 is the address of the BorderManager server's Public interface, so the inbound rows admit traffic addressed to the server itself and the last row lets the server's own replies leave through the Public interface:

Source Interface  Destination Interface  Protocol ID  Port        Source Address  Destination Address  Service
Public            Any                    TCP          443         Any             209.94.205.100       SSL Proxy
Public            Any                    TCP/UDP      1024-65535  Any             209.94.205.100       Dynamic
Public            Any                    TCP          213         Any             209.94.205.100       VPN
Public            Any                    TCP/UDP      353         Any             209.94.205.100       VPN
Public            Any                    SKIP (57)    All         Any             209.94.205.100       VPN
Public            Any                    TCP          80          Any             209.94.205.100       HTTP Proxy
Any               Public                 IP           All         209.94.205.100  Any                  Replies

Note that the Dynamic exception admits inbound TCP and UDP to every port from 1024 to 65535 on the server's Public address, so anything listening on a high port on that server is reachable from the Internet. Review that exception before relying on the defaults rather than assuming the default set is minimal.

You can manually enter other exceptions as needed. The addresses below are examples: 172.19.132.110 is an internal mail and web host, and 196.3.132.0 is the DNS server network that Private-side hosts are allowed to query. Because 172.19.132.110 is private (RFC 1918) address space, the inbound SMTP, HTTP and SSL rows only make sense if that host is published to the Internet, for example through a static NAT mapping on the BorderManager server.

Source Interface  Destination Interface  Protocol ID  Port        Source Address  Destination Address  Service
Private           Any                    TCP          20/21       Any             Any                  FTP
Public            Any                    TCP          23          Any             209.94.205.100       Telnet Proxy
Private           Any                    TCP/UDP      53          Any             196.3.132.0          DNS Lookup
Public            Any                    UDP          123         Any             209.94.205.100       NTP
Private           Any                    TCP          25          172.19.132.110  Any                  SMTP out
Public            Any                    TCP          25          Any             172.19.132.110       SMTP in
Private           Any                    TCP          110         Any             Any                  POP3 query
Private           Any                    TCP          443         Any             Any                  SSL out
Public            Any                    TCP          80          Any             172.19.132.110       HTTP in
Public            Any                    TCP          443         Any             172.19.132.110       SSL in
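Both tables are evaluated the same way: a packet is dropped unless the source interface, destination interface, protocol, port and address fields of some exception all match it. The Python model below is an added example written for this page, not Novell code and not how BorderManager is implemented internally; it loads a subset of rows from the default table and the manual table above and runs constructed sample packets through a first-match, deny-by-default evaluation. It shows two things the tables alone do not make obvious: the Dynamic exception lets an Internet host reach an arbitrary high port on the server, and a workstation sending SMTP directly is dropped because only the mail host has an "SMTP out" exception. The "Local" interface label (for packets to or from the server itself), the documentation-range Internet addresses 198.51.100.0/24 and 203.0.113.0/24, and the rule that a protocol without ports (SKIP) never matches a port-specific exception are modelling assumptions.

```python
"""Deny-all-by-default packet filter modelled on the BorderManager exception
tables. Added example, not Novell code; rules are a subset of the article's
tables and the sample packets are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence

# Addresses from the article's tables. 209.94.205.100 is the server's Public
# interface; 172.19.132.110 is the internal mail/web host. Internet hosts below
# use documentation ranges (198.51.100.0/24, 203.0.113.0/24): constructed data.
SERVER_PUBLIC = "209.94.205.100"
MAIL_HOST = "172.19.132.110"


@dataclass(frozen=True)
class Packet:
    src_iface: str  # "Public", "Private", or "Local" for packets the server originates (assumption)
    dst_iface: str  # "Public", "Private", or "Local" when addressed to the server itself (assumption)
    proto: str      # "TCP", "UDP", or an IP protocol number as a string ("57" for SKIP)
    dst_port: Optional[int]
    src: str
    dst: str


@dataclass(frozen=True)
class FilterException:
    src_iface: str  # "Public", "Private" or "Any"
    dst_iface: str
    proto: str      # "TCP", "UDP", "TCP/UDP", "IP", or "SKIP (57)"
    ports: str      # "All", "443", "20/21" or "1024-65535"
    src_addr: str   # "Any", a host address, or a network in CIDR notation
    dst_addr: str
    service: str


def _iface_matches(rule: str, actual: str) -> bool:
    return rule == "Any" or rule == actual


def _proto_matches(rule: str, actual: str) -> bool:
    if rule == "IP":                       # "IP" means any IP protocol
        return True
    if "(" in rule:                        # "SKIP (57)": compare the protocol number
        return rule.split("(")[1].rstrip(")") == actual
    return actual in rule.split("/")       # "TCP", "UDP" or "TCP/UDP"


def _port_matches(rule: str, port: Optional[int]) -> bool:
    if rule == "All":
        return True
    if port is None:                       # assumption: a port-less protocol never matches a port rule
        return False
    if "-" in rule:                        # "1024-65535" is an inclusive range
        lo, hi = (int(p) for p in rule.split("-"))
        return lo <= port <= hi
    return port in {int(p) for p in rule.split("/")}   # "20/21" lists individual ports


def _addr_matches(rule: str, addr: str) -> bool:
    return rule == "Any" or ip_address(addr) in ip_network(rule, strict=False)


def matches(rule: FilterException, pkt: Packet) -> bool:
    return (_iface_matches(rule.src_iface, pkt.src_iface)
            and _iface_matches(rule.dst_iface, pkt.dst_iface)
            and _proto_matches(rule.proto, pkt.proto)
            and _port_matches(rule.ports, pkt.dst_port)
            and _addr_matches(rule.src_addr, pkt.src)
            and _addr_matches(rule.dst_addr, pkt.dst))


def evaluate(pkt: Packet, exceptions: Sequence[FilterException]) -> Optional[str]:
    """Deny all, allow by exception: return the service name of the first
    exception that matches, or None when the packet is dropped."""
    for rule in exceptions:
        if matches(rule, pkt):
            return rule.service
    return None


E = FilterException
EXCEPTIONS = [
    # default exceptions (subset of the first table)
    E("Public", "Any", "TCP", "443", "Any", SERVER_PUBLIC, "SSL Proxy"),
    E("Public", "Any", "TCP/UDP", "1024-65535", "Any", SERVER_PUBLIC, "Dynamic"),
    E("Public", "Any", "SKIP (57)", "All", "Any", SERVER_PUBLIC, "VPN"),
    E("Public", "Any", "TCP", "80", "Any", SERVER_PUBLIC, "HTTP Proxy"),
    E("Any", "Public", "IP", "All", SERVER_PUBLIC, "Any", "Replies"),
    # manually added exceptions (subset of the second table)
    E("Private", "Any", "TCP", "20/21", "Any", "Any", "FTP"),
    E("Private", "Any", "TCP", "25", MAIL_HOST, "Any", "SMTP out"),
    E("Public", "Any", "TCP", "25", "Any", MAIL_HOST, "SMTP in"),
]

# Constructed sample traffic.
SAMPLES = {
    "browser to HTTPS proxy":              Packet("Public", "Local", "TCP", 443, "198.51.100.7", SERVER_PUBLIC),
    "Internet host to port 31337 on server": Packet("Public", "Local", "TCP", 31337, "198.51.100.7", SERVER_PUBLIC),
    "Internet host to port 22 on server":  Packet("Public", "Local", "TCP", 22, "198.51.100.7", SERVER_PUBLIC),
    "SKIP from VPN peer":                  Packet("Public", "Local", "57", None, "203.0.113.9", SERVER_PUBLIC),
    "proxy reply to browser":              Packet("Local", "Public", "TCP", 51234, SERVER_PUBLIC, "198.51.100.7"),
    "mail host sends SMTP":                Packet("Private", "Public", "TCP", 25, MAIL_HOST, "203.0.113.25"),
    "workstation sends SMTP":              Packet("Private", "Public", "TCP", 25, "172.19.132.50", "203.0.113.25"),
}


def decisions(samples=SAMPLES, exceptions=EXCEPTIONS) -> dict:
    """Map each sample label to the matching service name, or None for a drop."""
    return {label: evaluate(pkt, exceptions) for label, pkt in samples.items()}


if __name__ == "__main__":
    for label, service in decisions().items():
        print(f"{label:40s} -> {'ALLOW via ' + service if service else 'DENY (no exception)'}")
```

Running the block shows "Internet host to port 31337 on server" allowed via Dynamic, which is exactly the exposure the note under the default table warns about, and "workstation sends SMTP" dropped, since the only outbound SMTP exception names the mail host as source.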

Resetting the Default Filter Exceptions

If you find yourself in a mess with the filter exceptions you have configured manually, you can reset the default ones and start fresh. Keep in mind that the steps below unload the filters and disable filter support, so the Public interface is unprotected until BRDCFG has reapplied the defaults; do this in a maintenance window or with the Public link disconnected. Here's how:

For BorderManager 3.6

  1. Unload IPFLT, IPXFLT and FILTSRV at the console.
  2. Disable filter support in INETCFG under Protocols for both TCP/IP and IPX.
  3. Rename SYS:ETC/FILTERS.CFG.
  4. Run REINITIALIZE SYSTEM.
  5. LOAD BRDCFG.NLM.
  6. Answer NO when asked to launch INETCFG.NLM.
  7. Select "Set filters on the Public interface".
  8. Select the PUBLIC interface and press ENTER on Continue.
  9. Press ENTER to acknowledge both the IP and the IPX filter placement messages.
  10. Press ESCAPE to leave BRDCFG.NLM. The system is reinitialized automatically.

For BorderManager 3.7

BorderManager 3.7 stores filters and exceptions in NDS rather than only in FILTERS.CFG, so first clear the existing filters and exceptions there, using either method:

  1. In iManager (Filter Configuration) or in FILTCFG, delete all existing filters and exceptions.

OR

  1. Start ConsoleOne and log in to NDS.
  2. Right-click the NCP Server object on which you want to configure default filters.
  3. Open Properties and choose Other (Edit).
  4. Delete the attributes fwsFilterList and fwsExceptionList.

Then write the default filters to FILTERS.CFG and migrate them into NDS:

  1. Unload IPFLT, IPXFLT and FILTSRV at the console.
  2. Disable filter support in INETCFG under Protocols for both TCP/IP and IPX.
  3. Rename SYS:ETC/FILTERS.CFG.
  4. Run REINITIALIZE SYSTEM.
  5. LOAD BRDCFG.NLM.
  6. Answer NO when asked to launch INETCFG.NLM.
  7. Select "Set filters on the Public interface".
  8. Select the PUBLIC interface and press ENTER on Continue.
  9. Press ENTER to acknowledge both the IP and the IPX filter placement messages.
  10. Press ESCAPE to leave BRDCFG.NLM. The system is reinitialized automatically.
  11. Unload IPFLT, IPXFLT and FILTSRV.
  12. At the console run FILTSRV MIGRATE. This copies the freshly written defaults from FILTERS.CFG into the server object's fwsFilterList and fwsExceptionList attributes in NDS.
  13. Unload FILTSRV.NLM.
  14. At the system console run REINITIALIZE SYSTEM.

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell