30.5 Access Control Lists

You can create custom Access Control Lists (ACLs) to define specific IP or MAC addresses from which unsolicited traffic should always be blocked or should always be allowed. An ACL setting overrides port rules and the default port behavior.

The following table provides instructions for managing the ACLs. For each task, the steps are listed first, followed by any additional details.

Create a new ACL

  1. Click Add > Create New.

  2. Fill in the following fields:

    Name: Specify a unique name for the Access Control List. For information about valid characters, see Naming Conventions in ZENworks Control Center.

    Description: Provide optional text that helps identify the purpose, membership, creator, or owner.

    ACL Behavior: Select Trusted to specify that membership in this ACL allows access. Select Non-Trusted to specify that membership in this ACL denies access.

    Configure Optional Ports: By default, the ACL behavior is applied to all ports. For example, if the ACL behavior is trusted, all ports trust the addresses included in the ACL.

    If you want the ACL to apply to only specific ports, select this option then specify the ports and the behavior for the ports (Open, Closed, or Stateful). This causes the ACL Behavior setting to be ignored in favor of the individual port behavior settings.

    Address Types: Specify the IP and MAC addresses that are members of the ACL. To do so, click New, select the type (IP Address or DNS Name, MAC Address, or Macro), specify the appropriate address or select the desired macro, then click OK.

    The macros are predefined IP address groups. For example, All DHCP applies the ACL behavior to a device’s current DHCP server IP addresses while Default DHCP applies it to the current Default DHCP server IP address.

    Define Another Access Control List: Select this option to create another Access Control List after you finish with this one.

  3. Click OK to save the Access Control List.

    By default, the ACL is enabled. If you do not want it enabled at this time, deselect the Enabled box.

Additional details: Use one of the following formats when specifying an IP address:

  • xxx.xxx.xxx.xxx: Standard dotted-decimal notation for a single address. For example, 123.45.167.100.

  • xxx.xxx.xxx.xxx/n: Standard CIDR (Classless Inter-Domain Routing) notation. For example, 123.45.167.100/24 matches all IP addresses that start with 123.45.167.

  • www.domain_name: Standard domain name notation. For example, www.novell.com.

  • www.domain_name/n: Standard CIDR (Classless Inter-Domain Routing) notation for a domain name. For example, www.novell.com/16.

IMPORTANT: To enforce the ACL, an IP address range is expanded to individual IP addresses. A large range can consume significant resources on the device and impact performance. To minimize this impact, define ranges that include only the IP addresses you want to control.

Use the following format when specifying a MAC address: xx:xx:xx:xx:xx:xx. For example, 01:23:45:67:89:ab.
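As an added illustration (not ZENworks code and not from this documentation), the following Python models the IP and MAC member formats above, the expansion cost the IMPORTANT note describes, and how an enabled ACL overrides the default port behavior. It assumes a Non-Trusted match takes precedence over a Trusted one, that only Open ports accept unsolicited traffic, and it leaves DNS-name members out because they require name resolution.

```python
import ipaddress
import re

# Added example, not code from ZENworks or its documentation. Assumptions:
# a Non-Trusted match wins over a Trusted one, only "Open" ports accept
# unsolicited traffic, and DNS-name members are not modelled.
MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")

def parse_member(entry):
    """Return ("mac", normalised mac) or ("ip", IPv4Network) for an ACL member."""
    if MAC_RE.match(entry):
        return ("mac", entry.lower())
    try:
        # strict=False lets 123.45.167.100/24 denote the whole 123.45.167.0/24 block
        return ("ip", ipaddress.ip_network(entry, strict=False))
    except ValueError:
        raise ValueError(f"DNS-name member not supported in this model: {entry}")

def expanded_size(entry):
    """Number of individual addresses the entry expands to when enforced."""
    kind, value = parse_member(entry)
    return 1 if kind == "mac" else value.num_addresses

def evaluate(src_ip, src_mac, acls, port_default):
    """Decide whether unsolicited traffic from (src_ip, src_mac) is allowed.
    acls: dicts with behavior ("Trusted"/"Non-Trusted"), enabled and members.
    port_default ("Open"/"Closed"/"Stateful") is used only if no ACL matches."""
    ip, mac = ipaddress.ip_address(src_ip), src_mac.lower()
    matched = set()
    for acl in acls:
        if not acl["enabled"]:  # a disabled ACL stays in the policy but is not applied
            continue
        for kind, value in map(parse_member, acl["members"]):
            if (kind == "mac" and value == mac) or (kind == "ip" and ip in value):
                matched.add(acl["behavior"])
                break
    if "Non-Trusted" in matched:
        return "blocked"
    if "Trusted" in matched:
        return "allowed"
    return "allowed" if port_default == "Open" else "blocked"

# Constructed sample policy: deny a /24 by IP address, trust one device by MAC.
SAMPLE_ACLS = [
    {"name": "Blocked subnet", "behavior": "Non-Trusted", "enabled": True,
     "members": ["123.45.167.100/24"]},
    {"name": "Admin workstation", "behavior": "Trusted", "enabled": True,
     "members": ["01:23:45:67:89:ab"]},
]
```

Comparing expanded_size("123.45.167.100/24") with expanded_size("www.novell.com/16")-style /16 ranges (65536 addresses) makes the performance caveat concrete.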

Copy an existing ACL from another policy

  1. Click Add > Copy Existing.

  2. Select the Firewall policies whose ACL you want to copy.

  3. Click OK.

All ACLs included in the other Firewall policies are copied. If necessary, you can edit the copied ACLs after they are added to the list.

Import an ACL from a policy export file

  1. Click Add > Import.

  2. Click to display the Select File dialog box.

  3. Click Browse, select the export file, then click OK.

  4. Click OK to add the ACLs to the list.

All ACLs included in the export file are imported. If necessary, you can edit the imported ACLs after they are added to the list.

For information about exporting ACLs, see Export an ACL.

Enable or disable an ACL

  1. Locate the ACL in the list.

  2. In the Enabled column, select the check box to enable the ACL.

    or

    Deselect the check box to disable the ACL.

When you add an ACL it is enabled by default. You can disable an ACL to save it in the policy but no longer apply it.

Edit an ACL

  1. Click the ACL name.

  2. Modify the fields as desired.

  3. Click OK.


Rename an ACL

  1. Select the check box next to the ACL name, then click Edit > Rename.

  2. Modify the name as desired.

  3. Click OK.


Export an ACL

  1. Select the check box next to the ACL name.

    You can select multiple ACLs to export.

  2. Click Edit > Export.

  3. Save the file.

    The default name given to the file is sharedComponents.xml. You can change the name if desired. Do not change the .xml extension.


Delete an ACL

  1. Select the check box next to the ACL name, then click Delete.

  2. Click OK to confirm deletion of the ACL.