Adtran
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
jwink
New Contributor III
‎01-03-2014 11:35 AM

Firewall question

Hello, I am slowly learning the Adtran OS but have a question about firewall.   For the config below I get firewall statements such as "X.X.X.X. blocked on port xxx from default policy class" or something to that effect on the 0/2.20 subinterface.   I am trying to be completely non blocking on that sub interface yet I see these statements.  Can someone shed some light on this please?  I was directed to leave the access-policy off to be non blocking, have I been misinformed?   E 0/1 has access-policy Public.

Thanks in advance, I always find the right answers here.

interface eth 0/2

  description Voice and LAN

  encapsulation 802.1q

  no shutdown

!

interface eth 0/2.1

  description Voice VLAN

  vlan-id 1 native

  ip address  192.168.0.1  255.255.255.0

  access-policy Private

  qos-policy in SET_DSCP

  no shutdown

!

interface eth 0/2.20

  description To Customer Firewall WAN Port

  vlan-id 20

  ip address  216.x.x.x 255.255.255.252

  no shutdown

Labels (2)
Labels
Tags (3)
0 Kudos
Reply
4 Replies
jayh
Honored Contributor
Honored Contributor
‎01-03-2014 01:41 PM

Re: Firewall question

By default anything not allowed by a policy is denied.  Add a policy to the ethernet 0/2.20 interface and allow it to and from Public.  Best practice is to limit the ability to spoof addresses not part of the subnet.  This catches malware and some forms of attack traffic.

interface eth 0/2.20

  description To Customer Firewall WAN Port

  vlan-id 20

  ip address  216.x.x.x 255.255.255.252

  access-policy Firewall-WAN

  no shutdown

ip access-list extended fw-out-list

  remark firewall out anti-spoofing

  permit ip 216.x.x.x 0.0.0.3 any

ip access-list extended fw-in-list

  remark firewall in anti-spoofing

  deny ip 216.x.x.x 0.0.0.3 any

  permit ip any 216.x.x.x 0.0.0.3

ip policy-class Firewall-WAN

  allow list fw-out-list policy Public

ip policy-class Public

  allow list fw-in-list policy Firewall-WAN

0 Kudos
Accept as Solution Reply
Anonymous
Not applicable
‎01-06-2014 01:20 PM

Re: Firewall question

Jim,

Thanks for posting!   I just wanted to add a couple more details about the behavior of our unit when the firewall is turned on, but no access-policy is applied to a routed interface.  When no access-policy is applied, traffic enters the "default policy-class" which is just includes a "stateful" allow rule.  Stateful vs. stateless processing is defined in the following document.

Configuring the Firewall (IPv4) AOS

Stateful processing is needed for any ALG or proxy type function in the unit, and also serves to prevent several types of "attacks" also defined in the document above.  However, if you want stateless processing, you would need to specifically configure it on the unit.  Below is a short example.


interface eth 0/2.20


  vlan-id 20


  ip address  216.x.x.x 255.255.255.252


  ip access-policy PublicLAN


  no shutdown


!


ip access-list extended MatchAll


  permit ip any any


!


ip policy-class PublicLAN


  allow list MatchAll stateless


Thanks!

David

0 Kudos
Accept as Solution Reply
jwink
New Contributor III
‎01-06-2014 01:33 PM

Re: Firewall question

David,

Thanks very much for the input and clarifying this for me. I'll

place this piece of config is our lab and begin testing.

Thanks!

Jim Winkleblack

Sales Engineer IV

Consolidated Communications

217-258-2928 Ofc

217-254-5330 Cell

Jim.Winkleblack@consolidated.com

0 Kudos
Accept as Solution Reply
Anonymous
Not applicable
‎01-29-2014 07:58 AM

Re: Firewall question

Jwink,

I went ahead and flagged this post as "Assumed Answered".  If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons.  This will make them visible and help other members of the community find solutions more easily.  If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.

Thanks!

David

0 Kudos
Accept as Solution Reply