Hello, I am slowly learning the Adtran OS but have a question about firewall. For the config below I get firewall statements such as "X.X.X.X. blocked on port xxx from default policy class" or something to that effect on the 0/2.20 subinterface. I am trying to be completely non blocking on that sub interface yet I see these statements. Can someone shed some light on this please? I was directed to leave the access-policy off to be non blocking, have I been misinformed? E 0/1 has access-policy Public.
Thanks in advance, I always find the right answers here.
interface eth 0/2
description Voice and LAN
encapsulation 802.1q
no shutdown
!
interface eth 0/2.1
description Voice VLAN
vlan-id 1 native
ip address 192.168.0.1 255.255.255.0
access-policy Private
qos-policy in SET_DSCP
no shutdown
!
interface eth 0/2.20
description To Customer Firewall WAN Port
vlan-id 20
ip address 216.x.x.x 255.255.255.252
no shutdown
By default anything not allowed by a policy is denied. Add a policy to the ethernet 0/2.20 interface and allow it to and from Public. Best practice is to limit the ability to spoof addresses not part of the subnet. This catches malware and some forms of attack traffic.
interface eth 0/2.20
description To Customer Firewall WAN Port
vlan-id 20
ip address 216.x.x.x 255.255.255.252
access-policy Firewall-WAN
no shutdown
ip access-list extended fw-out-list
remark firewall out anti-spoofing
permit ip 216.x.x.x 0.0.0.3 any
ip access-list extended fw-in-list
remark firewall in anti-spoofing
deny ip 216.x.x.x 0.0.0.3 any
permit ip any 216.x.x.x 0.0.0.3
ip policy-class Firewall-WAN
allow list fw-out-list policy Public
ip policy-class Public
allow list fw-in-list policy Firewall-WAN
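To see what the two anti-spoofing lists above actually admit and drop, here is an added example (not Adtran code and not from this thread) that evaluates packets against them with first-match, implicit-deny semantics. Since the post elides the real block as 216.x.x.x, the constructed prefix 203.0.113.4/30 stands in for it.

```python
# Added example: first-match ACL evaluator for the fw-in-list / fw-out-list
# anti-spoofing lists. 203.0.113.4/30 is a constructed stand-in for the
# thread's elided 216.x.x.x 255.255.255.252 point-to-point block.
import ipaddress

def wildcard_match(addr, base, wildcard):
    """AOS/Cisco-style wildcard mask: bits set in the wildcard are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def _take_addr(tokens):
    """Consume 'any' or '<base> <wildcard>' and return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' lines; 'remark' lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0] == "remark":
            continue
        src, rest = _take_addr(tokens[2:])   # tokens[1] is the protocol ("ip")
        dst, _ = _take_addr(rest)
        entries.append((tokens[0], src, dst))
    return entries

def evaluate(entries, src, dst):
    """First matching entry wins; no match is an implicit deny, the same
    default the thread describes for traffic not allowed by any policy."""
    for action, (sb, sw), (db, dw) in entries:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

FW_IN_LIST = """
remark firewall in anti-spoofing
deny ip 203.0.113.4 0.0.0.3 any
permit ip any 203.0.113.4 0.0.0.3
"""
FW_OUT_LIST = """
remark firewall out anti-spoofing
permit ip 203.0.113.4 0.0.0.3 any
"""

def check_inbound(src, dst):    # Public -> Firewall-WAN direction
    return evaluate(parse_acl(FW_IN_LIST), src, dst)

def check_outbound(src, dst):   # Firewall-WAN -> Public direction
    return evaluate(parse_acl(FW_OUT_LIST), src, dst)
```

Inbound traffic from the Internet to the customer firewall's address is permitted, while an inbound packet claiming a source inside the /30 (spoofed) and an outbound packet with a source outside the /30 both end in deny and would show up as the "blocked ... from policy class" log lines the original question asks about.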
Jim,
Thanks for posting! I just wanted to add a couple more details about the behavior of our unit when the firewall is turned on, but no access-policy is applied to a routed interface. When no access-policy is applied, traffic enters the "default policy-class", which just includes a "stateful" allow rule. Stateful vs. stateless processing is defined in the following document.
Configuring the Firewall (IPv4) AOS
Stateful processing is needed for any ALG or proxy type function in the unit, and also serves to prevent several types of "attacks" also defined in the document above. However, if you want stateless processing, you would need to specifically configure it on the unit. Below is a short example.
interface eth 0/2.20
vlan-id 20
ip address 216.x.x.x 255.255.255.252
access-policy PublicLAN
no shutdown
!
ip access-list extended MatchAll
permit ip any any
!
ip policy-class PublicLAN
allow list MatchAll stateless
Thanks!
David
David,
Thanks very much for the input and clarifying this for me. I'll place this piece of config in our lab and begin testing.
Thanks!
Jim Winkleblack
Sales Engineer IV
Consolidated Communications
217-258-2928 Ofc
217-254-5330 Cell
Jim.Winkleblack@consolidated.com
Jwink,
I went ahead and flagged this post as "Assumed Answered". If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.
Thanks!
David