jwink
New Contributor III

Firewall question

Hello, I am slowly learning the Adtran OS but have a question about the firewall. For the config below I get firewall statements such as "X.X.X.X blocked on port xxx from default policy class" or something to that effect on the 0/2.20 subinterface. I am trying to be completely non-blocking on that sub interface yet I see these statements. Can someone shed some light on this please? I was directed to leave the access-policy off to be non-blocking, have I been misinformed? E 0/1 has access-policy Public.

Thanks in advance, I always find the right answers here.

interface eth 0/2
  description Voice and LAN
  encapsulation 802.1q
  no shutdown
!
interface eth 0/2.1
  description Voice VLAN
  vlan-id 1 native
  ip address 192.168.0.1 255.255.255.0
  access-policy Private
  qos-policy in SET_DSCP
  no shutdown
!
interface eth 0/2.20
  description To Customer Firewall WAN Port
  vlan-id 20
  ip address 216.x.x.x 255.255.255.252
  no shutdown

jayh
Honored Contributor

Re: Firewall question

By default anything not allowed by a policy is denied.  Add a policy to the ethernet 0/2.20 interface and allow it to and from Public.  Best practice is to limit the ability to spoof addresses not part of the subnet.  This catches malware and some forms of attack traffic.

interface eth 0/2.20
  description To Customer Firewall WAN Port
  vlan-id 20
  ip address 216.x.x.x 255.255.255.252
  access-policy Firewall-WAN
  no shutdown
!
ip access-list extended fw-out-list
  remark firewall out anti-spoofing
  permit ip 216.x.x.x 0.0.0.3 any
!
ip access-list extended fw-in-list
  remark firewall in anti-spoofing
  deny ip 216.x.x.x 0.0.0.3 any
  permit ip any 216.x.x.x 0.0.0.3
!
ip policy-class Firewall-WAN
  allow list fw-out-list policy Public
!
ip policy-class Public
  allow list fw-in-list policy Firewall-WAN
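To make the anti-spoofing lists in the reply above concrete, here is an added example (not Adtran's code and not from the thread) that parses the two access-lists and evaluates sample packets against them with first-match-wins and the implicit deny that AOS applies when nothing matches. It assumes the constructed TEST-NET prefix 203.0.113.0/30 in place of 216.x.x.x and models only the source/destination address matching of the lists, not the stateful inspection the policy-class adds on top.

```python
import ipaddress
from typing import List, NamedTuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")

class Ace(NamedTuple):
    """One access-list entry: action plus source and destination networks."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def wildcard_to_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """'addr wildcard' (e.g. 203.0.113.0 0.0.0.3) -> 203.0.113.0/30 (contiguous wildcards only)."""
    ones = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.IPv4Network(f"{addr}/{32 - ones}", strict=False)

def _take_addr(tok: List[str], i: int):
    """Consume 'any' (one token) or 'addr wildcard' (two tokens) starting at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    return wildcard_to_net(tok[i], tok[i + 1]), i + 2

def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse 'permit|deny ip <src> <dst>' lines; remarks and other lines are skipped."""
    acl = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
            continue
        src, i = _take_addr(tok, 2)
        dst, _ = _take_addr(tok, i)
        acl.append(Ace(tok[0], src, dst))
    return acl

def permitted(acl: List[Ace], src: str, dst: str) -> bool:
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False

# Constructed stand-ins (TEST-NET-3) for the 216.x.x.x/30 firewall link in the thread.
FW_OUT_LIST = parse_acl(["remark firewall out anti-spoofing",
                         "permit ip 203.0.113.0 0.0.0.3 any"])
FW_IN_LIST = parse_acl(["remark firewall in anti-spoofing",
                        "deny ip 203.0.113.0 0.0.0.3 any",
                        "permit ip any 203.0.113.0 0.0.0.3"])
```

Traffic leaving the firewall link with a source outside the /30 is dropped by fw-out-list, and traffic arriving from Public that claims a source inside the /30 is dropped by the first entry of fw-in-list; anything not matched by either list falls to the implicit deny.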

Anonymous
Not applicable

Re: Firewall question

Jim,

Thanks for posting! I just wanted to add a couple more details about the behavior of our unit when the firewall is turned on, but no access-policy is applied to a routed interface. When no access-policy is applied, traffic enters the "default policy-class", which just includes a "stateful" allow rule. Stateful vs. stateless processing is defined in the following document.

Configuring the Firewall (IPv4) AOS

Stateful processing is needed for any ALG or proxy type function in the unit, and also serves to prevent several types of "attacks" also defined in the document above.  However, if you want stateless processing, you would need to specifically configure it on the unit.  Below is a short example.


interface eth 0/2.20
  vlan-id 20
  ip address 216.x.x.x 255.255.255.252
  ip access-policy PublicLAN
  no shutdown
!
ip access-list extended MatchAll
  permit ip any any
!
ip policy-class PublicLAN
  allow list MatchAll stateless


Thanks!

David

jwink
New Contributor III

Re: Firewall question

David,

Thanks very much for the input and clarifying this for me. I'll place this piece of config in our lab and begin testing.

Thanks!

Jim Winkleblack

Sales Engineer IV

Consolidated Communications

217-258-2928 Ofc

217-254-5330 Cell

Jim.Winkleblack@consolidated.com

Anonymous
Not applicable

Re: Firewall question

Jwink,

I went ahead and flagged this post as "Assumed Answered".  If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons.  This will make them visible and help other members of the community find solutions more easily.  If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.

Thanks!

David