
New Contributor
Posts: 2
Registered: 05-23-2017

vRouter 5600 5.2R5 firewall drop return packets

Hello

I am configuring vRouter 5600 (5.2R5), especially the interface-based firewall.

I have heard of a specification change regarding the stateful firewall from Release 5.1
(The vRouter with the stateful firewall feature enabled globally doesn't generate accept rules automatically for the return packets which arrive at outside interface)

I have a question about the firewall configuration to permit traffic initiated by vRouter itself.
(such as NTP, dns lookup, icmp, ssh login to other routers)

When the above types of communication are issued, they bypass the "local" firewall and the "in" firewall, and then the return packets are dropped by
the "local" firewall or the "in" firewall.

If I add accept rules for the return packets, this traffic is no longer dropped, but I want to avoid this configuration because it's complicated.


Is it possible to configure the firewall to accept return packets without adding accept rules?


Thank you


New Contributor
Posts: 4
Registered: 02-09-2016

Re: vRouter 5600 5.2R5 firewall drop return packets

Hello! This is what I am doing for stateful firewalling on 5600:


#1 - Global state parameters:

This will make Vyatta track AND allow returning traffic but ONLY for firewall and NAT rules that have protocol set either to icmp, udp or tcp. All other protocols are NOT tracked NOR will have the return traffic allowed.


set security firewall global-state-policy 'icmp'
set security firewall global-state-policy 'tcp'
set security firewall global-state-policy 'udp'


Rule that will turn into stateful if the above is applied:

set security firewall name internal-2-external rule 2 action 'accept'
set security firewall name internal-2-external rule 2 description 'Permit and log ICMP from internal networks (safe)'
set security firewall name internal-2-external rule 2 'log'
set security firewall name internal-2-external rule 2 protocol 'icmp'


#2 - Per rule state parameters:

This will automatically create an allowance for return traffic (for rules where you don't add the "protocol" configuration), per rule number:


set security firewall name internal-2-external rule 4 action 'accept'
set security firewall name internal-2-external rule 4 description 'Allow traffic - stateful'
set security firewall name internal-2-external rule 4 destination address 'DEST_GROUP'
set security firewall name internal-2-external rule 4 'log'
set security firewall name internal-2-external rule 4 source address 'SRC_GROUP'
set security firewall name internal-2-external rule 4 state 'enable'
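As an added illustration (not vRouter code, and not either poster's configuration), this small Python model mirrors the two mechanisms above: a session entry is created only when the accepting rule's protocol is listed in the global-state-policy or the rule itself has state enabled, and a return packet is admitted only if such a session exists. The rule numbers, addresses and the extra GRE rule are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Mirrors: set security firewall global-state-policy 'icmp' / 'tcp' / 'udp'
GLOBAL_STATE_POLICY = {"icmp", "tcp", "udp"}

@dataclass
class Rule:
    number: int
    action: str                       # 'accept' or 'drop'
    protocol: Optional[str] = None    # None when the rule has no protocol clause
    state: bool = False               # rule N state 'enable'

@dataclass
class Packet:
    proto: str
    src: str
    dst: str

@dataclass
class Firewall:
    rules: List[Rule]
    sessions: Set[Tuple[str, str, str]] = field(default_factory=set)

    def _tracked(self, rule: Rule) -> bool:
        # Global policy only tracks rules whose protocol is icmp/udp/tcp;
        # per-rule 'state enable' tracks whatever that rule accepts.
        return rule.protocol in GLOBAL_STATE_POLICY or rule.state

    def forward(self, pkt: Packet) -> str:
        """Initial direction: first matching rule decides; record a session if tracked."""
        for rule in self.rules:
            if rule.protocol is not None and rule.protocol != pkt.proto:
                continue
            if rule.action == "accept" and self._tracked(rule):
                self.sessions.add((pkt.proto, pkt.src, pkt.dst))
            return rule.action
        return "drop"  # implicit default deny

    def reply(self, pkt: Packet) -> str:
        """Return direction with no explicit accept rules (the original question):
        only a tracked session lets the reply through."""
        key = (pkt.proto, pkt.dst, pkt.src)  # reversed to match the outbound flow
        return "accept" if key in self.sessions else "drop"

def demo() -> dict:
    fw = Firewall([Rule(2, "accept", protocol="icmp"),   # tracked via global policy
                   Rule(3, "accept", protocol="gre"),    # gre: not in policy, no state
                   Rule(4, "accept", state=True)])       # no protocol, per-rule state
    flows = {"icmp": Packet("icmp", "10.0.0.5", "192.0.2.1"),
             "gre": Packet("gre", "10.0.0.5", "192.0.2.2"),
             "udp": Packet("udp", "10.0.0.5", "192.0.2.3")}
    results = {}
    for name, pkt in flows.items():
        fw.forward(pkt)
        results[name] = fw.reply(Packet(pkt.proto, pkt.dst, pkt.src))
    return results  # {'icmp': 'accept', 'gre': 'drop', 'udp': 'accept'}
```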
