3Com Router User Manual
39 CONFIGURING FIREWALL

This chapter covers the following topics:
■ Firewall Overview
■ Configure Firewall
■ Displaying and Debugging Firewall
■ Firewall Configuration Example

Firewall Overview

A firewall is used to control which network equipment may access the internal network resources. Setting a firewall at the access entry point of the intranet controls access to the internal network resources by external network devices. In the case of multiple entry points, every access entry point should be configured with a firewall to effectively control external access. To ensure that all data entering the intranet is inspected by the firewall, the firewall should be set at the intranet entry point.

A firewall is used not only at the Internet connection, but also to control access to special parts of the internal network, for example to protect mainframes and important resources such as data. Access to the protected data must be filtered through the firewall even if the access comes from inside. By inspecting, restricting and modifying the data flow that crosses it, the firewall screens the information, structure and operation of the intranet from the outside. At present many firewalls also have other features, for example identifying the user and applying security processing (encryption) to information.

Figure 170 A firewall isolates the internal network from the Internet
Classification of Firewalls

Usually firewalls are divided into two types: network layer firewalls and application layer firewalls. A network layer firewall mainly obtains the packet header information of data packets, such as protocol number, source address and source port, destination address and destination port, or directly obtains the data of the packet header. An application layer firewall, by contrast, analyzes the whole information stream.

Commonly used firewalls include the following:
■ Application Gateway: checks the application layer data of all data packets passing through this gateway. For example, an FTP application gateway acts as an FTP server to the connected client end, but as an FTP client to the server end. All FTP data packets transmitted on the connection must pass through this FTP application gateway.
■ Packet Filtering: filters each data packet using user-defined items, for example checking whether the source address and destination address of a data packet meet the rules. Packet filtering does not check call status, nor does it analyze the data. If data packets with port 21 or a port greater than or equal to 1024 are allowed to pass, then once a port meets this condition the data packet can pass this firewall. If the rules are configured properly, many data packets with hidden security problems can be filtered out at this layer.
■ Proxy: normally refers to address proxy on a proxy server or a router. It replaces the IP address and port of a host inside the network with the IP address and port of the server or router. For example, the intranet address of an enterprise is the 129.0.0.0 network segment, and its formal external IP addresses are 202.38.160.2-202.38.160.6. When the internal host 129.9.10.100 accesses an external server in WWW mode, the IP address and port might become 202.38.160.2:6080 after passing through the proxy server. An address mapping table is maintained in the proxy server. When the external WWW server returns the result, the proxy server converts this IP address and port back into the internal IP address and port 80 of the network. The proxy server is used so that all access between external network hosts and the internal network occurs through this proxy server. In this way, access to internal devices that contain important resources can be controlled.

Packet Filtering

Usually, packet filtering refers to the filtering of forwarded IP data packets. For the data packets that need to be forwarded by a router, first the packet header information is obtained, including the number of the upper layer protocol carried by the IP layer and the packet's source/destination address and source/destination port. Then this information is compared with the configured rules. Finally, it is decided whether to forward or discard the data packet according to the comparison result. Packet filtering (for IP data packets) uses the following elements for judgment (in the figure, the upper layer protocol carried by IP is TCP), as shown in the figure below.
Figure 171 Packet filtering schematic diagram

The following can be achieved by data packet filtering:
■ Prohibit logging in with telnet from outside.
■ Every E-mail is sent by SMTP (Simple Mail Transfer Protocol).
■ One PC, rather than all other PCs, can send news to us by NNTP (Network News Transfer Protocol).

Packet filtering in 3Com router security equipment has the following features:
■ Based on access-list (Access Control List, ACL): ACL is applied not only in packet filtering but also in other features where data streams need to be classified, such as address translation and IPSec.
■ Support for standard and extended ACL: set a simple address range with the standard ACL, or set the specific protocol, source address range, destination address range, source port range, destination port range, priority and service type with the extended ACL.
■ Support for time segments: set ACL functions for a specific period of time, such as 8:00-2:00 of every Monday, or as specific as from one year/month/day to another year/month/day.
■ Support for ACL automatic sorting: you can select sorting of ACLs of a specific category to simplify the configuration and facilitate maintenance.
■ Can be as specific as indicating the input/output direction: for example, one packet filtering rule can be applied in the output direction of the interface that is connected with the WAN and another packet filtering rule in the input direction.
■ Support for interface based filtering: forwarding of messages from a specific interface in a specific direction of an interface can be prohibited or permitted.
■ Support for logging messages that meet a condition: record the related information of the message, with a mechanism to guarantee that excessive resources are not consumed when a large number of logs are triggered in the same way.

Access Control List

To filter data packets, rules need to be configured. A rule identifies a packet to be considered by an Access Control List. The access control list is generally employed to configure the rules that filter data packets, and the types of access control list are as follows:
■ Standard access control list
acl acl-number [ match-order config | auto ]
rule { normal | special } { permit | deny } [ source source-addr source-wildcard | any ]
■ Extended access control list
acl acl-number [ match-order config | auto ]
rule { normal | special } { permit | deny } pro-number [ source source-addr source-wildcard | any ] [ source-port operator port1 [ port2 ] ] [ destination dest-addr dest-wildcard | any ] [ destination-port operator port1 [ port2 ] ] [ icmp-type icmp-type icmp-code ] [ logging ]

pro-number (the protocol number) is the type of the protocol carried by IP, given as a name or a number. The range of the number is from 0 to 255, and the names are icmp, igmp, ip, tcp, udp, gre and ospf. The above command can also be written in the following formats, depending on the protocol.

1 Command format when the protocol is ICMP:
rule { normal | special } { permit | deny } icmp [ source source-addr source-wildcard | any ] [ destination dest-addr dest-wildcard | any ] [ icmp-type icmp-type icmp-code ] [ logging ]
2 Command format when the protocol is IGMP, IP, GRE or OSPF:
rule { normal | special } { permit | deny } { ip | ospf | igmp | gre } [ source source-addr source-wildcard | any ] [ destination dest-addr dest-wildcard | any ] [ logging ]
3 Command format when the protocol is TCP or UDP:
rule { normal | special } { permit | deny } { tcp | udp } [ source source-addr source-wildcard | any ] [ source-port operator port1 [ port2 ] ] [ destination dest-addr dest-wildcard | any ] [ destination-port operator port1 [ port2 ] ] [ logging ]

Only the TCP and UDP protocols require specifying the port range. Listed below are the supported operators and their syntax.

Table 618 Operators of the Extended Access Control List
Operator and Syntax | Meaning
equal portnumber | Equal to portnumber
greater-than portnumber | Greater than portnumber
less-than portnumber | Less than portnumber
not-equal portnumber | Not equal to portnumber
range portnumber1 portnumber2 | Between portnumber1 and portnumber2

In specifying the port number, the following mnemonic symbols may be used to stand for the actual value.

Table 619 Mnemonic Symbol of the Port Number
Protocol | Mnemonic Symbol | Meaning and Actual Value
TCP | bgp | Border Gateway Protocol (179)
TCP | chargen | Character generator (19)
TCP | cmd | Remote commands (rcmd, 514)
TCP | daytime | Daytime (13)
TCP | discard | Discard (9)
TCP | domain | Domain Name Service (53)
TCP | echo | Echo (7)
TCP | exec | Exec (rsh, 512)
TCP | finger | Finger (79)
TCP | ftp | File Transfer Protocol (21)
TCP | ftp-data | FTP data connections (20)
TCP | gopher | Gopher (70)
TCP | hostname | NIC hostname server (101)
TCP | irc | Internet Relay Chat (194)
TCP | klogin | Kerberos login (543)
TCP | kshell | Kerberos shell (544)
TCP | login | Login (rlogin, 513)
TCP | lpd | Printer service (515)
TCP | nntp | Network News Transport Protocol (119)
TCP | pop2 | Post Office Protocol v2 (109)
TCP | pop3 | Post Office Protocol v3 (110)
TCP | smtp | Simple Mail Transport Protocol (25)
TCP | sunrpc | Sun Remote Procedure Call (111)
TCP | syslog | Syslog (514)
TCP | tacacs | TAC Access Control System (49)
TCP | talk | Talk (517)
TCP | telnet | Telnet (23)
TCP | time | Time (37)
TCP | uucp | Unix-to-Unix Copy Program (540)
TCP | whois | Nicname (43)
TCP | www | World Wide Web (HTTP, 80)
UDP | biff | Mail notify (512)
UDP | bootpc | Bootstrap Protocol Client (68)
UDP | bootps | Bootstrap Protocol Server (67)
UDP | discard | Discard (9)
UDP | dns | Domain Name Service (53)
UDP | dnsix | DNSIX Security Attribute Token Map (90)
UDP | echo | Echo (7)
UDP | mobilip-ag | MobileIP-Agent (434)
UDP | mobilip-mn | MobileIP-MN (435)
UDP | nameserver | Host Name Server (42)
UDP | netbios-dgm | NETBIOS Datagram Service (138)
UDP | netbios-ns | NETBIOS Name Service (137)
UDP | netbios-ssn | NETBIOS Session Service (139)
UDP | ntp | Network Time Protocol (123)
UDP | rip | Routing Information Protocol (520)
UDP | snmp | SNMP (161)
UDP | snmptrap | SNMPTRAP (162)
UDP | sunrpc | SUN Remote Procedure Call (111)
UDP | syslog | Syslog (514)
UDP | tacacs-ds | TACACS-Database Service (65)
UDP | talk | Talk (517)
UDP | tftp | Trivial File Transfer (69)
UDP | time | Time (37)
UDP | who | Who (513)
UDP | xdmcp | X Display Manager Control Protocol (177)

As for ICMP, you can specify the ICMP packet type. You can use a number (ranging from 0 to 255) or a mnemonic symbol to specify the packet type.
Table 620 Mnemonic Symbol of the ICMP Message Type
Mnemonic Symbol | Meaning
echo | Type=8, Code=0
echo-reply | Type=0, Code=0
fragmentneed-DFset | Type=3, Code=4
host-redirect | Type=5, Code=1
host-tos-redirect | Type=5, Code=3
host-unreachable | Type=3, Code=1
information-reply | Type=16, Code=0
information-request | Type=15, Code=0
net-redirect | Type=5, Code=0
net-tos-redirect | Type=5, Code=2
net-unreachable | Type=3, Code=0
parameter-problem | Type=12, Code=0
port-unreachable | Type=3, Code=3
protocol-unreachable | Type=3, Code=2
reassembly-timeout | Type=11, Code=1
source-quench | Type=4, Code=0
source-route-failed | Type=3, Code=5
timestamp-reply | Type=14, Code=0
timestamp-request | Type=13, Code=0
ttl-exceeded | Type=11, Code=0

By configuring the firewall and adding appropriate access rules, you can use packet filtering to check IP packets that pass through the router. The passing of unexpected packets can thus be prohibited. In this way packet filtering helps to protect network security.

Configure the match sequence of access control list

An access control rule can be composed of several "permit" and "deny" statements, and the range of data packets specified by each statement varies. The match sequence needs to be configured for matching a data packet against an access control rule. The maximum number of rules configured under an acl-number is 500 (that is, 500 rules can be configured in the normal time range, and 500 rules can also be configured in the special time range), and the total number of rules under all acl-numbers is not more than 500. When there is a conflict among several rules, the system determines the match order according to the following principles:
■ Rules with the same serial number can be defined. If two rules with the same serial number conflict, the "depth-first" principle is used to judge the source-addr, source-wildcard-mask, destination-addr, destination-wildcard-mask, protocol number and port number, and then determine the sequence of the rules.
■ If the ranges defined by the rules are the same, the sequence of the rules is determined by the time sequence of definition. The system will choose the rule defined earlier.
The "depth-first" principle means matching the access rules with the smallest definition range of data packets first. This is achieved by comparing the wildcards of the addresses: the smaller the wildcard, the smaller the range of hosts specified. For example, 129.102.1.1 0.0.0.0 specifies a single host (the address is 129.102.1.1), while 129.102.1.1 0.0.255.255 specifies a network segment (the range of the address is from 129.102.1.1 to 129.102.255.255), so the former is placed in front in the access control rule order. The specific standard is the following:
■ For the statements of standard access control rules, compare the wildcards of the source addresses directly, and arrange according to configuration sequence if the wildcards are the same.
■ For access control rules based on interface filtering, the rules configured with "any" are arranged last, and the rest are arranged according to the configuration sequence.
■ For extended access control rules, compare the wildcards of the source addresses. If they are the same, then compare the wildcards of the destination addresses. If they are still the same, compare the range of port numbers, and the rule with the smaller range is arranged first. If the port numbers are the same, the rules are matched according to the user's configuration sequence.

The display acl acl-number command can be used to view the execution sequence of the system access rules; the rules listed first are selected first.

Configure Firewall

Firewall configuration includes:
■ Enabling and Disabling a Firewall
■ Configuring Standard Access Control List
■ Configuring Extended Access Control List
■ Setting the Default Firewall Filtering Mode
■ Configuring Special Timerange
■ Configuring Rules for Applying Access Control List on Interface
■ Specifying Logging Host

Enabling and Disabling a Firewall

A firewall should be enabled for filtering messages so that the other configurations take effect. Perform the following configurations in system view.

Table 621 Enable/Disable Firewall
Operation | Command
Enable firewall | firewall enable
Disable firewall | firewall disable

Firewalls are disabled by default.
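As an added example (not code from the 3Com manual), the following Python models the "depth-first" ordering described above for extended rules together with the Table 618 port operators, then evaluates packets against the ordered rules and falls back to the firewall default filtering mode (firewall default permit / firewall default deny) when no rule matches. The Rule class, the constructed RULES list, filter_packet and the use of the product of source and destination port counts as the "port range" tie-breaker are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass

def port_matches(spec, port):
    """spec is (operator, port1, port2) using the manual's operator names; port2 is only used by range."""
    op, p1, p2 = spec
    return {"equal": port == p1, "greater-than": port > p1, "less-than": port < p1,
            "not-equal": port != p1, "range": p1 <= port <= p2}[op]

def port_count(spec):
    """How many ports the operator admits (the 'range of port numbers' being compared)."""
    op, p1, p2 = spec
    return {"equal": 1, "greater-than": 65535 - p1, "less-than": p1,
            "not-equal": 65535, "range": p2 - p1 + 1}[op]

def wildcard_size(wildcard):
    """Addresses a wildcard covers: 0.0.0.0 is one host, 0.0.255.255 is 65536 hosts."""
    return 1 << bin(int(ipaddress.IPv4Address(wildcard))).count("1")

def addr_matches(rule_addr, wildcard, addr):
    """Wildcard bits set to 1 are 'don't care'; the remaining bits must equal the rule address."""
    r, w, a = (int(ipaddress.IPv4Address(x)) for x in (rule_addr, wildcard, addr))
    return (r & ~w) == (a & ~w)

@dataclass
class Rule:                        # hypothetical model of one extended ACL rule
    seq: int                       # configuration order; lower = configured earlier
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp", "icmp", or "ip" (matches every protocol)
    src: str = "0.0.0.0"           # "any" = address 0.0.0.0, wildcard 255.255.255.255
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    sport: tuple = ("range", 0, 65535)   # no source-port given = any port
    dport: tuple = ("range", 0, 65535)   # no destination-port given = any port

def depth_first_order(rules):
    """Manual's depth-first order for extended rules: smaller source wildcard, then smaller
    destination wildcard, then narrower port range (assumed: product of port counts), then seq."""
    return sorted(rules, key=lambda r: (wildcard_size(r.src_wc), wildcard_size(r.dst_wc),
                                        port_count(r.sport) * port_count(r.dport), r.seq))

def filter_packet(rules, default, proto, src, dst, sport=0, dport=0):
    """First matching rule in depth-first order decides; else default ('permit'/'deny') applies."""
    for r in depth_first_order(rules):
        if (r.proto in (proto, "ip") and addr_matches(r.src, r.src_wc, src)
                and addr_matches(r.dst, r.dst_wc, dst)
                and port_matches(r.sport, sport) and port_matches(r.dport, dport)):
            return r.action
    return default

# Constructed sample ACL in configuration order: telnet (23) denied from anywhere except the
# single host 129.102.1.1, and TCP ports above 1023 permitted. Depth-first evaluates rule 2 first.
RULES = [
    Rule(1, "deny", "tcp", dport=("equal", 23, 0)),
    Rule(2, "permit", "tcp", src="129.102.1.1", src_wc="0.0.0.0", dport=("equal", 23, 0)),
    Rule(3, "permit", "tcp", dport=("greater-than", 1023, 0)),
]
```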
Configuring Standard Access Control List

The value of the standard access control list is an integer from 1 to 99. First enter the ACL view through the acl command and configure the match sequence of the access control list, then configure specific access rules through the rule command. If the match sequence is not configured, auto mode is used. Perform the following configurations in system view and ACL view.

Table 622 Configure Standard Access Control List
Operation | Command
Enter the ACL view and configure the match sequence of access control list | acl acl-number [ match-order config | auto ]
Configure standard access list rule | rule { normal | special } { permit | deny } [ source source-addr source-wildcard | any ]
Delete specific access list rule | undo rule { rule-id | normal | special }
Delete access list | undo acl { acl-number | all }

normal means that this rule functions during the normal time range, while special means that this rule functions during the special time range. Users shall set the special time segment when using special. Multiple rules with the same serial number are matched according to the "depth-first" principle. By default, normal is adopted.

Configuring Extended Access Control List

The value of the extended access control list is an integer from 100 to 199. First enter the ACL view through the acl command and configure the match sequence of the access control list, then configure specific access rules through the rule command. If the match sequence is not configured, auto mode is used. Perform the following configurations in system view and ACL view.

Table 623 Configure Extended Access Control List
Operation | Command
Enter the ACL view and configure the match sequence of access control list | acl acl-number [ match-order config | auto ]
Configure extended access control list rule of TCP/UDP protocol | rule { normal | special } { permit | deny } { tcp | udp } [ source source-addr source-wildcard | any ] [ source-port operator port1 [ port2 ] ] [ destination dest-addr dest-wildcard | any ] [ destination-port operator port1 [ port2 ] ] [ logging ]
Configure extended access control list rule of ICMP protocol | rule { normal | special } { permit | deny } icmp [ source source-addr source-wildcard | any ] [ destination dest-addr dest-wildcard | any ] [ icmp-type icmp-type icmp-code ] [ logging ]
Configure extended access control list rule of other protocols | rule { normal | special } { permit | deny } pro-number [ source source-addr source-wildcard | any ] [ destination dest-addr dest-wildcard | any ] [ logging ]
Delete specific access list rule | undo rule { rule-id | normal | special }
Delete access list | undo acl { acl-number | all }

normal means that this rule functions during the normal time range, while special means that this rule functions during the special time range. Users shall set the special time range when using special. Multiple rules with the same serial number are matched according to the "depth-first" principle. By default, normal is adopted.

Setting the Default Firewall Filtering Mode

The default firewall filtering mode means that when there is no suitable access rule to determine whether a user data packet can pass through, the default firewall filtering mode set by the user determines whether to permit or inhibit this data packet. Perform the following configurations in system view.

Table 624 Set Default Firewall Filtering Mode
Operation | Command
Set the default firewall filtering mode as message pass permitted | firewall default permit
Set the default firewall filtering mode as message pass inhibited | firewall default deny

The default firewall filtering mode is message pass permitted by default.

Configuring Special Timerange

Enabling and disabling filtering according to timerange

Filtering according to time range means that in different time ranges the IP data packets are filtered with different access rules. It is also called the special rules for special time. The time ranges are classified into two types according to actual applications:
■ Special time range: time within the set time range (specified by the keyword special)
■ Normal time range: time beyond the specified time range (specified by the keyword normal)

Similarly, the access control rules are also classified into two types:
■ Normal packet-filtering access rules
■ Special time range packet-filtering access rules

These two types of time ranges define different access control lists and access rules, which are not affected by each other. In actual applications, they can be considered as two independent sets of rules, and the system will determine which