Tavve zoneranger User Manual page 43


The intent of the two-stage approach is to allow a small number of port configurations to be defined, and re-used across multiple devices. As an example, it may be useful to define custom port configurations for specific device types (e.g. Windows server, Cisco router), and configure the portMap table so that the appropriate port configuration is used in each case. When this approach is used, the port configuration details only need to be specified once per device type.

The portMap table also supports the use of address patterns (see Chapter 2) and device groups (see Chapter 7) in the src-address and dest-address fields, in order to allow a single rule to be applied to multiple devices.
The default portMap configuration, for a new ZoneRanger, is as follows:
*.*.*.* @ZoneRanger ZoneRangerDefault
*.*.*.* *.*.*.* Default
This configuration indicates that requests from any source directed towards a joined ZoneRanger will be governed by the ZoneRangerDefault configuration, and that all other requests will be governed by the Default configuration. The ZoneRangerDefault rule is configured first, so that requests directed towards ZoneRangers will match that rule, as opposed to the Default rule. In order to restrict the Ranger Gateway so that only traffic originated by applications on the Ranger Gateway server itself will be processed, the portMap table would need to be configured as follows:
@Local @ZoneRanger ZoneRangerDefault
@Local *.*.*.* Default
Note: When restricting the Ranger Gateway to only accept local traffic it is highly recommended that the @Local device group be specified, as opposed to specifying individual local IP addresses. The source address for traffic received via GVI or RGVI will typically be a special address associated with the underlying virtual point-to-point interface, so configuring rules based on specific IP addresses may not produce the expected results.
The Default port configuration for a new ZoneRanger contains the following rules:
Default TCP 22 SSH
Default TCP 443 HTTPS
Default UDP 161 SNMP
Default ICMP
This configuration allows the use of SSH on TCP port 22, HTTPS on TCP port 443, SNMP on UDP port 161, and ICMP. The ZoneRangerDefault port configuration contains the following rules:
ZoneRangerDefault TCP 22 SSH
ZoneRangerDefault TCP 23 TELNET
ZoneRangerDefault TCP 80 HTTP
ZoneRangerDefault TCP 443 HTTPS
ZoneRangerDefault TCP 5432 SQL
ZoneRangerDefault UDP 161 SNMP
ZoneRangerDefault ICMP
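The following is an added example, not Tavve code, that models the two-stage lookup described on this page: the ordered portMap table selects a port configuration (first match wins, which is why the ZoneRangerDefault rule must precede the Default rule), and the request's protocol and port must then appear in that configuration. Per-octet wildcard matching for address patterns, the device-group membership and the sample addresses are assumptions constructed for the example.

```python
# Added example (not Tavve code): two-stage portMap evaluation as described
# on this page. Stage 1: ordered (src, dest, port-configuration) rules, first
# match wins. Stage 2: (protocol, port) must appear in the selected config.
# '*' matches any octet (assumed semantics); '@Name' is a device group whose
# membership below is constructed for the example, not taken from the manual.

DEVICE_GROUPS = {                       # constructed membership
    "@Local": {"127.0.0.1", "10.0.0.5"},
    "@ZoneRanger": {"10.0.1.10", "10.0.1.11"},
}

def address_matches(pattern, addr):
    """Match addr against a device group or a per-octet wildcard pattern."""
    if pattern.startswith("@"):
        return addr in DEVICE_GROUPS.get(pattern, set())
    p, a = pattern.split("."), addr.split(".")
    return len(p) == len(a) == 4 and all(x == "*" or x == y for x, y in zip(p, a))

def select_port_config(port_map, src, dest):
    """Stage 1: return the port configuration named by the first matching rule."""
    for rule_src, rule_dest, config in port_map:
        if address_matches(rule_src, src) and address_matches(rule_dest, dest):
            return config
    return None                         # no rule matched: request not processed

def request_allowed(port_map, port_configs, src, dest, proto, port=None):
    """Stage 2: the request must also match an entry in the selected config."""
    config = select_port_config(port_map, src, dest)
    return config is not None and (proto, port) in port_configs.get(config, set())

# The portMap tables and port configurations shown on this page.
OPEN_PORT_MAP = [("*.*.*.*", "@ZoneRanger", "ZoneRangerDefault"),
                 ("*.*.*.*", "*.*.*.*", "Default")]
LOCAL_ONLY_PORT_MAP = [("@Local", "@ZoneRanger", "ZoneRangerDefault"),
                       ("@Local", "*.*.*.*", "Default")]
PORT_CONFIGS = {
    "Default": {("TCP", 22), ("TCP", 443), ("UDP", 161), ("ICMP", None)},
    "ZoneRangerDefault": {("TCP", 22), ("TCP", 23), ("TCP", 80), ("TCP", 443),
                          ("TCP", 5432), ("UDP", 161), ("ICMP", None)},
}

if __name__ == "__main__":
    # Telnet to a ZoneRanger is allowed by ZoneRangerDefault but not by Default,
    # and the @Local-only table does not process the remote request at all.
    remote, zr = "192.0.2.7", "10.0.1.10"               # constructed addresses
    print(request_allowed(OPEN_PORT_MAP, PORT_CONFIGS, remote, zr, "TCP", 23))
    print(request_allowed(LOCAL_ONLY_PORT_MAP, PORT_CONFIGS, remote, zr, "TCP", 23))
```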
ZoneRanger 5.5 User's Guide