Ericsson HL950 Administrator's Manual page 74

Multi Service Edge Device HL950
Administrator's Guide
By using the MOVE parameter you can change the priority of a policy, moving it UP or DOWN in the table.
If the HL950 receives network traffic on any of its network interfaces for which no access policy is
available, it blocks that traffic. A log event indicating "No policy matched" is generated in this case.
For detailed information about prefixes and parameters for the SECURITY FIREWALL command,
see section 6.6.5.
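The table semantics just described (an ordered policy list, insertion with ppos=begin, MOVE up or down, and blocking with a "No policy matched" event when nothing matches) modelled in Python as an added example; it is not code from the manual or from the HL950 itself. It reuses the address ranges from the examples in 4.6.1.4; the PolicyTable class, the ip_range helper and the assumption that the pre-configured any-to-any policy is a lanout policy are mine.

```python
import ipaddress

ANY = None  # the "any" value of the HL950 syntax: matches every address


def ip_range(start, end=None, mask=None):
    """Inclusive (lo, hi) integer range from either the ipss/ipse or the ipss/smask form."""
    if mask is not None:
        net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
        return int(net[0]), int(net[-1])
    lo = int(ipaddress.ip_address(start))
    hi = int(ipaddress.ip_address(end)) if end else lo
    return lo, hi


class PolicyTable:
    """Ordered table: the first matching policy decides; no match means the traffic is blocked."""

    def __init__(self):
        self.policies = []  # dicts with keys type, src, dst, allow, log
        self.log = []

    def add(self, ptype, src=ANY, dst=ANY, allow=True, log=True, ppos="end"):
        p = {"type": ptype, "src": src, "dst": dst, "allow": allow, "log": log}
        if ppos == "begin":
            self.policies.insert(0, p)
        else:
            self.policies.append(p)

    def move(self, index, direction):
        """MOVE a policy one position UP or DOWN (higher in the table = higher priority)."""
        j = index - 1 if direction == "up" else index + 1
        if 0 <= j < len(self.policies):
            self.policies[index], self.policies[j] = self.policies[j], self.policies[index]

    def evaluate(self, ptype, src_ip, dst_ip):
        s, d = int(ipaddress.ip_address(src_ip)), int(ipaddress.ip_address(dst_ip))
        for p in self.policies:
            if p["type"] != ptype:
                continue
            if p["src"] is not ANY and not p["src"][0] <= s <= p["src"][1]:
                continue
            if p["dst"] is not ANY and not p["dst"][0] <= d <= p["dst"][1]:
                continue
            if p["log"]:
                self.log.append(f"{ptype} {src_ip}->{dst_ip}: {'allow' if p['allow'] else 'deny'}")
            return p["allow"]
        self.log.append(f"{ptype} {src_ip}->{dst_ip}: No policy matched")
        return False


def demo():
    t = PolicyTable()
    t.add("lanout")  # assumed pre-configured any-to-any allow policy (the manual says to remove it later)
    t.add("lanin", dst=ip_range("192.168.10.0", mask=24), ppos="begin")   # Policy 1
    t.add("lanout", src=ip_range("192.168.10.0", mask=24), ppos="begin")  # Policy 2
    # Policy 3 (10/8 deny) wrongly appended at the END: the any-to-any policy above it matches first
    t.add("lanout", src=ip_range("10.0.0.0", "10.255.255.255"), allow=False, ppos="end")
    leaked = t.evaluate("lanout", "10.1.2.3", "203.0.113.9")  # True: deny is shadowed
    t.move(len(t.policies) - 1, "up")  # MOVE the deny above the any-to-any policy
    fixed = t.evaluate("lanout", "10.1.2.3", "203.0.113.9")  # False: deny now takes effect
    transit = t.evaluate("lanin", "203.0.113.9", "198.51.100.1")  # False: "No policy matched"
    return leaked, fixed, transit, t.log
```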
4.6.1.4 Typical Firewall Examples
The policies added in the following example are a subset of the typical policies a system administrator
would add to prevent Denial of Service attacks:
Policy 1:
Allow incoming traffic that is destined to IP addresses that belong to the corporate LAN.
This prevents the LAN being used as a transit for public data.
HL950> add security firewall:type=lanin, ipsn=any, psn=any, ipds=192.168.10.0, dmask=24, pdn=any, prot=all, allow=true, log=true, ppos=begin;
Policy 2:
Allow outgoing traffic that is initiated from IP addresses that belong inside the corporate
LAN. This prevents address spoofing by internal users.
HL950> add security firewall:type=lanout, ipss=192.168.10.0, smask=24, ipdn=any, psn=any, pdn=any, prot=all, log=true, ppos=begin, allow=true;
At this time you may remove the pre-configured policy allowing traffic from any IP address to
any IP address, as it is redundant.
Policy 3:
Disallow traffic to or from special reserved IP address ranges. These ranges should never be
allowed across organizational domains as they are reserved by IETF. Please refer to RFC 1918.
1. 10.0.0.0 to 10.255.255.255
2. 127.0.0.0 to 127.255.255.255
3. 172.16.0.0 to 172.31.255.255
4. 192.168.0.0 to 192.168.255.255 (we are using these for demo purposes. The actual
IP address would never be in this range).
Add policies to deny all packets from or to these IP address ranges (except 4).
Add to LANtoWAN policies:
HL950> add security firewall:type=lanout, ipss=10.0.0.0, ipse=10.255.255.255, ipdn=any, psn=any, pdn=any, prot=all, allow=false, log=true, ppos=begin;
HL950> add security firewall:type=lanout, ipss=127.0.0.0, ipse=127.255.255.255, ipdn=any, psn=any, pdn=any, prot=all,
EN/LZT 108 5995 R3
June 2003
Page 74 (159)