Multi Service Edge Device HL950
Administrator’s Guide
Page 73 (159)
EN/LZT 108 5995 R3
June 2003
the way certain TCP/IP stacks handle ICMP Echo Requests. Disallowing ICMP Echo Request/Response also disables other diagnostic tools that rely on ICMP Echo, such as ping and the ICMP-based forms of traceroute (Windows tracert, for example).
• FTP (from LAN) – lets you enable FTP access to the HL950. This option is available only for the internal network interface. Enabling it allows direct access to the HL950 file system and should be used with great caution; FTP also carries the login credentials and file contents in cleartext, so anyone able to sniff LAN traffic can read them.
• Telnet (from LAN, WAN and DMZ) – lets you enable Telnet access to the HL950 from the respective network interface. Telnet is likewise a cleartext protocol, and enabling it on the WAN interface exposes the HL950 login to the Internet.
For detailed information about prefixes and parameters for the SECURITY ACCESS command, see
section 6.6.1.
4.6.1.3 FIREWALL
The SECURITY FIREWALL command is used to manage the firewall daemon and Access Policies.
Four types of Access Policies can be configured:
• LANIN – Corporate inbound policies
• LANOUT – Corporate outbound policies
• DMZIN – DMZ inbound policies
• DMZOUT – DMZ outbound policies
Corporate inbound policies govern access requests originating from the Internet or the DMZ to services on the corporate network, and corporate outbound policies govern access requests originating from the corporate network to services on the Internet or the DMZ.
Each access policy is made up of two components: a traffic selector and a traffic controller. The traffic selector defines the set of network traffic to which the policy applies, and the traffic controller defines the rules for treating the selected traffic. Most network traffic is based on logical connections, and each logical connection can be identified by a combination of five parameters:
• Source IP address (ANY or OTHER)
• Destination IP address (ANY or OTHER)
• Source port name (ANY, SAFE or OTHER)
• Destination port name (ANY, SAFE, OTHER or ‘service name’)
• Protocol (TCP, UDP, ICMP, AH, ESP, ALL or OTHER)
In most cases the source port of a connection-originating request is ephemeral, so for simplicity the policy selector ignores the source port and selects traffic using the other four parameters.
Because a policy selector can be defined with flexible ranges for these four parameters, it is quite possible for the same network traffic to be selected by the selectors of several access policies. To resolve this contention, you assign priorities to the access policies.
For a new access policy you decide its priority by choosing its position in the table. You may add a new policy at the beginning of the table, at the end of the table, or before or after an existing policy. By default a new policy is added at the end of the table. Since position determines priority, check that a new policy does not sit at a lower priority than a broader policy that already selects all of its traffic, in which case it will never take effect.