Mon, May 03, 2010 5:01 pm

Creating a Firewall Rule in a NetScreen Firewall from the Command Line

To create a firewall rule that allows traffic for a custom service, e.g., SSH on a nonstandard port, through the firewall, you first create the custom service and then create a policy, aka firewall rule, that references that service.

You can use the get policy command to obtain a list of existing policies, aka firewall rules.

ns5xp-> get policy
Total regular policies 1, Default deny.
    ID From     To       Src-address  Dst-address  Service  Action State   ASTLCB
     1 Trust    Untrust  Any          Any          ANY      Permit enabled -----X

You can use the get service command to obtain a list of existing services. You will see the standard services, e.g., SSH, TELNET, TFTP, etc., as well as any custom services you've created.

Let's assume I want to use port 1222 for SSH connections to a system named Server1, which is on the trusted side of the firewall with IP address 192.168.0.4. In this case the firewall is not using Network Address Translation (NAT). I could use the following commands:

set address trust "Server1" 192.168.0.4 255.255.255.255 "Web server #1"
set service "Server1 SSH" protocol tcp src-port 0-65535 dst-port 1222-1222
set policy id 2 name "Server1 SSH" from "Untrust" to "Trust" "Any" "Server1" "Server1 SSH" permit log count

With the set address command, I indicate that the system is on the trusted side of the firewall and that I want to associate the name Server1 with the IP address for the system, which is 192.168.0.4. Since the name is associated with one specific IP address, I use a subnet mask of 255.255.255.255. I then add a comment about the system, i.e., "Web server #1" in this case.

I then create a custom service, which I name "Server1 SSH". It uses the TCP protocol. I don't care about the source port, but the nonstandard destination port I am using for SSH is 1222. I put in 1222-1222 for the port range, since I'm just using one port.

For the above policy, I'm assuming that there is no existing policy id 2, so I'm using that for the policy number. After the policy id number is specified, in this case 2, I specify a name for the policy to make its purpose clear, Server1 SSH in this case. I then specify the direction of the data flow, which is from "Untrust" to "Trust". I want to allow any source IP address to connect, so I use "Any" for the source and then use "Server1", which is the named address I created with a prior command, for the destination. I then specify the service. If it was for SMTP email, I could have used SMTP, but, in this case, I'm using the custom "Server1 SSH" service I set up with a prior command. I then specify permit, since I want to permit the traffic, not block it. I've also chosen to log the traffic and count the packets.

If I don't want to make any further changes, I can use the exit command. I'll then be prompted as to whether I want to save the changes I've made.

ns5xp-> exit
Configuration modified, save? [y]/n y
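The three commands above follow a fixed pattern, and the one thing the post has to assume by hand is that policy id 2 is not already taken. The Python script below is an added example, not code from the post or from Juniper; it parses a `get policy` listing in the column layout shown above to find the ids already in use, validates the inputs (a single IPv4 host for the /32 address entry, a port in range, no stray double quotes in the quoted CLI arguments), and emits the same set address / set service / set policy commands. The sample listing is constructed from the post's output; the lowercase `trust` zone in the set address line mirrors the post's own command. It goes a little beyond the post in that the source address can be a named address instead of "Any" and the protocol can be udp as well as tcp.

```python
import ipaddress
import re

# Constructed sample, modelled on the `get policy` listing shown in the post.
SAMPLE_GET_POLICY = """\
Total regular policies 1, Default deny.
    ID From     To       Src-address  Dst-address  Service  Action State   ASTLCB
     1 Trust    Untrust  Any          Any          ANY      Permit enabled -----X
"""

# A policy row begins with its numeric id, while the header row begins with
# "ID", so a leading integer followed by two zone columns identifies a policy.
POLICY_ROW = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s")


def used_policy_ids(get_policy_output):
    """Return the set of policy ids listed by `get policy`."""
    return {int(m.group(1))
            for m in map(POLICY_ROW.match, get_policy_output.splitlines()) if m}


def next_free_policy_id(get_policy_output, start=1):
    """Lowest policy id >= start that does not appear in the listing."""
    used = used_policy_ids(get_policy_output)
    pid = start
    while pid in used:
        pid += 1
    return pid


def build_rule(host_name, host_ip, comment, service_name, dst_port, policy_id,
               get_policy_output=None, from_zone="Untrust", to_zone="Trust",
               src_address="Any", proto="tcp", log=True, count=True):
    """Return the ScreenOS commands (set address, set service, set policy) for a
    single-host custom-service permit rule, after validating the inputs.
    Hypothetical helper written for this example."""
    # The address entry uses a 255.255.255.255 mask, so it must be one IPv4 host.
    ip = ipaddress.IPv4Address(host_ip)  # raises ValueError on anything else
    if not 1 <= dst_port <= 65535:
        raise ValueError(f"destination port out of range: {dst_port}")
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {proto}")
    # Names and comments are passed as double-quoted CLI arguments, so an
    # embedded double quote would change how the command is parsed.
    for text in (host_name, service_name, comment, src_address):
        if '"' in text:
            raise ValueError(f"double quote not allowed in CLI argument: {text!r}")
    # Refuse to reuse an id that `get policy` already lists.
    if get_policy_output is not None and policy_id in used_policy_ids(get_policy_output):
        raise ValueError(f"policy id {policy_id} is already in use")
    options = " permit" + (" log" if log else "") + (" count" if count else "")
    return [
        f'set address {to_zone.lower()} "{host_name}" {ip} 255.255.255.255 "{comment}"',
        f'set service "{service_name}" protocol {proto} src-port 0-65535 '
        f'dst-port {dst_port}-{dst_port}',
        f'set policy id {policy_id} name "{service_name}" from "{from_zone}" to "{to_zone}" '
        f'"{src_address}" "{host_name}" "{service_name}"{options}',
    ]


if __name__ == "__main__":
    pid = next_free_policy_id(SAMPLE_GET_POLICY)
    for cmd in build_rule("Server1", "192.168.0.4", "Web server #1",
                          "Server1 SSH", 1222, pid, SAMPLE_GET_POLICY):
        print(cmd)
```

Run against the sample listing it reproduces the post's three commands with policy id 2. Passing a named address for src_address instead of "Any" is the natural way to limit who can reach the SSH port when the connecting hosts are known, and keeping log and count on, as the post does, is what makes the policy's hits visible later.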

If I want to view the service and policy I created, I can use the get service and get policy id commands.

ns5xp-> get service "Server1 SSH"
Name:       Server1 SSH
Category:   other          ID:  0   Flag:  User-defined


Transport    Src port     Dst port   ICMPtype,code  Timeout(min) Application
tcp           0/65535  47050/47050                        30        

ns5xp-> get policy id 2
name:"Server1 SSH" (id 2), zone Untrust -> Trust,action Permit, status "enabled"
src "Any", dst "Server1", serv "Server1 SSH"
Policies on this vpn tunnel: 0
nat off, url filtering OFF
vpn unknown vpn, policy flag 0000, session backup: on
traffic shapping off, scheduler n/a, serv flag 00
log yes, log count 1, alert no, counter yes(1) byte rate(sec/min) 0/0
total octets 0, counter(session/packet/octet) 0/0/1
priority 7, diffserv marking Off
tadapter: state off, gbw/mbw 0/-1
No Authentication
No User, User Group or Group expression set

Additional information on creating firewall rules can be found in Juniper Networks' Concepts & Examples ScreenOS Reference Guide Volume 2: Fundamentals.

References:

  1. Concepts & Examples ScreenOS Reference Guide Volume 2: Fundamentals, Juniper Networks
