MoonPoint Support Logo

 


Shop Amazon Warehouse Deals - Deep Discounts on Open-box and Used ProductsAmazon Warehouse Deals



Advanced Search
May
Sun Mon Tue Wed Thu Fri Sat
           
3
         
2010
Months
May


Mon, May 03, 2010 5:01 pm

Creating a Firewall Rule in a NetScreen Firewall from the Command Line

To create a firewall rule to allow traffic for a custom service, e.g., SSH on a nonstandard port, through the firewall, you can create the custom service and a policy, aka firewall rule, associated with the policy.

You can use the get policy command to obtain a list of existing policies, aka firewall rules.

ns5xp-> get policy
Total regular policies 1, Default deny.
    ID From     To       Src-address  Dst-address  Service  Action State   ASTLCB
     1 Trust    Untrust  Any          Any          ANY      Permit enabled -----X

You can use the get service command to obtain a list of existing services. You will see the standard services, e.g., SSH, TELNET, TFTP, etc., as well as any custom services you've created.

Let's asume I want to use port 1222 for SSH connections to a system named Server1, which is on the trusted side of the firewall with IP address 192.168.0.4. In this case the firewall is not using Network Address Translation (NAT). I could use the following commands:

set address trust "Server1" 192.168.0.4 255.255.255.255 "Web server #1"
set service "Server1 SSH" protocol tcp src-port 0-65535 dst-port 1222-1222
set policy id 2 name "Server1 SSH" from "Untrust" to "Trust" "Any" "Server1" "Server1 SSH" permit log count

With the set address command, I indicate that the system is on the trusted side of the firewall and that I want to associate the name Server1 with the IP address for the system, which is 192.168.0.4. Since the name is associated with one specific IP address, I use a subnet mask of 255.255.255.255. I then add a comment about the system, i.e., "Web server #1" in this case.

I then create a custom service, which I name "Server1 SSH". It uses the TCP protocol. I don't care about the source port, but the nonstandard destination port I am using for SSH is 1222. I put in 1222-1222 for the port range, since I'm just using one port.

For the above policy, I'm assuming that there is no existing policy id 2, so I'm using that for the policy number. After the policy id number is specified, in this case 2, I specify a name for the policy to make its purpose clear, Server1 SSH in this case. I then specify the direction of the data flow, which is from "Untrust" to "Trust". I want to allow any source IP address to connect, so I use "Any" for the source and then use "Server1", which is the named address I created with a prior command, for the destination. I then specify the service. If it was for SMTP email, I could have used SMTP, but, in this case, I'm using the custom "Server1 SSH" service I set up with a prior command. I then specify permit, since I want to permit the traffic, not block it. I've also chosen to log the traffic and count the packets.

If I don't want to make any further changes, I can use the exit command. I'll then be prompted as to whether I want to save the changes I've made.

ns5xp-> exit
Configuration modified, save? [y]/n y

If I want to view the service and policy I created, I can use the get service and get policy id commands.

ns5xp-> get service "Server1 SSH"
Name:       Server1 SSH
Category:   other          ID:  0   Flag:  User-defined


Transport    Src port     Dst port   ICMPtype,code  Timeout(min) Application
tcp           0/65535  47050/47050                        30        

ns5xp-> get policy id 2
name:"Server1 SSH" (id 2), zone Untrust -> Trust,action Permit, status "enabled"
src "Any", dst "Server1", serv "Server1 SSH"
Policies on this vpn tunnel: 0
nat off, url filtering OFF
vpn unknown vpn, policy flag 0000, session backup: on
traffic shapping off, scheduler n/a, serv flag 00
log yes, log count 1, alert no, counter yes(1) byte rate(sec/min) 0/0
total octets 0, counter(session/packet/octet) 0/0/1
priority 7, diffserv marking Off
tadapter: state off, gbw/mbw 0/-1
No Authentication
No User, User Group or Group expression set

Additional information on creating firewall rules can be found in Juniper Network's Concepts & Examples ScreenOS Reference Guide Volume 2: Fundamentals.

References:

  1. Concepts & Examples ScreenOS Reference Guide Volume 2: Fundamentals
    Juniper Networks

[/security/firewalls/netscreen] permanent link

Once You Know, You Newegg AliExpress by Alibaba.com

Shop Amazon Local - Subscribe to Deals in Your Neighborhood

Valid HTML 4.01 Transitional

Privacy Policy   Contact

Blosxom logo