You can use the get policy command to obtain a list of existing
policies, aka firewall rules.
ns5xp-> get policy
Total regular policies 1, Default deny.
ID From To Src-address Dst-address Service Action State ASTLCB
1 Trust Untrust Any Any ANY Permit enabled -----X
You can use the get service command to obtain a list of existing
services. You will see the standard services, e.g., SSH, TELNET, TFTP, etc.,
as well as any custom services you've created.
Let's assume I want to use port 1222 for SSH connections to a system named Server1, which is on the trusted side of the firewall with IP address 192.168.0.4. In this case the firewall is not using Network Address Translation (NAT). I could use the following commands:
set address trust "Server1" 192.168.0.4 255.255.255.255 "Web server #1"
set service "Server1 SSH" protocol tcp src-port 0-65535 dst-port 1222-1222
set policy id 2 name "Server1 SSH" from "Untrust" to "Trust" "Any" "Server1" "Server1 SSH" permit log count
With the set address command, I indicate that the system is on
the trusted side of the firewall and that I want to associate the name
Server1 with the IP address for the system, which is 192.168.0.4.
Since the name is associated with one specific IP address, I use a subnet mask
of 255.255.255.255. I then add a comment about the system, i.e.,
"Web server #1" in this case.
I then create a custom service, which I name "Server1 SSH". It
uses the TCP protocol. I don't care about the source port, but the nonstandard
destination port I am using for SSH is 1222. I put in
1222-1222 for the port range, since I'm just using one port.
For the above policy, I'm assuming that there is no existing policy id
2, so I'm using that for the policy number. After
the policy id number is specified, in this case 2, I specify a name
for the policy to make its purpose clear, Server1 SSH
in this case. I then specify the direction of the data flow, which is
from "Untrust" to "Trust". I want to allow any source IP
address to connect, so I use "Any" for the source and then
use "Server1", which is the named address I created with a
prior command, for the destination. I then specify the service. If it
was for SMTP email, I could have used SMTP, but, in this
case, I'm using the custom "Server1 SSH" service I set up
with a prior command. I then specify permit, since I want
to permit the traffic, not block it. I've also chosen to log the traffic
and count the packets.
If I don't want to make any further changes, I can use the
exit command. I'll then be prompted as to whether I want
to save the changes I've made.
ns5xp-> exit
Configuration modified, save? [y]/n y
If I want to view the service and policy I created, I can use the
get service and get policy id commands.
ns5xp-> get service "Server1 SSH"
Name: Server1 SSH
Category: other ID: 0 Flag: User-defined
Transport Src port Dst port ICMPtype,code Timeout(min) Application
tcp 0/65535 47050/47050 30
ns5xp-> get policy id 2
name:"Server1 SSH" (id 2), zone Untrust -> Trust,action Permit, status "enabled"
src "Any", dst "Server1", serv "Server1 SSH"
Policies on this vpn tunnel: 0
nat off, url filtering OFF
vpn unknown vpn, policy flag 0000, session backup: on
traffic shapping off, scheduler n/a, serv flag 00
log yes, log count 1, alert no, counter yes(1) byte rate(sec/min) 0/0
total octets 0, counter(session/packet/octet) 0/0/1
priority 7, diffserv marking Off
tadapter: state off, gbw/mbw 0/-1
No Authentication
No User, User Group or Group expression set
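As an added illustration, not part of the original page, the following Python script parses the one-line-per-policy table that get policy prints (the listing shown earlier) and flags what a reviewer of a NetScreen rulebase usually checks first: inbound permits from any source address, inbound permits for the ANY service, and permit rules without logging. The sample listing is constructed from the page's policy 1 plus the Server1 SSH policy created above; the decoding of the ASTLCB column (Authentication, Scheduling, Traffic shaping, Logging, Counting, session Backup) and the second row's flag values are assumptions, not captured device output.

```python
import re

# One row of ScreenOS "get policy" summary output. Fixed fields from the left:
# ID From To Src-address Dst-address; from the right: Action State flags.
# The service name sits in between and may contain a space ("Server1 SSH"),
# so it is matched lazily. Address-book names that contain spaces are not
# handled by this simple pattern.
POLICY_ROW = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<src_zone>\S+)\s+(?P<dst_zone>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<service>.+?)\s+"
    r"(?P<action>Permit|Deny|Reject|Tunnel)\s+(?P<state>enabled|disabled)\s+"
    r"(?P<flags>[-X]{6})\s*$"
)

# Assumed meaning of the ASTLCB flag column, left to right:
# Authentication, Scheduling, Traffic shaping, Logging, Counting, session Backup.
FLAG_NAMES = ("auth", "schedule", "shaping", "log", "count", "backup")

# Constructed sample listing: row 1 is the page's own "get policy" output,
# row 2 is how the "Server1 SSH" policy from the page would appear in the
# same listing (assumption: "log count" sets the L and C flags).
SAMPLE_OUTPUT = """\
Total regular policies 2, Default deny.
ID From To Src-address Dst-address Service Action State ASTLCB
1 Trust Untrust Any Any ANY Permit enabled -----X
2 Untrust Trust Any Server1 Server1 SSH Permit enabled ---XXX
"""


def parse_policies(text):
    """Turn get policy output into a list of dicts, one per policy row."""
    policies = []
    for line in text.splitlines():
        m = POLICY_ROW.match(line)
        if not m:
            continue  # summary line, column header, or blank
        p = m.groupdict()
        p["id"] = int(p["id"])
        flags = p.pop("flags")
        p.update({name: ch == "X" for name, ch in zip(FLAG_NAMES, flags)})
        policies.append(p)
    return policies


def review_policies(policies):
    """Return (policy id, finding) pairs worth a defender's attention."""
    findings = []
    for p in policies:
        if p["state"] != "enabled":
            continue
        inbound_permit = p["src_zone"] == "Untrust" and p["action"] == "Permit"
        if inbound_permit and p["src"] == "Any":
            findings.append((p["id"], "inbound permit from any source address"))
        if inbound_permit and p["service"] == "ANY":
            findings.append((p["id"], "inbound permit for ANY service"))
        if p["action"] == "Permit" and not p["log"]:
            findings.append((p["id"], "permit policy without logging"))
    return findings


if __name__ == "__main__":
    for pid, msg in review_policies(parse_policies(SAMPLE_OUTPUT)):
        print(f"policy {pid}: {msg}")
```

On the sample above the outbound Trust-to-Untrust policy is reported for having no logging, and the Server1 SSH policy is reported because it accepts connections from any source address, which is exactly the trade-off the text makes by choosing "Any" as the source; a production rulebase would usually narrow that to the management hosts that need SSH.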
Additional information on creating firewall rules can be found in Juniper Networks' Concepts & Examples ScreenOS Reference Guide, Volume 2: Fundamentals.
The above steps will allow access from the "trust" side of the firewall, e.g. the Local Area Network (LAN) behind the firewall. If you want to permit access from the "untrust" side, i.e. from the outside interface of the firewall, you will have to take additional steps.
To permit access from the "untrust" side using the web interface to the firewall, take the following steps.
The snoop commands provide functionality one might expect from a sniffer, but you can also use debug commands to see how the firewall is applying policies to the traffic it sees.
get log traffic command. If you are using the CLI for the router, when the results are displayed via a console or SSH connection, you will need to press a key at the more prompt to page through the output. You can press q to stop paging through the output.
But rather than page through it by the above method, you can also transfer the contents of the log to a TFTP server. Instructions for setting up a TFTP server on a Linux system can be found at Setting Up a Linux TFTP Server.
To redirect the output to a TFTP server, use the command
get log traffic > tftp <IP Address> <filename>,
substituting the IP address of the TFTP server for
<IP Address> and the name of the file you want to write to
on the TFTP server for <filename>. E.g. the command below
would store the log file on a TFTP server at IP address 192.168.0.5
in the file NetScreen-log.txt. Note: the file NetScreen-log.txt must already exist on the server, though it may be an empty file prior to transfer of the log file from the NetScreen firewall.
ns5gt-> get log traffic > tftp 192.168.0.5 NetScreen-log.txt
redirect to 192.168.2.5,NetScreen-log.txt
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! [progress marks elided]
tftp transferred records = 1308
tftp success!
If you see a tftp timeout max error message followed by a
tftp abort message, firewall software on the
TFTP server may be blocking the file transfer. If you see a
!rcv tftp error(1) File not found message
then you likely have mistyped the name of the file that should
be pre-existing on the server or the permissions on that file are
not set appropriately, e.g., if the TFTP server is a Linux or Unix
system, the file should have world read+write permissions set on it,
which you can set with chmod 666 filename.
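The two failure modes just described, a missing target file and a target file without world read+write permission, can be checked and fixed on the TFTP server before starting the transfer. The Python helper below is an added example and is not from the original page: it creates the empty target file if needed, applies the equivalent of chmod 666, and reports anything that would still make the NetScreen's write fail. The tftpd root directory is a constructed scratch directory in the demo (the real location, for example /tftpboot or /srv/tftp, depends on the server and is an assumption).

```python
import os
import stat
import tempfile


def check_tftp_target(path):
    """Return a list of reasons the NetScreen's TFTP write would fail.

    An empty list means the file exists and is world read+write.
    """
    if not os.path.isfile(path):
        # The firewall reports this case as: !rcv tftp error(1) File not found
        return ["file does not exist"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if not mode & stat.S_IROTH:
        problems.append("not world-readable")
    if not mode & stat.S_IWOTH:
        problems.append("not world-writable")
    return problems


def prepare_tftp_target(path):
    """Create the empty target file if missing and set mode 666 on it.

    Equivalent to: touch filename; chmod 666 filename
    Returns the remaining problems (should be an empty list).
    """
    if not os.path.exists(path):
        with open(path, "w"):
            pass  # empty placeholder; tftpd overwrites it with the log
    os.chmod(path, 0o666)  # os.chmod is not affected by the umask
    return check_tftp_target(path)


def demo():
    """Run the check before and after preparation in a scratch tftpd root."""
    # Constructed scratch directory standing in for the tftpd root directory.
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "NetScreen-log.txt")
        before = check_tftp_target(target)
        after = prepare_tftp_target(target)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before or "ok")
    print("after: ", after or "ok")
```

Run it as the user that owns the tftpd root, or with sudo, since chmod on a file you do not own fails; a tftp timeout max followed by tftp abort is a different problem (a host firewall on the server dropping UDP port 69 traffic) that this check cannot see.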
Once the VIP service is configured, you need to set up a new firewall rule, aka policy, to permit traffic from the outside of the firewall through to the inside for this new service.
To do so, take the following steps:
POP3 for a POP3 service. You don't need to change the Source Address, but for the Destination Address, select "VIP(untrust)" from Address Book Entry. For Service, you can select "POP3" for this example.