Viewing Policies and Configuring a Policy for FTP

You can check the current policies on a Juniper NetScreen firewall running the ScreenOS operating system, such as a NetScreen-5GT firewall, with get policy all. If you want to view just the policies that affect transmissions between two particular zones, you can use get policy from from_zone to to_zone, e.g. get policy from untrust to trust for those policies that apply to traffic from the untrust zone to the trust zone. If you only want to find policies between two zones that apply to a particular service, you can add the pipe character, |, after the command, followed by include pattern. E.g., suppose I wanted to check on policies for web traffic. I could use the following command:

ns5gt-> get policy from untrust to trust | i "HTTP"
    13 Untrust  Trust    Any          VIP(untrust) HTTP                 Permit enabled ---XXX
    17 Untrust  Trust    Any          VIP(untrust) HTTPS                Permit enabled ----XX

"Include" can be shortened to just "i". If you want to exclude policies matching a certain pattern, you can use exclude instead of include; it can be shortened to just "e". E.g., if I wanted to see all policies from the untrust to the trust zone except the HTTP and HTTPS ones, I could use get policy from untrust to trust | e HTTP. Note: the pattern applies not just to the service name, but also to the policy numbers. E.g., if I use include 3, I will see every policy whose number contains the digit 3.

ns5gt-> get policy from untrust to trust | i 3
    13 Untrust  Trust    Any          VIP(untrust) HTTP                 Permit enabled ---XXX
    15 Untrust  Trust    Any          VIP(untrust) POP3                 Permit enabled ---XXX
    23 Untrust  Trust    Any          VIP(untrust) POP3S                Permit enabled ---XXX

A number of services, such as FTP, are predefined.

ns5gt-> get service ftp
Name:       FTP
Category:   remote         ID:  0   Flag:  Pre-defined

Transport    Src port     Dst port   ICMPtype,code  Timeout(min) Application
tcp           1/65535        21/21                        30         FTP

For FTP, there are also FTP-Get and FTP-Put services defined that allow further restrictions to be applied to FTP access. These allow unidirectional FTP transfers, i.e. only downloads or only uploads.

If I want to allow inbound FTP connectivity to a specific host, but only from specific IP addresses, I could use a set policy command like set policy from untrust to trust allowed_addresses VIP(untrust) FTP permit log, presuming that I want to allow any system with an IP address included in allowed_addresses to access the internal FTP server and that I want to log the traffic. But if I try specifying the allowed address range directly within the command, I will see a "following address(es) not defined" message. E.g., suppose I wanted to allow access from any system with an IP address from 172.16.224.0 to 172.16.224.255. (The first attempt below also omits the from keyword, which is why it fails with "unknown keyword untrust" instead.)

ns5gt-> set policy untrust to trust 172.16.224.0/24 VIP(untrust) FTP permit log
                   ^----------unknown keyword untrust
ns5gt-> set policy from untrust to trust 172.16.224.0/24 VIP(untrust) FTP permit log
### Zone Untrust->Trust : following address(es) not defined: (src 172.16.224.0/24),

Failed command - set policy from untrust to trust 172.16.224.0/24 VIP(untrust) FTP permit log

Instead, I need to add the allowed range of addresses to the address book. You can see the contents of the address book using get address. To add the range to the address book, I can use a set address zone name address command, where zone is the firewall zone where the address(es) are located, name is whatever descriptive name I wish to give to the address book entry, and address can take any of the forms shown below:

ns5gt-> set address untrust name ?
<string>             Domain Name
<a.b.c.d>/<num>      IP Address/Netmask
<a.b.c.d>            IP Address

E.g., suppose I want to name the address book entry "Acme VPN" and the allowed addresses will be from 172.16.224.0 to 172.16.224.255; I could use the following commands:

ns5gt-> set address untrust "ACME VPN" 172.16.224.0/24
ns5gt-> set policy from untrust to trust "Acme VPN" VIP(untrust) FTP permit log 
policy id = 24
ns5gt->

You can also specify a domain name for an address book entry rather than an IP address or address range.

ns5gt-> set address untrust ACI aci.example.com
Domain name "aci.example.com" has been looked up successfully.
ns5gt-> set policy from untrust to trust ACI VIP(untrust) FTP permit log
policy id = 25
ns5gt->

If you wish to add a specific IP address, put a /32, which is a subnet mask specifying one IP address, at the end of the address as shown below.

ns5gt-> set address untrust "John Doe IP" 192.168.181.210/32
ns5gt-> set policy from untrust to trust "John Doe IP" VIP(untrust) FTP permit
policy id = 26
ns5gt->

When checking the address book, you can specify that you only want to view address book entries for a particular zone.

ns5gt-> get address untrust
Total 3 addresses and 0 groups in the address book.

Untrust Addresses:
Name                 Address         Netmask         Flag  Comments
ACI                  aci.example.com                 01
Any                  0.0.0.0         0.0.0.0           02  All Addr
ACME VPN             172.16.224.0    255.255.255.0     01
John Doe IP          192.168.181.210 255.255.255.255   01

ns5gt->

I can see the details for the policy I created using the policy id, which in this case was 24 for the first FTP policy I created.

ns5gt-> get policy id 24
name:"none" (id 24), zone Untrust -> Global,action Permit, status "enabled"
src "ACME VPN", dst "VIP(untrust)", serv "FTP"
Policies on this vpn tunnel: 0
nat off, url filtering : disabled
vpn unknown vpn, policy flag 0000, session backup: on
traffic shapping off, scheduler n/a, serv flag 00
log yes, log count 0, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 0, counter(session/packet/octet) 0/0/0
priority 7, diffserv marking Off
tadapter: state off, gbw/mbw 0/-1
No Authentication
No User, User Group or Group expression set

Since the firewall is performing Network Address Translation (NAT) and I am using "VIP(untrust)" to connect to a specific internal host running the FTP service, I also need to use the command below, which will route the incoming connections to the default FTP port, port 21, to the internal server's IP address, which is 192.168.0.4.

ns5gt-> set interface untrust vip untrust 21 "FTP" 192.168.0.4
ns5gt->

If I later wish to remove a policy, such as policy id 26, which was created above for the individual IP address I named "John Doe IP", along with its address book entry, I could use commands such as the following:

ns5gt-> unset policy id 26
ns5gt-> unset address untrust "John Doe IP"

After making configuration changes to the firewall, you need to issue the save config command to keep the changes from disappearing the next time the firewall is rebooted.

If FTP connectivity doesn't work or if I want to look more closely at the FTP traffic, I can use the snoop command to troubleshoot the connection.

ns5gt-> snoop filter ip port 21
snoop filter added
ns5gt-> clear dbuf
ns5gt-> snoop
Start Snoop, type ESC or 'snoop off' to stop, continue? [y]/n y
ns5gt-> snoop off
Snoop off
ns5gt->

With the first command above, I've set a filter to look only for traffic to port 21, which is the default command/control port for FTP. There is also a data port, TCP port 20, but for the moment I only want to check connectivity to the command port. Since the data will go to the debug buffer, I next clear that buffer to eliminate any prior data. Then the snoop command initiates snooping of the FTP traffic. The system will prompt you to confirm that you wish to start snooping. The captured information isn't immediately displayed; I need to attempt an FTP connection from a remote client and then, after doing so, issue a snoop off command and a get dbuf command.

If you want to see what filter is currently in effect, you can use the snoop info command.

ns5gt-> snoop info
Snoop: ON
Filters Defined: 1, Active Filters 1
Detail: OFF, Detail Display length: 96
Snoop filter based on:
id 1(on): IP port 21 dir(B)

I can view the contents of the debug buffer where the snoop command is storing data with get dbuf info.

ns5gt-> get dbuf info
count: 5301, last index: 5301, cur index: 0, size: 32768
start: 0, pause: 0
ns5gt->

I can see that there were 5301 packets transmitted involving port 21. To see details, I can use the get dbuf stream command.

ns5gt-> get dbuf stream
4062421.0: 2(i):001bfc2f66fd->0010db7d2862/0800
              192.168.0.4->10.105.19.135/6, tlen=71
              vhl=45, tos=00, id=36439, frag=4000, ttl=64
              tcp:ports 21->7324, seq=4063640459, ack=3383.0.407, flag=5018

4062421.0: 1(o):0010db7d2861->503955558937/0800
              192.168.0.10->10.105.19.135/6, tlen=71
              vhl=45, tos=00, id=36439, frag=4000, ttl=63
              tcp:ports 21->7324, seq=4063640467, ack=3383.0.407, flag=5018

4062421.0: 2(i):001bfc2f66fd->0010db7d2862/0800
              192.168.0.4->10.105.19.135/6, tlen=70
              vhl=45, tos=00, id=36440, frag=4000, ttl=64
              tcp:ports 21->7324, seq=4063640490, ack=3383.0.415, flag=5018

4062421.0: 1(o):0010db7d2861->503955558937/0800
              192.168.0.10->10.105.19.135/6, tlen=70
              vhl=45, tos=00, id=36440, frag=4000, ttl=63
              tcp:ports 21->7324, seq=4063640498, ack=3383.0.415, flag=5018

4062421.0: 2(i):001bfc2f66fd->0010db7d2862/0800
              192.168.0.4->10.105.19.135/6, tlen=90
--- more ---

From the above output, I can see that a system with the IP address of 10.105.19.135 was engaged in FTP communications with the server.
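Reading the debug buffer by eye, as above, does not scale once it holds thousands of records. The following is an added example, not code from the article: it parses the get dbuf stream records shown above into Python dicts, lists the remote hosts seen on the FTP control port, and pairs the received (i) and forwarded (o) copies of each packet by IP id, which makes the source address rewritten by the VIP visible. The sample input is copied from the article's output; the truncated last record is kept to show that a record cut off by the pager is skipped rather than misparsed.

```python
# Added example, not from the article: parse ScreenOS 'get dbuf stream' snoop
# records, list hosts on the FTP control port, and pair (i)/(o) copies by IP id.
import re
from collections import defaultdict

# Copied from the article's snoop output; the last record is cut off by the pager.
SNOOP_SAMPLE = """\
4062421.0: 2(i):001bfc2f66fd->0010db7d2862/0800
              192.168.0.4->10.105.19.135/6, tlen=71
              vhl=45, tos=00, id=36439, frag=4000, ttl=64
              tcp:ports 21->7324, seq=4063640459, ack=3383.0.407, flag=5018
4062421.0: 1(o):0010db7d2861->503955558937/0800
              192.168.0.10->10.105.19.135/6, tlen=71
              vhl=45, tos=00, id=36439, frag=4000, ttl=63
              tcp:ports 21->7324, seq=4063640467, ack=3383.0.407, flag=5018
4062421.0: 2(i):001bfc2f66fd->0010db7d2862/0800
              192.168.0.4->10.105.19.135/6, tlen=90
--- more ---
"""

RECORD_RE = re.compile(
    r"(?P<ts>[\d.]+): (?P<ifnum>\d+)\((?P<dir>[io])\):(?P<smac>\w+)->(?P<dmac>\w+)/\w+\s+"
    r"(?P<src>[\d.]+)->(?P<dst>[\d.]+)/(?P<proto>\d+), tlen=(?P<tlen>\d+)\s+"
    r"vhl=\w+, tos=\w+, id=(?P<ipid>\d+), frag=\w+, ttl=(?P<ttl>\d+)\s+"
    r"(?P<l4>\w+):ports (?P<sport>\d+)->(?P<dport>\d+)")
INT_FIELDS = {"ifnum", "proto", "tlen", "ipid", "ttl", "sport", "dport"}

def parse_snoop(text):
    """One dict per complete record; a pager-truncated record has no ports line,
    so the regex does not match it and it is skipped."""
    return [{k: int(v) if k in INT_FIELDS else v for k, v in m.groupdict().items()}
            for m in RECORD_RE.finditer(text)]

def ftp_peers(records, ctrl_port=21):
    """Remote hosts on the FTP control port with bytes to/from the server. Only (i)
    copies count: the (o) copy is the same packet after forwarding and NAT."""
    peers = defaultdict(lambda: {"to_server": 0, "from_server": 0})
    for r in records:
        if r["dir"] != "i" or r["l4"] != "tcp":
            continue
        if r["dport"] == ctrl_port:
            peers[r["src"]]["to_server"] += r["tlen"]
        elif r["sport"] == ctrl_port:
            peers[r["dst"]]["from_server"] += r["tlen"]
    return dict(peers)

def nat_pairs(records):
    """{ip id: (source as received, source as forwarded)} for packets seen as
    both (i) and (o); the two differ where the firewall rewrote the address."""
    by_id = defaultdict(dict)
    for r in records:
        by_id[r["ipid"]][r["dir"]] = r
    return {i: (c["i"]["src"], c["o"]["src"]) for i, c in by_id.items()
            if "i" in c and "o" in c}
```

Run against a full get dbuf stream capture, ftp_peers() gives the list of remote addresses that actually reached port 21, which is what the author infers above from a single record.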

The debug buffer is circular, so new data will overwrite existing data once it fills. The buffer size can be increased from the default value of 32 KB with set dbuf size <size>. The command get db info shows the size of the buffer in bytes. If you need to capture a lot of data, you can set the debug buffer to the maximum size of 4096 KB (4 MB) using set db size 4096; that is 4194304 bytes, as the last get db info command below shows. You can set the buffer size back to the default value of 32 KB with set dbuf size 32 or unset db size.

ns5gt-> get db info
count: 5301, last index: 5301, cur index: 0, size: 32768
start: 0, pause: 0
ns5gt-> set db size 4096
ns5gt-> get db info
count: 0, last index: 0, cur index: 0, size: 4194304
start: 0, pause: 0



Created: Sunday June 28, 2015