The get config command shows the configuration of the firewall, including all of its rules, and the get policy command lists all policies, aka rules. The existing policies gave me examples to check the syntax I should use for a new rule.
Looking at the list of existing rules, it appeared the next available policy id in this firewall would be 17, but I decided to double-check to make sure I hadn't overlooked an existing policy with that number.
ns5xp-> get policy id 17
Policy: Not found
Failed command - get policy id 17
Since one couldn't be found, I used that number for the id of the policy I created. You can set a descriptive name for a rule using the name parameter, so I decided to label it as "Block infected system". The infected system was on the inside, i.e., the "Trust" side of the firewall and I wanted to block all traffic from it to the "Untrust" side, i.e., the Internet. The IP address of the infected system was 192.168.0.6, so I entered the command below:
ns5xp-> set policy id 17 name "Block infected system" from "Trust" to "Untrust" 192.168.0.6 "ANY" "ANY" deny
### Zone Trust->Untrust : following address(es) not defined: (src 192.168.0.6),
Failed command - set policy id 17 name "Block infected system" from "Trust" to "Untrust" 192.168.0.6 "ANY" "ANY" deny
But the command failed, so I obviously had made a mistake. I realized I had to associate a name with the IP address before setting the policy, but didn't remember how to do that from a command prompt. Fortunately, you can enter the start of a command followed by a question mark and the NetScreen operating system will provide you with information on what you can enter next on the command line to complete the command, so I just added parameters followed by a question mark until I could complete the command.
ns5xp-> set address ?
Trust                Trust zone
Untrust              Untrust zone
Global               Global zone
V1-Trust             V1-Trust zone
V1-Untrust           V1-Untrust zone
ns5xp-> set address "Trust" ?
<name string>        address name
ns5xp-> set address "Trust" "Onda" ?
<string>             <a.b.c.d>/<num> IP Address/Netmask
<a.b.c.d>            IP Address
ns5xp-> set address "Trust" "Onda" 192.168.0.6 ?
<A.B.C.D>            Network Mask
ns5xp-> set address "Trust" "Onda" 192.168.0.6 255.255.255.255 ?
<return>
<string>             address comment
ns5xp-> set address "Trust" "Onda" 192.168.0.6 255.255.255.255 "Sue's PC"
ns5xp->
I set the subnet mask to 255.255.255.255, the host mask (/32), since that is the appropriate mask to use when you are specifying a single IP address rather than a range of addresses; a shorter mask would silently turn the address object into a subnet and block more than the one infected host.
I wanted to move the block rule up near the top of the list of rules, so I used "before 2" to put it before the policy with id number 2 in the list. I wanted to block traffic from the source system to any destination system on any port, so I used "ANY" "ANY" for the destination address and service and put deny at the end of the policy definition to block all traffic from the system named "Onda".
ns5xp-> set policy id 17 before 2 name "Block infected system" from "Trust" to "Untrust" "Onda" "ANY" "ANY" deny
policy id = 17
I saw "policy id = 17" this time after entering the command, letting me know the rule was successfully set and I was able to verify that the system no longer could communicate outside the LAN. I left connectivity in place with other systems on the LAN temporarily until I could pull some files from the system for analysis on another system and push some troubleshooting tools to it before unplugging the network cable from the infected system.
For the set policy command, the following options are available:
ns5xp-> set policy ?
before               insert a policy
default-permit-all   permit if no policy match
from                 from zone
global               set global policy
id                   specify policy id
move                 move a policy
name                 specify policy name
top                  put this policy as the first one in the list
I used set policy id 17 before 2 name "Block infected system" from "Trust" to "Untrust" "Onda", with "Onda" being the source address object defined above. The next two parameters on the line were the following, and they must appear in this order:
<name string>        destination address name
<name string>        service name
After those, you can use one of the following options:
deny                 deny packets
nat                  enable nat
permit               permit packets
tunnel               encrypt packets
By specifying "ANY" "ANY" for those two parameters, I blocked all destinations and all services, i.e., any port on any destination system on the outside, "Untrust", side of the firewall. The last parameter on the command line, deny, is what blocks the connectivity.
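The two-step procedure above (find a free policy id, define the address object, then insert the deny policy before an existing rule) is easy to get wrong in the order the page shows: referencing an undefined address name fails, and a mask shorter than /32 widens the block to a subnet. The following Python script is an added example, not code from the original page or from ScreenOS, that generates the same commands from a host or subnet and a copy of get policy output. The sample get policy text and its column layout are constructed approximations, and the id-picking rule (one past the highest id in use) is the author's rule of thumb rather than anything the firewall guarantees.

```python
import ipaddress
import re

# Constructed sample in the shape of ScreenOS "get policy" output. It is not
# output captured from the ns5xp on this page; the column layout is assumed.
SAMPLE_GET_POLICY = """\
Total regular policies 3, Default deny.
    ID From     To       Src-address  Dst-address  Service  Action State   ASTLCB
     1 Trust    Untrust  Any          Any          ANY      Permit enabled -----X
     2 Trust    Untrust  Any          Any          HTTP     Permit enabled -----X
    16 Untrust  Trust    Any          MailServer   SMTP     Permit enabled -----X
"""

# A policy row starts with the numeric id followed by the from- and to-zones;
# the header line and the summary line do not match because they start with text.
POLICY_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s", re.MULTILINE)


def used_policy_ids(get_policy_output):
    """Set of policy ids that already exist, parsed from get policy output."""
    return {int(m.group(1)) for m in POLICY_ROW.finditer(get_policy_output)}


def next_policy_id(get_policy_output):
    """One past the highest id in use (the same rule of thumb that gave 17)."""
    return max(used_policy_ids(get_policy_output), default=0) + 1


def address_object_command(zone, name, target, comment):
    """'set address' for a single host or a subnet.

    target is an IPv4 host ("192.168.0.6") or a subnet in CIDR form
    ("192.168.0.0/24"). A bare host gets the /32 mask 255.255.255.255. A CIDR
    with host bits set (e.g. 192.168.0.6/24) is rejected by strict=True rather
    than silently widened into a subnet block.
    """
    net = ipaddress.ip_network(target, strict=True)
    if net.version != 4:
        raise ValueError("only IPv4 address objects are generated here")
    return f'set address "{zone}" "{name}" {net.network_address} {net.netmask} "{comment}"'


def deny_policy_command(policy_id, src_zone, dst_zone, src_name, policy_name, before_id=None):
    """'set policy ... deny' from src_name to any destination and any service.

    before_id places the rule ahead of an existing policy, as the page does
    with "before 2"; with before_id=None no position keyword is emitted.
    """
    position = f"before {before_id} " if before_id is not None else ""
    return (f'set policy id {policy_id} {position}name "{policy_name}" '
            f'from "{src_zone}" to "{dst_zone}" "{src_name}" "ANY" "ANY" deny')


def plan_block(get_policy_output, target, obj_name, comment,
               src_zone="Trust", dst_zone="Untrust", before_id=2,
               policy_name="Block infected system"):
    """Commands in the order ScreenOS needs them: the address object first,
    because a policy referencing an undefined name fails (the error shown on
    the page), then the policy. Also refuses an insertion point that is not
    in the current policy list."""
    ids = used_policy_ids(get_policy_output)
    if before_id is not None and before_id not in ids:
        raise ValueError(f"no policy id {before_id} to insert before")
    pid = max(ids, default=0) + 1
    return [
        address_object_command(src_zone, obj_name, target, comment),
        deny_policy_command(pid, src_zone, dst_zone, obj_name, policy_name, before_id),
    ]


if __name__ == "__main__":
    # Reproduces the two commands the page ends up entering on the ns5xp.
    for line in plan_block(SAMPLE_GET_POLICY, "192.168.0.6", "Onda", "Sue's PC"):
        print(line)
```

Paste the printed lines into the CLI in order; the address object line must go first, or the policy line fails exactly as it did on the page. Passing "192.168.0.0/24" instead of a host produces a 255.255.255.0 mask for blocking a whole subnet, while "192.168.0.6/24" is refused because it is ambiguous about whether you meant the host or the network.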
Created: Tuesday January 6, 2015