set service
command. E.g., suppose
I want to be able to establish an SSH connection from any system on the
external untrusted side of the firewall to an internal SSH server with
an IP address of 192.168.0.5 on the trusted side of the firewall that is
listening on the non-standard port of 2005 for SSH connections.
If I haven't yet created an address book entry for the SSH server, I
can use the set address command to create it. E.g., if I wanted to
create an address book entry for a system named Auburn with an IP
address of 192.168.0.1 on the trust side of the firewall, I could use
the command below:
ns5xp-> set address trust "Auburn" 192.168.0.1 255.255.255.255
The IP address is followed by the subnet mask. Since I am assigning just one IP address to the name, not a range of addresses, the subnet mask is 255.255.255.255.
If I made a mistake in entering the IP address or it later is changed, I can't just issue the "set address" command again with the new IP address. If I try that, the firewall will respond with "duplicate entry".
ns5xp-> set address trust "Auburn" 192.168.1.5 255.255.255.255
Address: Duplicate entry
Failed command - set address trust "Auburn" 192.168.0.5 255.255.255.255
ns5xp->
Instead, first I must unset the existing entry. Then I can add the modified entry to the address book.
ns5xp-> unset address trust "Auburn"
ns5xp-> set address trust "Auburn" 192.168.1.5 255.255.255.255
ns5xp->
After I've set the address book entry, I can create a new custom service, which I'll call "Auburn SSH". I specify that the protocol is TCP. The source port for any system connecting to the SSH server can be any port from 1,024 up to the maximum port number of 65,535. I started with 1,024, since the port numbers from 0 to 1,023 are the "well-known", aka "system", ports, and an SSH client should not be using one of those as its source port. For the destination port on the server, the server will be listening on port 2005, so the allowed destination range contains just that one port.
ns5xp-> set service "Auburn SSH" protocol tcp src-port 1024-65535 dst-port 2005-2005
Now that I've created the address book entry and the custom service, I can configure a firewall policy to allow connections through the firewall from any system on the untrust side to the SSH server on the trust side.
ns5xp-> set policy from untrust to trust Any Auburn "Auburn SSH" permit log
policy id = 17
ns5xp->
The policy is for connectivity from the untrust to the trust side with
any IP address allowed as the source address on the untrust side. The
destination is the system named Auburn in the address book and the next
parameter is the service name, which is "Auburn SSH". The connectivity is
allowed so I specify "permit" rather than "deny" and I appended log
so that connections will be logged.
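The address book, custom service and policy commands above follow a regular syntax, so they can be parsed and audited offline. The script below is an added example, not code from the original page or from Juniper/NetScreen. It tokenises lines in the command form shown on the page (quoted names, an optional "id N" on policy lines), emits the unset-then-set sequence needed to change an existing address entry (the "Duplicate entry" case), and lists every permit policy that lets Any host in an untrusted zone reach an internal address, together with the destination ports the named service opens. SAMPLE_CONFIG is constructed for this example; the "Wide Open" service and the extra policies are not from the page.

```python
"""Parse and audit ScreenOS-style address, service and policy commands.

Added example, not code from the original page or from Juniper/NetScreen.
SAMPLE_CONFIG is constructed for this example in the command syntax the
page shows; the 'Wide Open' service and the extra policies are invented.
"""
import shlex

SAMPLE_CONFIG = """
set address trust "Auburn" 192.168.0.1 255.255.255.255
set service "Auburn SSH" protocol tcp src-port 1024-65535 dst-port 2005-2005
set service "Wide Open" protocol tcp src-port 0-65535 dst-port 1-65535
set policy id 17 from untrust to trust Any Auburn "Auburn SSH" permit log
set policy from untrust to trust Any Auburn "Wide Open" permit
set policy from trust to untrust Any Any ANY permit log
"""


def port_range(spec):
    """Turn 'lo-hi' into a validated (lo, hi) tuple of port numbers."""
    lo, hi = (int(x) for x in spec.split("-", 1))
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range {spec!r}")
    return lo, hi


def parse_policy(tok):
    """tok: set policy [id N] from SZ to DZ SRC DST SERVICE ACTION [log ...]"""
    rest = tok[2:]
    policy_id = None
    if rest[:1] == ["id"]:
        policy_id, rest = int(rest[1]), rest[2:]
    if len(rest) < 8 or rest[0] != "from" or rest[2] != "to":
        raise ValueError("unrecognised policy line: " + " ".join(tok))
    return {
        "id": policy_id, "from": rest[1], "to": rest[3], "src": rest[4],
        "dst": rest[5], "service": rest[6], "action": rest[7],
        "log": "log" in rest[8:],
    }


def parse_config(text):
    """Rebuild the address book, custom services and policy list."""
    addresses, services, policies = {}, {}, []
    for line in text.splitlines():
        tok = shlex.split(line)          # honours the quoted names
        if tok[:2] == ["set", "address"] and len(tok) == 6:
            zone, name, ip, mask = tok[2:]
            addresses[name] = {"zone": zone, "ip": ip, "mask": mask}
        elif tok[:2] == ["set", "service"] and len(tok) >= 9:
            kv = dict(zip(tok[3::2], tok[4::2]))   # keyword/value pairs
            services[tok[2]] = {
                "protocol": kv["protocol"],
                "src_port": port_range(kv["src-port"]),
                "dst_port": port_range(kv["dst-port"]),
            }
        elif tok[:2] == ["set", "policy"]:
            policies.append(parse_policy(tok))
    return addresses, services, policies


def address_commands(addresses, zone, name, ip, mask="255.255.255.255"):
    """Commands to create or change an entry.  The firewall rejects a second
    'set address' for an existing name ('Duplicate entry'), so an existing
    entry is unset first, as the page shows."""
    cmds = []
    if name in addresses:
        cmds.append(f'unset address {zone} "{name}"')
    cmds.append(f'set address {zone} "{name}" {ip} {mask}')
    return cmds


def exposed_policies(text, untrusted_zones=("untrust",)):
    """Permit policies whose source is Any in an untrusted zone.  dst_ports is
    None for a predefined service (e.g. ANY) this example cannot resolve."""
    _, services, policies = parse_config(text)
    findings = []
    for p in policies:
        if p["action"] != "permit" or p["from"].lower() not in untrusted_zones:
            continue
        if p["src"].lower() != "any":
            continue
        svc = services.get(p["service"])
        findings.append({
            "id": p["id"], "dst": p["dst"], "service": p["service"],
            "dst_ports": svc["dst_port"] if svc else None,
            "logged": p["log"],
        })
    return findings


if __name__ == "__main__":
    addrs, _, _ = parse_config(SAMPLE_CONFIG)
    print("\n".join(address_commands(addrs, "trust", "Auburn", "192.168.1.5")))
    for finding in exposed_policies(SAMPLE_CONFIG):
        print(finding)
```

Run against a saved "get config" dump, the exposed_policies report is a quick way to see which inbound permit policies open more than the single port the page's "Auburn SSH" service does, and which of them lack the log option.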
Created: Sunday July 19, 2015