Advanced firewall features

Content filtering with string matching

The content filtering feature can optionally be used for simple URL blocking and malicious content filtering. However, take note of the limitations below:

CONFIGURATION EXAMPLES

filter anything containing "playboy.com"; this matches both the URI and the body text

    firewall-access 1 deny outbound eth0 tcp src 192.168.1.0/24 string playboy.com
    firewall-access 2 deny outbound eth0 tcp src 192.168.1.0/24 string games.com

deny a vulnerability scan against a web server

    firewall-access 3 deny inbound eth0 tcp dst 172.16.1.3 dport 80 string "GET /w00tw00t.at.ISC.SANS."

deny a malicious URL attack against a web server

    firewall-access 4 deny inbound eth0 tcp dst 172.16.1.3 string "download?file=%2e%2e"

    mbox# show firewall access-list
     pkts bytes target     prot opt in     out     source               destination
    ------------------------------------------------------------------------------
        0     0 DROP       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            /* access-list 1 */ state NEW STRING match  "playboy.com" ALGO name bm TO 65535
        0     0 DROP       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            /* access-list 2 */ state NEW STRING match  "games.com" ALGO name bm TO 65535
        0     0 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            /* access-list 3 */ state NEW STRING match  "GET /w00tw00t.at.ISC.SANS."
        0     0 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            /* access-list 4 */ state NEW STRING match  "download?file=%2e%2e"

DDoS prevention with rate limiting

mbox can limit the packets passing through it to a chosen rate, either to smooth bursty connections or to mitigate volumetric DDoS attacks. The simplest way to mitigate a volumetric DDoS attack is to limit per-host or per-connection bandwidth usage, so that a target destination is not overwhelmed by the packets coming in or flowing towards it.

CONFIGURATION EXAMPLES

limit "100 packets per second for every host in 192.168.1.0/24"

    firewall-limit 2 pps 100 10 all ip src 192.168.1.0/24
    firewall-limit 3 pps 100 10 all ip dst 192.168.1.0/24
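The following Python model, added here and not part of mbox, shows what a per-host limit such as firewall-limit 2 above does to traffic. It assumes that the first number (100) is the sustained rate in packets per second and the second (10) the burst allowance, as with iptables' --limit and --limit-burst; mbox's own implementation may differ, and the traffic in demo() is constructed.

```python
# Added example, not mbox's own code: a per-host token-bucket model of the
# "firewall-limit 2 pps 100 10 all ip src 192.168.1.0/24" rule above.
# Assumption: 100 is the sustained rate in packets/second and 10 the burst
# allowance, as with iptables' --limit/--limit-burst; each source host in the
# network gets its own bucket. Integer millitokens avoid floating-point drift.
from ipaddress import ip_address, ip_network

class PerHostLimiter:
    def __init__(self, network: str, rate_pps: int, burst: int):
        self.net = ip_network(network)
        self.rate = rate_pps          # millitokens added per millisecond
        self.cap = burst * 1000       # bucket size in millitokens
        self.buckets = {}             # host -> [millitokens, last_seen_ms]

    def accept(self, src: str, t_ms: int) -> bool:
        """True if a packet from src at time t_ms passes, False if it is dropped."""
        host = ip_address(src)
        if host not in self.net:      # the rule only covers the listed network
            return True
        b = self.buckets.setdefault(host, [self.cap, t_ms])
        b[0] = min(self.cap, b[0] + (t_ms - b[1]) * self.rate)
        b[1] = t_ms
        if b[0] >= 1000:              # one packet costs 1000 millitokens
            b[0] -= 1000
            return True
        return False

def simulate(limiter: PerHostLimiter, packets: list) -> dict:
    """packets: (time_ms, src) tuples in time order. Returns src -> (passed, dropped)."""
    stats = {}
    for t_ms, src in packets:
        passed, dropped = stats.get(src, (0, 0))
        stats[src] = (passed + 1, dropped) if limiter.accept(src, t_ms) else (passed, dropped + 1)
    return stats

def demo() -> dict:
    """Constructed traffic: one host floods 1000 pkt/s, one sends 50 pkt/s,
    one is outside the rule's source network and is therefore untouched."""
    lim = PerHostLimiter("192.168.1.0/24", rate_pps=100, burst=10)
    flood = [(ms, "192.168.1.50") for ms in range(1000)]
    normal = [(ms * 20, "192.168.1.51") for ms in range(50)]
    outside = [(ms, "10.0.0.9") for ms in range(1000)]
    return simulate(lim, sorted(flood + normal + outside))
```

The flooding host gets its 10-packet burst plus roughly 100 packets per second and loses the rest, while the well-behaved host and the out-of-scope host are untouched.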

MAC address filtering

mbox can deny or permit specific hosts based on the source host's MAC address. Use the src_mac option.

The example below prevents the host from accessing anything through mbox. If you want to prevent the host from accessing services on mbox itself (e.g. ssh, http), use firewall-input rules instead.

    firewall-access 10 deny all src_mac 18:5e:0f:70:e2:02
    firewall-access 999 permit all
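To see how the string-matching entries from the content filtering section above and the MAC entries in this section are evaluated as one ordered list, here is a small Python model (added here; not mbox's code). It assumes first-match-wins evaluation in sequence-number order, a case-sensitive per-packet substring test for string entries (the show output lists a per-packet STRING match with no ICASE flag), and the packets in demo() are constructed.

```python
# Added example, not mbox's own code: a model of how an ordered firewall-access
# list like this page's is evaluated. Assumptions: entries are tried in sequence
# order and the first match decides; 'string' is a case-sensitive substring test
# on one packet's payload; a key absent from an entry means "all".
from ipaddress import ip_address, ip_network

ACCESS_LIST = [  # the entries configured on this page
    {"seq": 1, "action": "deny", "direction": "outbound", "iface": "eth0", "proto": "tcp",
     "src": "192.168.1.0/24", "string": b"playboy.com"},
    {"seq": 2, "action": "deny", "direction": "outbound", "iface": "eth0", "proto": "tcp",
     "src": "192.168.1.0/24", "string": b"games.com"},
    {"seq": 3, "action": "deny", "direction": "inbound", "iface": "eth0", "proto": "tcp",
     "dst": "172.16.1.3", "dport": 80, "string": b"GET /w00tw00t.at.ISC.SANS."},
    {"seq": 4, "action": "deny", "direction": "inbound", "iface": "eth0", "proto": "tcp",
     "dst": "172.16.1.3", "string": b"download?file=%2e%2e"},
    {"seq": 10, "action": "deny", "src_mac": "18:5e:0f:70:e2:02"},
    {"seq": 999, "action": "permit"},
]

def matches(entry: dict, pkt: dict) -> bool:
    """pkt keys: direction, iface, proto, src, dst, dport, src_mac, payload."""
    checks = {
        "src": lambda want: ip_address(pkt["src"]) in ip_network(want, strict=False),
        "dst": lambda want: ip_address(pkt["dst"]) in ip_network(want, strict=False),
        "src_mac": lambda want: pkt.get("src_mac", "").lower() == want.lower(),
        "string": lambda want: want in pkt.get("payload", b""),  # per packet, case-sensitive
    }
    return all(checks.get(k, lambda want: want == pkt.get(k))(v)
               for k, v in entry.items() if k not in ("seq", "action"))

def evaluate(entries: list, pkt: dict) -> str:
    """First match in sequence order wins; 'no-match' when nothing applies."""
    for e in sorted(entries, key=lambda e: e["seq"]):
        if matches(e, pkt):
            return f'{e["action"]}:{e["seq"]}'
    return "no-match"

def demo() -> dict:
    """Constructed packets (not from the page) run through the list."""
    out = {"direction": "outbound", "iface": "eth0", "proto": "tcp", "src": "192.168.1.10",
           "dst": "203.0.113.5", "dport": 80, "src_mac": "00:11:22:33:44:55"}
    inb = {**out, "direction": "inbound", "src": "198.51.100.7", "dst": "172.16.1.3"}
    pkts = {
        "blocked_site": {**out, "payload": b"GET / HTTP/1.1\r\nHost: www.playboy.com\r\n"},
        "case_differs": {**out, "payload": b"Host: WWW.PLAYBOY.COM"},
        "scanner_probe": {**inb, "payload": b"GET /w00tw00t.at.ISC.SANS.test HTTP/1.1"},
        "traversal_8080": {**inb, "dport": 8080, "payload": b"GET /app/download?file=%2e%2e HTTP/1.1"},
        "banned_mac": {**out, "src_mac": "18:5E:0F:70:E2:02", "payload": b""},
    }
    return {name: evaluate(ACCESS_LIST, p) for name, p in pkts.items()}
```

Note that the upper-case variant of the blocked hostname falls through to entry 999 and is permitted, which is the kind of limitation a per-packet, case-sensitive string filter has.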

Disable default firewall rules

mbox comes with a default set of firewall rules that is loaded when it boots. Any new rules added from the CLI are appended after the default rules. Use "show firewall input-list all" or "show firewall access-list all" to view the default rules. The default rules are remarked as "DEFAULTHIDE99", for example:

    mbox# show firewall input-list all
    Chain INPUT (policy DROP 326 packets, 44656 bytes)
     5297  792K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DEFAULTHIDE99 */ state RELATED,ESTABLISHED
        2   104 ACCEPT     tcp  --  *      *       49.128.58.64/28      0.0.0.0/0            /* DEFAULTHIDE99 */ tcp
       12  4006 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DEFAULTHIDE99 */ udp dpts:67:68
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.18           /* DEFAULTHIDE99 */
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.5            /* DEFAULTHIDE99 */
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.6            /* DEFAULTHIDE99 */
        0     0 ACCEPT     112  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DEFAULTHIDE99 */
        0     0 ACCEPT     97   --  *      *       0.0.0.0/0            0.0.0.0/0            /* DEFAULTHIDE99 */
        5  7500 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            /* DEFAULTHIDE99 */
        0     0 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0            /* DEFAULTHIDE99 */
        0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DEFAULTHIDE99 */
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DEFAULTHIDE99 */ udp dpt:500
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DEFAULTHIDE99 */ udp dpt:4500
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DEFAULTHIDE99 */ tcp dpt:8080
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DEFAULTHIDE99 */ tcp dpt:8443
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DEFAULTHIDE99 */ udp dpts:3478:3479
      273 16036 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* DEFAULTHIDE99 */
        0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            /* input-list 100 */
    mbox#

Note that the default firewall rules are essential for permitting some default services; however, it may sometimes be desirable to disable some of them because of corporate security policy. For example, you may want to disable ping/ICMP, or not allow IPsec (ESP, UDP/500), etc. The firewall-disable CLI removes such default rules;

the rule below disables ICMP ping to mbox itself.

    firewall-disable input icmp
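Before and after using firewall-disable, it helps to check the default rule set against your policy. The following audit helper, added here and not part of mbox, parses the "show firewall input-list all" format shown above and lists the DEFAULTHIDE99 entries that still permit services the policy disallows. SAMPLE is a subset of the output on this page; the policy in demo() is constructed from the ping and IPsec examples in the text.

```python
# Added example, not mbox's own code: an audit helper that parses the
# "show firewall input-list all" format shown above and reports which
# DEFAULTHIDE99 entries permit services a local policy does not want open.
# SAMPLE is a subset of the output on this page; the policy in demo() is constructed.
import re
LINE = re.compile(r"^\s*\d+\s+\S+\s+(\w+)\s+(\S+)\s+--\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

SAMPLE = """mbox# show firewall input-list all
Chain INPUT (policy DROP 326 packets, 44656 bytes)
 5297  792K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DEFAULTHIDE99 */ state RELATED,ESTABLISHED
    5  7500 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            /* DEFAULTHIDE99 */
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DEFAULTHIDE99 */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DEFAULTHIDE99 */ udp dpt:500
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DEFAULTHIDE99 */ udp dpt:4500
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DEFAULTHIDE99 */ udp dpts:3478:3479
    0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            /* input-list 100 */
mbox#"""

def parse_input_list(text: str) -> list:
    """One dict per rule line (pkts bytes target prot opt in out src dst ...); other lines skipped."""
    rules = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        target, prot, if_in, if_out, src, dst, rest = m.groups()
        comment = re.search(r"/\*\s*(.*?)\s*\*/", rest)
        ports = re.search(r"dpts?:(\d+)(?::(\d+))?", rest)   # dpt:500 or dpts:3478:3479
        rules.append({"target": target, "prot": prot, "in": if_in, "out": if_out, "src": src,
                      "dst": dst, "comment": comment.group(1) if comment else "",
                      "dport": (int(ports.group(1)), int(ports.group(2) or ports.group(1))) if ports else None})
    return rules

def unwanted_defaults(rules: list, disallowed: set) -> list:
    """disallowed holds (prot, port) pairs, port None meaning any port.
    Returns (prot, dport-range) for each default ACCEPT rule opening such a service."""
    hits = []
    for r in rules:
        if r["comment"] != "DEFAULTHIDE99" or r["target"] != "ACCEPT":
            continue
        for prot, port in disallowed:
            if r["prot"] == prot and (port is None or (r["dport"] and r["dport"][0] <= port <= r["dport"][1])):
                hits.append((r["prot"], r["dport"]))
                break
    return hits

def demo() -> list:
    """Constructed policy: no ping and no IPsec (ESP, UDP/500, UDP/4500)."""
    policy = {("icmp", None), ("esp", None), ("udp", 500), ("udp", 4500)}
    return unwanted_defaults(parse_input_list(SAMPLE), policy)
```

Running the same check after firewall-disable input icmp should no longer list the icmp entry.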