Advanced firewall features

Content filtering with string matching

Content filtering feature can be optionally used for simple URL blocking and malicious content filter. However, do take note below limitations:

- mbox content filtering scans and drops unwanted packets, whether the packets are from body text or URL requests. So if the string pattern appears in the body text, the packet will be dropped as well.
- if the string pattern happens to be splitted into two packets, it will not be matched
- if the string contains space, we need to use “ “ to include the whole contents together.

CONFIGURATION EXAMPLES

filter anything containing “playboy.com”, will match both URI and bodytext

!firewall-access 1 deny outbound eth0 tcp src 192.168.1.0/24 string playboy.comfirewall-access 2 deny outbound eth0 tcp src 192.168.1.0/24 string games.com!

deny vulnerability scan to web server

!firewall-access 3 deny inbound eth0 tcp dst 172.16.1.3 dport 80 string "GET /w00tw00t.at.ISC.SANS."!

deny malicious url attack to an web server

!firewall-access 4 deny inbound eth0 tcp dst 172.16.1.3 string “download?file=%2e%2e”!mbox# show firewall access-list pkts bytes target prot opt in out source destination------------------------------------------------------------------------------ 0 0 DROP all -- * eth0 0.0.0.0/0 0.0.0.0/0 /* access-list 1 */ state NEW STRING match "playboy.com" ALGO name bm TO 65535 0 0 DROP all -- * eth0 0.0.0.0/0 0.0.0.0/0 /* access-list 2 */ state NEW STRING match "games.com" ALGO name bm TO 65535 0 0 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0 /* access-list 3 */ state NEW STRING match "GET /w00tw00t.at.ISC.SANS." 0 0 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0 /* access-list 4 */ state NEW STRING match "download?file=%2e%2e"

DDoS prevention with rate limiting

mbox can limit packets passing through mbox at desirable rate to suppress some busty connections or prevent volumetric-based DDoS attacks. The simplest way to prevent volumetric-based DDoS attack is to limit per host/connection bandwidth usage so that the packets coming in or towards a target destination will not be overwhelmed.

CONFIGURATION EXAMPLES

limit “100 packets per second for every host in 192.168.1.0/24”

!firewall-limit 2 pps 100 10 all ip src 192.168.1.0/24firewall-limit 3 pps 100 10 all ip dst 192.168.1.0/24!

MAC address filtering

mbox can deny/permit specific hosts based on host MAC address (source host). Use the src_mac option.

Below example prevents host access through mbox. if you want to prevent the host to access sources on mbox (eg. ssh, http, etc), use firewall-input rules.

!firewall-access 10 deny all src_mac 18:5e:0f:70:e2:02 firewall-access 999 permit all!

Disable default firewall rules

mbox comes with a default set of firewall rules loaded when it boots up. Whatever new rules added from CLI are appended behind default rules. You can use "show firewall input-list all" or "show firewall access-list all" to view the default rules. The default rules are remarked as "DEFAULTHIDE99", for example

mbox# show firewall input-list all Chain INPUT (policy DROP 326 packets, 44656 bytes) 5297 792K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */ state RELATED,ESTABLISHED 2 104 ACCEPT tcp -- * * 49.128.58.64/28 0.0.0.0/0 /* DEFAULTHIDE99 */ tcp 12 4006 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */ udp dpts:67:68 0 0 ACCEPT all -- * * 0.0.0.0/0 224.0.0.18 /* DEFAULTHIDE99 */ 0 0 ACCEPT all -- * * 0.0.0.0/0 224.0.0.5 /* DEFAULTHIDE99 */ 0 0 ACCEPT all -- * * 0.0.0.0/0 224.0.0.6 /* DEFAULTHIDE99 */ 0 0 ACCEPT 112 -- * * 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */ 0 0 ACCEPT 97 -- * * 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */ 5 7500 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */ 0 0 ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */ 0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */ 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */ udp dpt:500 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */ udp dpt:4500 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */ tcp dpt:8080 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */ tcp dpt:8443 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */ udp dpts:3478:3479 273 16036 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* DEFAULTHIDE99 */ 0 0 ACCEPT all -- eth2 * 0.0.0.0/0 0.0.0.0/0 /* input-list 100 */mbox#

Note the default firewall rules are essential to permit some default services, however, sometimes it may be disirable to disable some default services due to coorporate security policy. For example, you may want to disable ping/ICMP and don't want to allow IPSec (ESP, UDP/500) etc. So we can use firewall-disable CLI to remove the default rules,

below rule disables ICMP ping to mbox itself.

!firewall-disable input icmp!