Overview
The Clavister NetShield Firewall has the ability to Blacklist and Whitelist certain IP addresses. Traffic from a blacklisted IP is dropped by cOS Stream. Traffic from a whitelisted IP address is never blacklisted. The sections that follow discuss these two functions in depth.
Overview
The Clavister NetShield Firewall implements a Blacklist of traffic types which can be utilized to protect against traffic coming from specific Internet sources. Certain subsystems have the ability to optionally blacklist an IP address when certain conditions are encountered. These subsystems are:
Note: A system restart will empty the blacklist
The contents of the blacklist are lost between system restarts.
Blacklist Entry Data
Each entry in the blacklist holds the following set of data fields:

SourceInterface - The source interface of the blacklisted traffic.
SourceIP - The source IP address of the blacklisted traffic. This must be a single IP address.
DestinationIP - The destination IP of the blacklisted traffic. If specified manually this must be a single IP address. This property will take a default value of all-nets if not specified.
Proto - The protocol of the blacklisted traffic. When adding a blacklist entry manually, the entry will not be added if an invalid protocol is specified.
Port/ID - The port of the blacklisted traffic where the port is applicable (such as for TCP or UDP traffic). For ICMP traffic, the ID can be specified instead.
Timeout - The number of remaining seconds an entry will remain on the list. If available, this value comes from the triggering object. A value of zero means an indefinite timeout, in which case it is displayed as n/a and the entry can only be removed manually or through a system restart.
Trigger Object - The name of the configuration object that added the blacklist entry.
Trigger System - The subsystem that added the entry. For example, the Threshold subsystem. This will say CLI if the entry was added manually.
When a rule, such as a threshold rule, is the triggering object and its action specifies to blacklist the traffic, an entry in the blacklist is created and many of the properties listed above are assigned the corresponding values from the triggering object.
The Service object used in the triggering object is not copied directly to the blacklist entry. Instead, it is broken down into its components and these are assigned to the Proto and Port properties of the blacklist entry. This is because the entries in the blacklist are not configuration objects as they are with the whitelist.
The administrator can manually add, list and delete blacklist entries using the CLI command blacklist. It is also possible to display the entries in the Whitelist configuration object but not edit it. Editing the whitelist is discussed in Section 25.2, Whitelisting. The basic form of the command without options will list both the current blacklist and whitelist:

System:/> blacklist

Whitelisted Addresses
Source Interface  Source IP     Destination IP  Service
----------------  ------------  --------------  -------
if1               203.0.113.9   all-nets        all_tcp

Blacklisted Addresses
        Source  Source        Dest       Dest                Trigger    Trigger
Proto   Iface   IP            IP         Port/ID   Timeout   System     Object
------  ------  ------------  ---------  --------  --------  ---------  -------
ALL     if1     203.0.113.1   all-nets   0-65535   n/a       CLI        n/a
To get just the blacklist or just the whitelist, use the -show=blacklist or -show=whitelist options:
System:/> blacklist -show=blacklist
The option -show=all is the same as blacklist with no options.
Manually Adding a Blacklist Entry
To manually add a blacklist entry, use the -add option. The following command blocks the source IPv4 address 203.0.113.2 arriving at the if1 interface:

System:/> blacklist -add -srciface=if1 -srcip=203.0.113.2
Added entry to blacklist:
        Source   Source        Dest       Dest
Proto   Iface    IP            IP         Port/ID    Timeout
------  -------  ------------  ---------  ---------  -------
ALL     if1      203.0.113.2   all-nets   0-65535    n/a
The source address could instead have been specified as an address object, here called my_bad_src_address:

System:/> blacklist -add -srciface=if1 -srcip=my_bad_src_address

Note that in either case, only a single IPv4 or IPv6 address can be specified as the source IP. A range or network cannot be specified.
Also, as a minimum, the -srcip and -srciface options must both be specified when adding a blacklist entry. The destination IP will default to all-nets if not specified and the Proto and Port properties will match all protocols if not specified (as shown in the example above).
Manually adding whitelist entries is done by adding WhitelistRule objects as children of the predefined Whitelist configuration object. This is discussed in Section 25.2, Whitelisting.
Manually Removing a Blacklist Entry
It is possible to manually remove a blacklist entry with the -remove option. Like adding an entry, at least the -srciface and -srcip options must be specified:

System:/> blacklist -remove -srciface=if1 -srcip=203.0.113.2
Searching for Blacklist Entries
The -lookup option will list blacklist entries that match a set of criteria. To display all entries with a source IP of 203.0.113.2, the command would be the following:

System:/> blacklist -lookup -srcip=203.0.113.2
Matched Blacklist Entries
        Source  Source        Dest      Dest               Trigger    Trigger
Proto   Iface   IP            IP        Port/ID  Timeout   System     Object
-----   ------  -----------   --------  -------  -------   ---------  -------
ALL     if1     203.0.113.2   all-nets  138      42        Threshold  myrule1
When a new blacklist entry is added, cOS Stream searches the existing entries to make sure that it is not a duplicate of an existing entry. A duplicate means that all parameters are the same except for the timeout. When a duplicate is detected, the entry with the longer timeout is retained in the list and the one with the shorter timeout is discarded.
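The entry fields listed earlier, the single-address rule for the source IP, the -add, -remove and -lookup operations and the duplicate rule just described, modelled together as an added Python example. This is not cOS Stream code; the accepted protocol name set, the constructed address-object table, and the choice to treat an indefinite (zero) timeout as longer than any finite timeout when resolving a duplicate are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, replace

# Added example, not cOS Stream code: a small model of the blacklist semantics
# the page describes (entry fields, single-address sources, invalid protocol
# rejection, duplicate rule, timeouts, lookup).

INDEFINITE = 0                                  # page: zero timeout = indefinite, shown as "n/a"
VALID_PROTOS = {"ALL", "TCP", "UDP", "ICMP"}    # assumption: accepted protocol names

# Constructed address book standing in for configured single-address objects.
ADDRESS_OBJECTS = {"my_bad_src_address": "203.0.113.2"}


def resolve_source_ip(value):
    """Accept a single IPv4/IPv6 literal or the name of a single-address object.
    Ranges and networks are rejected, as the page requires for the source IP."""
    value = ADDRESS_OBJECTS.get(value, value)
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        raise ValueError(f"source IP must be a single address, got {value!r}")


@dataclass(frozen=True)
class Entry:
    src_iface: str
    src_ip: str
    dst_ip: str = "all-nets"       # page default when not specified
    proto: str = "ALL"             # page: matches all protocols when not specified
    port: str = "0-65535"
    timeout: int = INDEFINITE
    trigger_system: str = "CLI"    # page: manual entries show CLI
    trigger_object: str = "n/a"

    def key(self):
        # A "duplicate" on the page: all parameters equal except the timeout.
        return (self.src_iface, self.src_ip, self.dst_ip, self.proto, self.port)

    def timeout_display(self):
        return "n/a" if self.timeout == INDEFINITE else str(self.timeout)


def _rank(timeout):
    # Assumption: an indefinite timeout counts as longer than any finite one.
    return float("inf") if timeout == INDEFINITE else timeout


class Blacklist:
    def __init__(self):
        self._entries = {}   # Entry.key() -> Entry

    def add(self, src_iface, src_ip, **extra):
        """The -add option: reject an invalid protocol (entry not added); on a
        duplicate keep whichever entry has the longer timeout. Returns the
        entry now held for that key."""
        proto = extra.get("proto", "ALL")
        if proto not in VALID_PROTOS:
            raise ValueError(f"invalid protocol {proto!r}; entry not added")
        entry = Entry(src_iface, resolve_source_ip(src_ip), **extra)
        held = self._entries.get(entry.key())
        if held is None or _rank(entry.timeout) > _rank(held.timeout):
            self._entries[entry.key()] = entry
        return self._entries[entry.key()]

    def remove(self, src_iface, src_ip, dst_ip="all-nets", proto="ALL", port="0-65535"):
        """The -remove option: returns the removed entry, or None if absent."""
        key = (src_iface, resolve_source_ip(src_ip), dst_ip, proto, port)
        return self._entries.pop(key, None)

    def lookup(self, **criteria):
        """The -lookup option: entries whose fields match every given criterion."""
        return [e for e in self._entries.values()
                if all(getattr(e, k) == v for k, v in criteria.items())]

    def tick(self, seconds):
        """Advance time: finite timeouts count down and expire; indefinite stay."""
        kept = {}
        for k, e in self._entries.items():
            if e.timeout == INDEFINITE:
                kept[k] = e
            elif e.timeout > seconds:
                kept[k] = replace(e, timeout=e.timeout - seconds)
        self._entries = kept

    def entries(self):
        return list(self._entries.values())


if __name__ == "__main__":
    bl = Blacklist()
    bl.add("if1", "my_bad_src_address")                      # manual, indefinite
    bl.add("if1", "203.0.113.2", proto="UDP", port="138", timeout=42,
           trigger_system="Threshold", trigger_object="myrule1")
    for e in bl.lookup(src_ip="203.0.113.2"):
        print(e.proto, e.src_iface, e.src_ip, e.dst_ip, e.port,
              e.timeout_display(), e.trigger_system, e.trigger_object)
```

The duplicate check keys on every field except the timeout, so the manual all-protocol entry and the Threshold-triggered UDP/138 entry for the same source coexist, while re-adding the UDP/138 entry with a shorter timeout leaves the longer one in place.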