| Home Prev |  NetShield 6000 Series Getting Started Guide
|
Next |
|---|
This section describes manually setting up public Internet access using the CLI and IPv4 addresses.
For this setup, it will be assumed that the G2 interface will be used for connection to the public Internet and the G1 interface will be used for connection to an internal, local network. However, any of the available Ethernet interfaces could be used for these purposes.
The first step is to set up a number of IPv4 address objects. If the interface used for Internet connection is G2 then this will have the IP address 203.0.113.10 which belongs to the network 203.0.113.0/24. It is also assumed that the ISP gateway's IPv4 address is 203.0.113.1.
![[Note]](images/note.png) |
Note |
|---|---|
|
Each installation's IP addresses for Internet connection will be different from the example IP addresses used in this section. |
Set the IP address of the G2 interface:
Device:/> set Address IPAddress G2_ip Address=203.0.113.10Also, set the network for this interface:
Device:/> set Address IPAddress G2_net Address=203.0.113.0/24In addition, it is recommended to set the broadcast IP address for the interface:
Device:/> set Address IPAddress G2_broadcast Address=203.0.113.255If the broadcast address is not set, it will take the default value of 127.0.2.255.
It is recommended to verify the properties of the G2 interface with the following command:
Device:/> show Interface EthernetInterface G2The typical output from this command will be similar to the following:
Property Value
----------------------------- --------------------
Name: G2
EthernetAddress: 0:<empty> 1:<empty>
HAType: Critical
MonitorTargets: <empty>
Backplane: No
EthernetDevice: 0:G2 1:<empty>
VLANOutboundPrio: 0
VLANOutboundPrioPolicy: Set (Set priority)
PrivateIP: 0:<empty> 1:<empty>
RouterAdvertisementProfile: DefaultProfile
MTU: 1500
IPAddress: G2_ip
IP4Broadcast: G2_broadcast
RoutingTableMembership: <all>
SecurityEquivalentInterfaces: <empty>
UseDHCP: <empty>
Comments: <empty>
Next, add an all-nets-ip4 route to the main routing table. This will route outgoing IPv4 Internet traffic through the G2 interface. This Route object must also specify the IP address of the ISPs gateway (the next router hop), so an IP address object needs to be created for this. If we call the object wan_gw, the command would be:
Device:/> add Address IPAddress wan_gw Address=203.0.113.1Now, create the route. This is done by changing the CLI context to be main routing table:
Device:/> cc RoutingTable mainThen, add the route to this routing table:
Device:/RoutingTable/main> add Route
Interface=G2
Network=all-nets-ip4
Gateway=wan_gwChange back to the default context:
Device:/RoutingTable/main>ccDevice:/>
Even though an all-nets-ip4 route exists, no traffic can flow without the addition of at least one IPRule object to allow the flow. Assume that web browsing to the Internet is to be allowed from the protected network on the interface G1. To do this, add an IP rule called lan_to_wan.
A default cOS Stream IP rule set called main always exists by default. Change the CLI context to be this rule set:
Device:/>cc RuleSet IPRuleSet mainDevice:/IPRuleSet/main>
Now, add the required IPRule object:
Device:/IPRuleSet/main> add IPRule
Action=Allow
SourceInterface=G1
SourceNetwork=G1_net
DestinationInterface=G2
DestinationNetwork=all-nets
Service=http
Name=lan_to_wan
This IP rule would be correct if the internal network hosts have public IPv4 addresses but in most scenarios this will not be true and internal hosts will have private IPv4 addresses. In that case, we must use NAT to send out traffic so that the apparent source IP address is the IP of the interface connected to the ISP. To do this, keep the Action property as Allow but add the SourceTranslation and SetSourceAddress properties to specify that NAT will be used and the address of the outgoing interface will be used as the source address:
Device:/IPRuleSet/main> add IPRule
Action=Allow
SourceInterface=G1
SourceNetwork=G1_net
DestinationInterface=G2
DestinationNetwork=all-nets
Service=http
SourceTranslation=NAT
SetSourceAddress=InterfaceAddress
Name=lan_to_wan
The service used in the IP rule is http and this will allow basic web browsing. Note that this service does not include the HTTPS protocol, so a custom service will need to be created for HTTPS and then this is used in a new ServiceGroup object which will be associated with an IP rule.
The http service also does not include the DNS protocol to resolve URIs into IP addresses. For configuration clarity, it is recommended to create a separate IP rule for DNS:
Device:/IPRuleSet/main> add IPRule
Action=Allow
SourceInterface=G1
SourceNetwork=G1_net
DestinationInterface=G2
DestinationNetwork=all-nets
Service=dns-all
SourceTranslation=NAT
SetSourceAddress=InterfaceAddress
Name=lan_to_wan_dns
Finally, change the CLI context back to the default context (this is sometimes called the root context):
Device:/IPRuleSet/main>ccDevice:/>
When adding IP rules later in this section, the changing between CLI contexts will not be explicitly stated. The context is indicated by the command prompt.
It is recommended that at least one DNS server is also defined in cOS Stream. This DNS server or servers (a maximum of three can be configured) will be used when cOS Stream itself needs to resolve URIs, which will be the case when a URI is specified in a configuration instead of an IP address. If we assume IP address objects called dns1_address and dns2_address have already been defined, the command to specify these as DNS servers is:
Device:/> set DNS DNSServers=dns1_address,dns2_address
Activating and Committing Changes
After any changes are made to a cOS Stream configuration, they will be saved as a new configuration but will not yet be activated. To activate all the configuration changes made since the last activation of a new configuration, the following command must be issued:Device:/> activateDevice:/> commitDHCP Server Setup
If the Clavister Firewall is to act as a DHCP server then this can be set up in the following way:First, define an IPv4 address object with the address range that will be handed out. Here, we will use the IPv4 range 192.168.1.10 - 192.168.1.20 as an example and this range will be available on the G1 interface which is connected to the protected internal network:
Device:/> add Address IPAddress dhcp_range
Address=192.168.1.10-192.168.1.20A DHCPServerRule is now configured using this IP address object for the relevant interface. In this case the G1 interface:
Change the CLI context to be DHCPServer:
Device:/> cc DHCPServerAdd a DHCPServerRule object:
Device:/DHCPServer> add DHCPServerRule my_dhcp_clients
IPAddressPool=dhcp_range
Interface=G1
Netmask=255.255.255.0
DefaultGateway=G1_ip
DNS1=dns1_addressChange back to the default context:
Device:/DHCPServer>ccDevice:/>
It is assumed that the IP address object dns1_address for the DNS server was created previously.
It is important to specify the default gateway for the DHCP server since this will be handed out to DHCP clients on the internal network so that they know where to find the public Internet. The default gateway is always the IP address of the interface on which the DHCP server is configured. In this case, the address G1_ip.
NTP Server Setup
Network Time Protocol (NTP) servers can optionally be configured to maintain the accuracy of the system date and time. The following commands set up synchronization with the NTP server at IPv4 address 10.5.4.76:Device:/> set DateTime TimeSyncEnabled=YesAdd the time server:Device:/>cc DateTimeDevice:/DateTime>
Device:/DateTime> add TimeServer IP=10.5.4.76 Name=my_tsrvDevice:/DateTime>ccDevice:/>
Syslog Server Setup
Although logging may be enabled, no log messages are captured unless a server is set up to receive them and Syslog is the most common server type. If the Syslog server's address is 192.0.2.55 then the command to create a log receiver object called my_syslog which enables logging is:Device:/> add LogReceiverSyslog my_syslog IPAddress=192.0.2.55Allowing ICMP Ping Requests
As a further example of setting up IP rules, it can be useful to allow ICMP Ping requests to flow through the firewall. It should be remembered that cOS Stream will drop any traffic unless an IP rule explicitly allows it. Let us suppose that we wish to allow the pinging of external hosts on the Internet by computers on the internal network G1_net network.To set this up, add an IPRule object called allow_ping_outbound. This will be done in the IPRuleSet/main CLI context:
Device:/IPRuleSet/main> add IPRule
Action=Allow
SourceInterface=G1
SourceNetwork=G1_net
DestinationInterface=G2
DestinationNetwork=all-nets
Service=ping-outbound
SourceTranslation=NAT
SetSourceAddress=InterfaceAddress
Name=allow_ping_outbound
The IP rule again has the NAT action and this is necessary if the protected local hosts have private IPv4 addresses. The ICMP requests will be sent out from the Clavister Firewall with the IP address of the interface connected to the ISP as the source interface. Responding hosts will send back ICMP responses to this single IP and cOS Stream will then forward the response to the correct private IP address.
Adding a Drop All Rule
Scanning of the IP rule set is done in a top-down fashion. If no matching IP rule is found for a new connection then the default rule is triggered. This rule is hidden and cannot be changed and its action is to drop all such traffic as well as generate a log message for the drop.In order to gain control over the logging of dropped traffic, it is recommended to create a drop all rule as the last rule in the main IP rule set. This rule has an Action of Drop with the source and destination network set to all-nets and the source and destination interface set to any.
The service for this rule must also be specified and this should be set to all_services in order to capture all types of traffic. The command for creating this rule in the IPRuleSet/main CLI context is the following:
Device:/IPRuleSet/main> add IPRule
Action=Deny
SourceInterface=any
SourceNetwork=all-nets
DestinationInterface=any
DestinationNetwork=all-nets
Service=all_services
OnDeny=DropSilent
Name=drop_all
