Objectives: As a Brocade Certified vRouter Engineer, you must be able to demonstrate the ability to install, configure and troubleshoot features of Brocade Vyatta Network OS.
Target: This course is for anyone tasked with configuring or managing the Brocade Vyatta vRouter. It is also for those who are preparing to take the BCVRE Certification Exam.
Course prerequisites: Before taking these bundled courses, students should have basic IT networking experience, including working knowledge of TCP/IP.
- Stateful firewalls
- The Firewall Rulebase
- State-Based Rules
- Applying Rulebases
A firewall is a device that blocks unwanted traffic from entering your network.
Stateful firewalls differ from a traditional router access list in two ways:
- Firewall tracks information about sessions between devices, and not just individual packets.
The first packet in a session passes through the firewall rules. If the rules permit the traffic, the firewall not only passes the traffic, but adds information about the session to its session table, called the conntrack table in the vRouter.
- All other packets in the session match the entry in the session table and are permitted without having to look at the firewall rules again.
Stateful firewalls can also automatically allow the reverse-direction flow of a session without needing any additional rules.
vRouter packet processing
In the vRouter, the firewall filtering function occurs after destination NAT and the routing lookup, but before source NAT. When configuring firewall filter rules, you need to consider whether the traffic you want to filter is being translated in order to configure the correct addresses in your rules.
The Firewall Rulebase
A firewall rulebase is simply a list of individual firewall rules. Each rule includes:
- Match criteria: the traffic you want to filter
  - Source and destination addresses
  - Source and destination ports
- Action: the action to take on a packet that matches the filter
In the vRouter, each rulebase has a unique name. You can create as many different rulebases as you need to support your security requirements, and can apply the same rulebase to multiple locations.
Each rulebase is an ordered list, with each rule having a unique number within the list.
When the vRouter compares a packet with the rulebase, it starts with the first rule in the list, and continues until a match is found.
- Once a match is found, the device performs the action for that rule and does not look any further.
- This means that the order of your list is important.
- You should specify the most specific rules first in the list, then add your more general rules later in the list.
You also need to remember that the default action for a list is to drop traffic, so if a packet arrives at a firewalled interface and does not match a rule, the packet will not go through the router.
Scenario, add Firewall in R2:
- Block PING from R1 to R3
- Allow TELNET from R1 to R3
- Block SSH from R1 to R3
R1 Basic Configuration
R2 Basic Configuration
R3 Basic Configuration
R2 Firewall Configuration
Verify R2 Firewall
vRouter firewall operations are stateful, and you may need to add rules regarding statefulness to your rulebases, depending on the flow of traffic in your network and where you place your firewalls.
On a vRouter, you have two options for applying firewalls:
- Individual interfaces. Each interface can have one rulebase in each direction – one for inbound traffic, and one for outbound traffic.
- Zones. A zone is a group of interfaces. You create the zone and specify which interfaces are included in the zone, then apply the rulebase to the zone.
R2 State Rulebases Configuration
R2 Verify State Rulebases
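A worked R2 configuration for the scenario above (block ping, allow Telnet, block SSH from R1 to R3), with the state rule from the State Rulebases section, added here as an example rather than the study guide's own screenshots. The addresses, the interface name dp0s3, and the 5600-style `security firewall` command tree are assumptions; the exact command tree and the verification commands differ between vRouter releases.

```text
# Assumed topology (constructed): R1 10.0.12.1 --- dp0s3 [R2] dp0s4 --- 10.0.23.3 R3
configure

# Rulebase R1-TO-R3: rules are evaluated in numeric order, first match wins,
# and anything that matches no rule is dropped by the default action.
set security firewall name R1-TO-R3 default-action drop

# Rule 10: allow Telnet from R1 to R3. "state enable" (assumed keyword) adds the
# session to the conntrack table, so reply packets are matched from the table
# rather than re-evaluated against the rulebase.
set security firewall name R1-TO-R3 rule 10 action accept
set security firewall name R1-TO-R3 rule 10 protocol tcp
set security firewall name R1-TO-R3 rule 10 source address 10.0.12.1
set security firewall name R1-TO-R3 rule 10 destination address 10.0.23.3
set security firewall name R1-TO-R3 rule 10 destination port 23
set security firewall name R1-TO-R3 rule 10 state enable

# Rule 20: block ping (ICMP) from R1 to R3.
set security firewall name R1-TO-R3 rule 20 action drop
set security firewall name R1-TO-R3 rule 20 protocol icmp
set security firewall name R1-TO-R3 rule 20 source address 10.0.12.1
set security firewall name R1-TO-R3 rule 20 destination address 10.0.23.3

# Rule 30: block SSH from R1 to R3 explicitly (the default action would also
# drop it, but an explicit rule gives a separate hit counter when verifying).
set security firewall name R1-TO-R3 rule 30 action drop
set security firewall name R1-TO-R3 rule 30 protocol tcp
set security firewall name R1-TO-R3 rule 30 source address 10.0.12.1
set security firewall name R1-TO-R3 rule 30 destination address 10.0.23.3
set security firewall name R1-TO-R3 rule 30 destination port 22

# Apply the rulebase inbound on the interface facing R1: one rulebase per
# interface per direction. Traffic is filtered after destination NAT and the
# routing lookup, so the addresses above are the post-DNAT addresses.
set interfaces dataplane dp0s3 firewall in R1-TO-R3

commit
save
exit

# Verify (command names assumed): rule hit counters and the tracked sessions.
show firewall
show session-table
```

After testing from R1, the Telnet rule counter should increment while ping and SSH attempts land on rules 20 and 30, and only the Telnet session should appear in the session table.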
The End of The Word
That is the information on “Supporting BCVRE Study Guide Chapter 6 Firewalls” that the admin of infosolution.biz can convey. Hope it is useful.