CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Matching Conditions

The device supports various ACL matching conditions. This section describes the commonly used conditions.

Time Range

Format: time-range time-name

All ACLs support packet filtering based on time ranges. For details about time ranges, see Time Range.

Protocol Type Carried by IP

Format: protocol-number | icmp | tcp | udp | gre | igmp | ip | ipinip | ospf

An advanced ACL can filter packets based on protocol types, such as ICMP (protocol number 1), TCP (protocol number 6), UDP (protocol number 17), GRE (protocol number 47), IGMP (protocol number 2), IP (any IP layer protocol), IPinIP (protocol number 4), and OSPF (protocol number 89). The protocol number ranges from 1 to 255.

For example, to block all user traffic on an interface that faces a large number of attackers, specify the protocol type as IP so that every IP packet arriving on the interface is discarded:
rule deny ip  //Deny all IP packets.
After the transparent firewall function is enabled on a device, the transparent firewall discards all packets entering the interzone by default, including service and protocol packets. If the packets of a dynamic routing protocol such as OSPF must pass through the transparent firewall, specify the protocol type as OSPF:
rule permit ospf  //Permit OSPF packets.

Source/Destination IP Addresses and Wildcard Masks

Format of source IP address and wildcard mask: source { source-address source-wildcard | any }

Format of destination IP address and wildcard mask: destination { destination-address destination-wildcard | any }

A basic ACL can filter packets based on source IP addresses; an advanced ACL can filter packets based on both source and destination IP addresses.

When the source and destination IP addresses are specified as matching conditions, the wildcard masks must be specified for them to determine address ranges.

The wildcard mask has the same format as an IPv4 address: a 32-bit value written in dotted decimal, equivalent to the inverse of a subnet mask. It specifies which bits of the IP address are checked: a 0 bit means "check this bit" and a 1 bit means "do not check this bit". A subnet mask must consist of contiguous 1s followed by contiguous 0s, whereas a wildcard mask may have 0s and 1s in any order, so it can select sets of addresses that are not a single prefix.

Two values are special. 255.255.255.255 checks no bit at all and therefore matches any IP address; it is equivalent to the any keyword. 0 (shorthand for 0.0.0.0) checks every bit and therefore matches only the single host address given.

For example, configure a rule with an IP address wildcard mask specified to permit all IP packets from network segment 192.168.1.0/24:

rule 5 permit ip source 192.168.1.0 0.0.0.255

In this rule, the wildcard mask is 0.0.0.255: the first three bytes of the mask are 0, so the corresponding 24 bits of the address are checked; the last byte is 255, so the last 8 bits are ignored. A packet therefore matches when the first 24 bits of its source IP address equal 192.168.1, that is, when it comes from 192.168.1.0/24, and such packets are permitted. Table 5-3 shows how the address range is derived.

Table 5-3  Wildcard mask example

| Item | Decimal | Binary |
| --- | --- | --- |
| Specified IP address | 192.168.1.0 | 11000000.10101000.00000001.00000000 |
| Wildcard mask | 0.0.0.255 | 00000000.00000000.00000000.11111111 |
| Determined address range | 192.168.1.* (* is an integer from 0 to 255) | 11000000.10101000.00000001.xxxxxxxx (x is 0 or 1) |

For more examples of determining an address range by IP address and wildcard mask, see Table 5-4.

Table 5-4  Determining address ranges by IP addresses and wildcard masks

| IP Address | IP Address Wildcard Mask | Determined Address Range |
| --- | --- | --- |
| 0.0.0.0 | 255.255.255.255 | Any IP address |
| 172.18.0.0 | 0.0.255.255 | IP addresses on network segment 172.18.0.0/16 |
| 172.18.5.2 | 0.0.0.0 | Only host address 172.18.5.2 |
| 172.18.8.0 | 0.0.0.7 | IP addresses on network segment 172.18.8.0/29 |
| 172.18.8.8 | 0.0.0.7 | IP addresses on network segment 172.18.8.8/29 |
| 10.1.2.0 | 0.0.254.255 (discontinuous 1s and 0s) | The /24 segments between 10.1.0.0/24 and 10.1.254.0/24 whose third byte is even: 10.1.0.0/24, 10.1.2.0/24, 10.1.4.0/24, 10.1.6.0/24, and so on up to 10.1.254.0/24 |

Source/Destination MAC Addresses and Wildcard Masks

Format of source MAC address and wildcard mask: source-mac source-mac-address [ source-mac-mask ]

Format of destination MAC address and wildcard mask: destination-mac dest-mac-address [ dest-mac-mask ]

Only the Layer 2 ACL can filter packets based on source and destination MAC addresses.

When the source and destination MAC addresses are specified as matching conditions, the wildcard masks can be specified for them to determine address ranges.

The formats of a MAC address wildcard mask and a MAC address are the same. Both of them are in hexadecimal format. A MAC address wildcard mask consists of six bytes (48 bits) to indicate the bits in a MAC address to be checked. Different from those in an IP address wildcard mask, the value 1 in the MAC address wildcard mask indicates "check" and the value 0 indicates "not check." If the wildcard mask is not specified, the default mask ffff-ffff-ffff is used, indicating that every bit in a MAC address is checked.

Table 5-5 illustrates how a MAC address and a wildcard mask determine an address range.

Table 5-5  Determining address ranges by MAC addresses and wildcard masks

| MAC Address | MAC Address Wildcard Mask | Determined Address Range |
| --- | --- | --- |
| 00e0-fc01-0101 | 0000-0000-0000 | Any MAC address |
| 00e0-fc01-0101 | ffff-ffff-ffff | Only 00e0-fc01-0101 |
| 00e0-fc01-0101 | ffff-ffff-0000 | 00e0-fc01-0000 to 00e0-fc01-ffff |

VLAN ID and Mask

Format of outer VLAN ID and mask: vlan-id vlan-id [ vlan-id-mask ]

Format of inner VLAN ID and mask: cvlan-id cvlan-id [ cvlan-id-mask ]

A Layer 2 ACL can filter packets based on outer and inner VLAN IDs.

When the VLAN IDs are configured as matching conditions, the VLAN mask can be specified behind the VLAN IDs to determine a VLAN range.

A VLAN mask is in the hexadecimal format, ranging from 0x0 to 0xFFF. If the VLAN mask is not specified, the default mask 0xFFF is used, indicating that every bit in the VLAN ID is checked.

Table 5-6 illustrates how a VLAN ID and a mask determine a VLAN range.

Table 5-6  Determining VLAN ranges by VLAN IDs and masks

| VLAN ID | VLAN Mask | Determined VLAN Range |
| --- | --- | --- |
| 10 | 0x000 | Any VLAN |
| 10 | 0xFFF | Only VLAN 10 |
| 10 | 0xFF0 | VLAN 1 to VLAN 15 (the low 4 bits are not checked, so every ID from 0x000 to 0x00F matches; 0 is not a valid VLAN ID) |
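To make the three mask conventions concrete, here is an added example in Python (it is not code from this guide or from Huawei) that reproduces the address ranges of Table 5-4, Table 5-5 and Table 5-6 bit by bit, including the discontinuous IPv4 wildcard 0.0.254.255 and the VLAN mask 0xFF0. The function names and the sample addresses are mine; only the standard library is used.

```python
"""Added example, not code from the Huawei guide: the three mask conventions
used by ACL matching conditions, checked bit by bit.  IPv4 wildcard masks
treat a 0 bit as "check"; MAC masks and VLAN masks treat a 1 bit as "check".
Function names and the sample addresses are this example's own."""
import ipaddress


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def ip_matches(packet_addr: str, rule_addr: str, wildcard: str) -> bool:
    """IPv4: bits that are 0 in the wildcard must be equal in both addresses."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(packet_addr) & care) == (_ip(rule_addr) & care)


def cidr_to_wildcard(cidr: str) -> tuple:
    """Turn a prefix such as 192.168.1.0/24 into the (address, wildcard) pair
    written in a rule; the wildcard is the inverse of the subnet mask."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)


def wildcard_is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is a run of 0s followed by a run of 1s, i.e. it
    describes a single prefix.  0.0.254.255 from Table 5-4 is one that is not."""
    w = _ip(wildcard)
    return (w & (w + 1)) == 0


def ip_match_count(wildcard: str) -> int:
    """Number of addresses a rule with this wildcard can match: 2 ** (1 bits)."""
    return 1 << bin(_ip(wildcard)).count("1")


def _mac(mac: str) -> int:
    return int(mac.replace("-", "").replace(":", ""), 16)


def mac_matches(packet_mac: str, rule_mac: str, mask: str = "ffff-ffff-ffff") -> bool:
    """MAC: bits that are 1 in the mask must be equal (opposite convention to IP).
    The default mask checks every bit, as the guide states."""
    m = _mac(mask)
    return (_mac(packet_mac) & m) == (_mac(rule_mac) & m)


def vlan_matches(packet_vlan: int, rule_vlan: int, mask: int = 0xFFF) -> bool:
    """VLAN: 12-bit ID; bits that are 1 in the mask must be equal."""
    return (packet_vlan & mask) == (rule_vlan & mask)


def vlan_range(rule_vlan: int, mask: int = 0xFFF) -> list:
    """All valid VLAN IDs (1 to 4094) selected by rule_vlan/mask."""
    return [v for v in range(1, 4095) if vlan_matches(v, rule_vlan, mask)]


if __name__ == "__main__":
    print(cidr_to_wildcard("192.168.1.0/24"))                 # ('192.168.1.0', '0.0.0.255')
    print(cidr_to_wildcard("172.18.8.8/29"))                  # ('172.18.8.8', '0.0.0.7')
    # Discontinuous wildcard from Table 5-4: only /24s with an even third byte.
    print(ip_matches("10.1.4.9", "10.1.2.0", "0.0.254.255"))  # True
    print(ip_matches("10.1.3.9", "10.1.2.0", "0.0.254.255"))  # False
    print(wildcard_is_contiguous("0.0.254.255"))              # False
    print(mac_matches("00e0-fc01-abcd", "00e0-fc01-0101", "ffff-ffff-0000"))  # True
    print(vlan_range(10, 0xFF0))                              # [1, 2, ..., 15]
```

The wildcard_is_contiguous check is worth running on rules before deployment: a discontinuous wildcard is legal but rarely intended, and a mistyped mask silently widens or narrows the address set.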

TCP/UDP Port Number

Format of source port number: source-port { eq port | gt port | lt port | range port-start port-end }

Format of destination port number: destination-port { eq port | gt port | lt port | range port-start port-end }

When the protocol type of an advanced ACL is specified as TCP or UDP, the device can filter packets based on TCP or UDP source/destination port numbers.

The operators for specifying TCP/UDP port numbers are as follows:
  • eq port: equal to the specified port number.
  • gt port: greater than the specified port number.
  • lt port: less than the specified port number.
  • range port-start port-end: within the range from port-start to port-end. port-start is the first port number and port-end the last port number of the range.

The TCP/UDP port numbers can be represented by numeric or character strings (alias). For example, rule deny tcp destination-port eq 80 can be represented by rule deny tcp destination-port eq www. Table 5-7 and Table 5-8 list the commonly used TCP ports and UDP ports respectively, and provide the corresponding character strings.

Table 5-7  Commonly used TCP ports and character strings

| Port Number | Character String | Protocol | Description |
| --- | --- | --- | --- |
| 7 | echo | Echo | Echo service. |
| 9 | discard | Discard | Null service used for connectivity tests. |
| 13 | daytime | Daytime | Daytime protocol. |
| 19 | chargen | Character Generator | Character Generator Protocol. |
| 20 | ftp-data | FTP data connections | FTP data port. |
| 21 | ftp | File Transfer Protocol (FTP) | FTP control port. |
| 23 | telnet | Telnet | Telnet service. |
| 25 | smtp | Simple Mail Transfer Protocol (SMTP) | SMTP. |
| 37 | time | Time | Time protocol. |
| 43 | whois | Nickname (WHOIS) | Directory service. |
| 49 | tacacs | TAC Access Control System (TACACS) | TACACS login host protocol (terminal access control over TCP/IP). |
| 53 | domain | Domain Name Service (DNS) | Domain name service. |
| 70 | gopher | Gopher | Information index protocol (document searching and indexing on the Internet). |
| 79 | finger | Finger | Queries online user information on a remote host. |
| 80 | www | World Wide Web (HTTP) | HTTP, the protocol used by the WWW service to browse web pages. |
| 101 | hostname | NIC hostname server | Host name service on the NIC machine. |
| 109 | pop2 | Post Office Protocol v2 | Email protocol version 2. |
| 110 | pop3 | Post Office Protocol v3 | Email protocol version 3. |
| 111 | sunrpc | Sun Remote Procedure Call (RPC) | Sun RPC; used to run remote procedures and by the Network File System (NFS). |
| 119 | nntp | Network News Transport Protocol (NNTP) | Retrieval of newsgroup messages; carries USENET. |
| 179 | bgp | Border Gateway Protocol (BGP) | BGP. |
| 194 | irc | Internet Relay Chat (IRC) | IRC protocol. |
| 512 | exec | Exec (rexec) | Remote process execution with password authentication. |
| 513 | login | Login (rlogin) | Remote login. |
| 514 | cmd | Remote commands | Executes non-interactive commands on a remote system (rsh, rcp). |
| 515 | lpd | Printer service | Line Printer Daemon print service. |
| 517 | talk | Talk | Talk protocol (interactive messages between two users). |
| 540 | uucp | Unix-to-Unix Copy Program | Unix-to-Unix copy protocol. |
| 543 | klogin | Kerberos login | Kerberos version 5 remote login. |
| 544 | kshell | Kerberos shell | Kerberos version 5 remote shell. |

Table 5-8  Commonly used UDP ports and character strings

| Port Number | Character String | Protocol | Description |
| --- | --- | --- | --- |
| 7 | echo | Echo | Echo service. |
| 9 | discard | Discard | Null service used for connectivity tests. |
| 37 | time | Time | Time protocol. |
| 42 | nameserver | Host Name Server | Host name service. |
| 53 | dns | Domain Name Service (DNS) | Domain name service. |
| 65 | tacacs-ds | TACACS-Database Service | TACACS database service. |
| 67 | bootps | Bootstrap Protocol Server | BOOTP server; also used by DHCP. |
| 68 | bootpc | Bootstrap Protocol Client | BOOTP client; also used by DHCP. |
| 69 | tftp | Trivial File Transfer Protocol (TFTP) | TFTP. |
| 90 | dnsix | DNSIX Security Attribute Token Map | DoD Network Security for Information Exchange (DNSIX) Security Attribute Token Map. |
| 111 | sunrpc | Sun Remote Procedure Call (RPC) | Sun RPC; used to run remote procedures and by the Network File System (NFS). |
| 123 | ntp | Network Time Protocol (NTP) | NTP; has also been abused by worms. |
| 137 | netbios-ns | NETBIOS Name Service | NetBIOS name service. |
| 138 | netbios-dgm | NETBIOS Datagram Service | NetBIOS datagram service. |
| 139 | netbios-ssn | NETBIOS Session Service | NetBIOS session service. |
| 161 | snmp | SNMP | Simple Network Management Protocol (SNMP). |
| 162 | snmptrap | SNMPTRAP | SNMP trap. |
| 177 | xdmcp | X Display Manager Control Protocol (XDMCP) | XDMCP. |
| 434 | mobilip-ag | MobileIP-Agent | Mobile IP agent. |
| 435 | mobilip-mn | MobileIP-MN | Mobile IP mobile node. |
| 512 | biff | Mail notify | Notifies a user of received mail. |
| 513 | who | Who | Login user list. |
| 514 | syslog | Syslog | UNIX system log service. |
| 517 | talk | Talk | Talk protocol (interactive messages between two users). |
| 520 | rip | Routing Information Protocol | RIP routing protocol. |

TCP Flag

Format: tcp-flag { ack | established | fin | psh | rst | syn | urg }*

When the TCP protocol is specified in an advanced ACL, the device filters packets based on the TCP flag.

A TCP packet header contains six flag bits:
  • URG(100000): indicates that the Urgent pointer field is significant.

  • ACK(010000): indicates that the Acknowledgment field is significant.

  • PSH(001000): push function. Asks to push the buffered data to the receiving application.

  • RST(000100): resets the connection.

  • SYN(000010): synchronizes sequence numbers to initiate a connection.

  • FIN(000001): no more data from sender.

The established keyword matches a packet whose ACK bit (010000) or RST bit (000100) is set; it does not track connections, it only tests those two bits.

An ACL rule with the tcp-flag keyword can implement unidirectional access control. For example, users on network segment 192.168.1.0/24 must be able to access network segment 192.168.2.0/24, but users on 192.168.2.0/24 must not be able to initiate access to 192.168.1.0/24. To meet this requirement, apply an ACL in the inbound direction of the interface connecting to network segment 192.168.2.0/24.

In a TCP connection, only the first packet (the SYN sent by the initiator) has the ACK bit cleared; every later packet of the connection has ACK set, and an abort has RST set. Therefore, permitting only TCP packets with ACK or RST set from 192.168.2.0/24 and denying all other TCP packets from that segment lets the replies to connections opened from 192.168.1.0/24 through while blocking the connection requests initiated from 192.168.2.0/24. Either of the following rule sets does this:

  • Method 1: Use the ack and rst keywords.

    rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack  //Permit TCP packets with ACK set.
    rule 10 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst  //Permit TCP packets with RST set.
    rule 15 deny tcp source 192.168.2.0 0.0.0.255  //Deny all other TCP packets.

  • Method 2: Use the established keyword.

    rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag established  //established matches packets with ACK or RST set, that is, the packets of an already established connection.
    rule deny tcp source 192.168.2.0 0.0.0.255  //Deny all other TCP packets.

This check is stateless: the device does not remember which connections exist, it only inspects flag bits. A host on 192.168.2.0/24 can still send packets with ACK set that belong to no connection (for example, ACK scans), and non-TCP traffic from that segment is not affected by these rules at all. Where genuine connection tracking is required, use a stateful firewall function rather than a tcp-flag ACL.
    

IP Fragmentation

Format: none-first-fragment

A basic ACL and an advanced ACL can filter packets based on IP fragmentation information.

A fragmented IP packet consists of an initial fragment and one or more non-initial fragments. Only the initial fragment carries the Layer 4 header, so only it contains information such as TCP or UDP port numbers. When a device receives a fragment, it checks whether the fragment is the last one; if not, it allocates memory to hold the fragment and reassembles the packet once the last fragment arrives. An attacker can exploit this by sending fragments without ever sending the last one: the device cannot release the memory until reassembly completes, so a large number of such fragments sent in a short period can exhaust memory and stop the device from processing other services. To mitigate this attack, the device starts a reassembly timer for each packet being reassembled. If reassembly has not completed when the timer expires, the device discards the fragments held in memory and returns an ICMP error packet to the sender.

To prevent fragment attacks, specify the none-first-fragment keyword in an ACL rule to block non-initial fragments. A rule with this keyword matches only non-initial fragments, and because those fragments carry no Layer 4 header it can match them only on Layer 3 information.

Table 5-9 describes how the ACLs process non-fragment packets, initial fragments, and non-initial fragments.

Table 5-9  IP packet processing methods

| Matching Conditions | Non-fragment Packets | Initial Fragments | Non-initial Fragments |
| --- | --- | --- | --- |
| Layer 3 information only (such as source/destination IP addresses) | Matched on Layer 3 information: a match returns the rule's result (permit or deny); otherwise the next rule is processed. | Same as for non-fragment packets. | Same as for non-fragment packets. |
| Layer 3 and Layer 4 information (such as TCP/UDP port numbers) | Matched on both Layer 3 and Layer 4 information: a match returns the rule's result (permit or deny); otherwise the next rule is processed. | Same as for non-fragment packets. | Never matches (no Layer 4 header); the next rule is processed. |
| Layer 3 information and none-first-fragment | Never matches; the next rule is processed. | Never matches; the next rule is processed. | Matched on Layer 3 information: a match returns the rule's result (permit or deny); otherwise the next rule is processed. |

For example, ACL 3012 contains the following rules:

#                                   
acl number 3012                                                                 
 rule 5 deny tcp destination 192.168.2.2 0 none-first-fragment                  
 rule 10 permit tcp destination 192.168.2.2 0 destination-port eq www           
 rule 15 deny ip                                                                
#  
  • If the packet is a non-fragment packet or an initial fragment, rule 5 is skipped (none-first-fragment matches only non-initial fragments). If the destination port is 80 (www), the packet matches rule 10 and is permitted; otherwise it matches rule 15 and is discarded.

  • If the packet is a non-initial fragment, it matches rule 5 and is discarded. Rule 5 has to come before any rule that could permit the fragment on Layer 3 information alone: rule 10 cannot match it, because a non-initial fragment has no port number, but if the last rule were permit ip instead of deny ip the fragment would be forwarded.
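The following is an added Python example, not code from this guide or from Huawei, that applies the first-match semantics described above to constructed packets: the one-way TCP access rules for 192.168.2.0/24 from the TCP Flag section (Method 2, with rule numbers of my own) and ACL 3012 together with the fragment rules of Table 5-9. The Packet and Rule types, the sample packets, and the default action for a packet that matches no rule (assumed here to be permit) are this example's own assumptions and are not taken from the guide.

```python
"""Added example (not code from the Huawei guide): a stateless, first-match
ACL evaluator that reproduces the tcp-flag/established behaviour of the
192.168.2.0/24 example and the none-first-fragment behaviour of ACL 3012
and Table 5-9.  Packet/Rule and the sample packets are this example's own."""
from dataclasses import dataclass
import ipaddress
from typing import Optional

# Flag bit values as listed in the TCP Flag section.
URG, ACK, PSH, RST, SYN, FIN = 0b100000, 0b010000, 0b001000, 0b000100, 0b000010, 0b000001
TCP_FLAG_KEYWORDS = {"urg": URG, "ack": ACK, "psh": PSH, "rst": RST, "syn": SYN,
                     "fin": FIN, "established": ACK | RST}  # ACK set or RST set
ANY = ("0.0.0.0", "255.255.255.255")  # address/wildcard pair meaning "any"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None     # None on non-initial fragments (no L4 header)
    flags: int = 0                  # TCP flag bits
    fragment: str = "none"          # "none" | "initial" | "non-initial"


@dataclass
class Rule:
    number: int
    action: str                     # "permit" | "deny"
    proto: str = "ip"               # "ip" matches any IP protocol
    src: tuple = ANY                # (address, wildcard); 0 bits are checked
    dst: tuple = ANY
    dport: Optional[int] = None     # destination-port eq <dport>
    tcp_flag: Optional[str] = None  # one keyword from TCP_FLAG_KEYWORDS
    none_first_fragment: bool = False


def wildcard_match(addr: str, spec: tuple) -> bool:
    rule_addr, wildcard = spec
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(rule_addr)) & care)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Table 5-9: none-first-fragment matches only non-initial fragments, and a
    rule with Layer 4 conditions (port, TCP flag) never matches one."""
    if rule.none_first_fragment and pkt.fragment != "non-initial":
        return False
    if (rule.dport is not None or rule.tcp_flag is not None) and pkt.fragment == "non-initial":
        return False
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, rule.src) and wildcard_match(pkt.dst, rule.dst)):
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.tcp_flag is not None and not (pkt.flags & TCP_FLAG_KEYWORDS[rule.tcp_flag]):
        return False
    return True


def evaluate(acl: list, pkt: Packet, default: str = "permit") -> tuple:
    """Return (rule number, action) of the first matching rule, or (None, default).
    The default for unmatched packets is an assumption of this example."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.number, rule.action
    return None, default


# Method 2 of the TCP Flag section, applied inbound on the interface facing 192.168.2.0/24.
TCP_ONE_WAY = [
    Rule(5, "permit", "tcp", src=("192.168.2.0", "0.0.0.255"), tcp_flag="established"),
    Rule(10, "deny", "tcp", src=("192.168.2.0", "0.0.0.255")),
]

# ACL 3012 from the IP Fragmentation section.
ACL_3012 = [
    Rule(5, "deny", "tcp", dst=("192.168.2.2", "0.0.0.0"), none_first_fragment=True),
    Rule(10, "permit", "tcp", dst=("192.168.2.2", "0.0.0.0"), dport=80),
    Rule(15, "deny", "ip"),
]

# Variant without the fragment rule and with a permissive tail: shows why rule 5
# matters when a later Layer 3-only rule would otherwise permit the fragments.
ACL_NO_FRAGMENT_RULE = [
    Rule(10, "permit", "tcp", dst=("192.168.2.2", "0.0.0.0"), dport=80),
    Rule(15, "permit", "ip"),
]

if __name__ == "__main__":
    # Constructed packets, not captured traffic.
    print(evaluate(TCP_ONE_WAY, Packet("192.168.2.5", "192.168.1.7", "tcp", 80, SYN)))           # (10, 'deny')
    print(evaluate(TCP_ONE_WAY, Packet("192.168.2.5", "192.168.1.7", "tcp", 50000, SYN | ACK)))  # (5, 'permit')
    # Caveat: the check is stateless, so a forged ACK-only probe from 192.168.2.0/24 also passes.
    print(evaluate(TCP_ONE_WAY, Packet("192.168.2.5", "192.168.1.7", "tcp", 80, ACK)))           # (5, 'permit')
    frag = Packet("10.0.0.1", "192.168.2.2", "tcp", fragment="non-initial")
    print(evaluate(ACL_3012, frag))              # (5, 'deny')
    print(evaluate(ACL_NO_FRAGMENT_RULE, frag))  # (15, 'permit')
```

The evaluator makes two practitioner points visible: the established keyword passes any packet with ACK set, whether or not a connection exists, and a none-first-fragment rule only protects the hosts behind it if it is ordered before the rule that would otherwise permit the fragment.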

Updated: 2019-05-20

Document ID: EDOC1100034077
