- Foundry Router User Guide
Foundry AR-Series Router User Guide
15 - 52 © 2004 Foundry Networks, Inc. June 2004
Foundry/configure#
Foundry/configure/firewall corp#
Foundry/configure/firewall corp#
Foundry/configure/firewall corp# policy 1024 out
Foundry/configure/firewall corp/policy 1024 out# exit
Foundry/configure/firewall corp# policy 1021 in deny
Foundry/configure/firewall corp/policy 1021 in# exit
Foundry/configure/firewall corp# object
Foundry/configure/firewall corp/object# http-filter javadeny deny *.java
Foundry/configure/firewall corp/object# exit
Foundry/configure/firewall corp# policy 1024 out nat-ip 193.168.94.220
Foundry/configure/firewall corp/policy 1024 out# apply-object http-filter javadeny
Foundry/configure/firewall corp/policy 1024 out# exit
Foundry/configure/firewall corp# exit

Step 5: Verify the firewall policy for Security Zone CORP:

Foundry/configure# show firewall policy corp
Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter,
          R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging,
          E - Policy Enabled, M - Smtp-Filter
Pri  Dir Source Addr Destination Addr Sport Dport Proto Action Advanced
---  --- ----------- ---------------- ----- ----- ----- ------ --------
1021 in  any         any              any   any   any   DENY   E
1022 out any         any              any   any   any   PERMIT SE
1023 in  any         any              any   any   any   PERMIT SE
1024 out any         any              any   any   any   PERMIT HNE

Step 6: Verify that the HTTP filter object in Security Zone CORP is created as configured:

Foundry/configure# show firewall object http-filter corp
Object Name Action Log File Extensions
----------- ------ --- ---------------
javadeny    deny   no  *.java
Foundry/configure#

Step 7: Create policies for Security Zone DMZ that:
• Create an object of type nat-pool with the private IP address of the FTP server
• Create an object of type ftp-filter to deny put and mkdir commands
• Create a firewall policy of priority 100 to allow inbound traffic to the FTP server public IP address (193.168.94.221)
• Modify policy 100 to add the NAT pool object to translate incoming traffic for the FTP server from public IP to private IP.
• Modify policy 100 to add an FTP filter.
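
The verification in Step 5 can be automated. The following Python code is an added example, not part of the Foundry guide: it parses captured `show firewall policy corp` output, decodes the Advanced column using the legend the router prints, and compares the result with the intended configuration. The names `parse_policies` and `audit` and the short flag names are this example's own; it assumes every column holds a single token, as in the output above.

```python
import re

# Letters from the "Advanced" legend printed by `show firewall policy`.
FLAGS = {"S": "self-traffic", "F": "ftp-filter", "H": "http-filter",
         "R": "rpc-filter", "N": "nat", "L": "logging",
         "E": "enabled", "M": "smtp-filter"}

# Pri Dir Src Dst Sport Dport Proto Action Advanced. Assumption: every
# column is a single whitespace-free token, as in the output shown here.
ROW = re.compile(r"(\d+)\s+(in|out)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
                 r"\s+(PERMIT|DENY)\s+([A-Z]+)")

# Header and the four policy rows from the Step 5 output on this page.
SAMPLE = """\
Pri Dir Source Addr Destination Addr Sport Dport Proto Action Advanced
1021 in any any any any any DENY E
1022 out any any any any any PERMIT SE
1023 in any any any any any PERMIT SE
1024 out any any any any any PERMIT HNE
"""

def parse_policies(text):
    """Map (priority, direction) -> {'action': str, 'flags': set of names}."""
    policies = {}
    for line in text.splitlines():
        m = ROW.fullmatch(line.strip())
        if not m:
            continue  # legend, header, separator or prompt line
        unknown = set(m.group(9)) - set(FLAGS)
        if unknown:
            raise ValueError(f"unknown flag(s) {sorted(unknown)} in {line!r}")
        policies[int(m.group(1)), m.group(2)] = {
            "action": m.group(8), "flags": {FLAGS[c] for c in m.group(9)}}
    return policies

def audit(policies, expected):
    """expected: (priority, direction) -> (action, required flag names).
    Returns a list of human-readable discrepancies (empty means OK)."""
    problems = []
    for (pri, direction), (action, required) in sorted(expected.items()):
        got = policies.get((pri, direction))
        if got is None:
            problems.append(f"{pri} {direction}: policy missing")
            continue
        if got["action"] != action:
            problems.append(f"{pri} {direction}: action is {got['action']}")
        for flag in sorted(required - got["flags"]):
            problems.append(f"{pri} {direction}: {flag} not applied")
    return problems
```

For the configuration entered above, the expectation for policy 1024 out is PERMIT with `http-filter`, `nat` and `enabled`; an empty list from `audit` means the router state matches.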