3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide
102 CHAPTER 7: FIREWALL CONFIGURATION
# Add the sub-interface of the internal network to the trust zone.
[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit
# Add the sub-interface of the external network to the untrust zone.
[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit
# Configure the static route.
[secblade] ip route-static 0.0.0.0 0 50.0.0.1
[secblade] ip route-static 15.0.0.0 24 30.0.0.1
[secblade] ip route-static 20.0.0.0 24 30.0.0.1
# Enable the firewall on the Firewall module.
[secblade] firewall packet-filter enable
# Create ACL 3002.
[secblade] acl number 3002
# Permit only the specific external user (210.1.5.1) to reach the internal server (20.0.0.1) on HTTP and SMTP, and deny it access to all other internal resources.
[secblade-acl-adv-3002] rule permit tcp source 210.1.5.1 0 destination 20.0.0.1 0 destination-port eq 80
[secblade-acl-adv-3002] rule permit tcp source 210.1.5.1 0 destination 20.0.0.1 0 destination-port eq 25
[secblade-acl-adv-3002] rule deny ip
[secblade-acl-adv-3002] quit
# Apply ACL 3002 to the inbound data stream of the external sub-interface.
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] firewall packet-filter 3002 inbound
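To make the first-match behaviour of ACL 3002 concrete, the following Python model is an added example (not code from the 3Com guide) that evaluates constructed packets against the three rules above using Comware-style wildcard masks, where a wildcard of 0 (0.0.0.0) means the address must match exactly; the Rule class, evaluate function and sample packets are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: Optional[str]        # "tcp", "udp", or None for "ip" (any protocol)
    src: str = "0.0.0.0"
    src_wild: str = "255.255.255.255"   # all bits ignored = any source
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"
    dport: Optional[int] = None         # destination-port eq <n>, None = any

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Bits set in the wildcard are ignored; the remaining bits must be equal."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    keep = ~w & 0xFFFFFFFF
    return (a & keep) == (b & keep)

# Constructed model of ACL 3002 from the configuration above; the CLI's "0"
# wildcard is written out as 0.0.0.0 (exact-match).
ACL_3002: List[Rule] = [
    Rule("permit", "tcp", "210.1.5.1", "0.0.0.0", "20.0.0.1", "0.0.0.0", 80),
    Rule("permit", "tcp", "210.1.5.1", "0.0.0.0", "20.0.0.1", "0.0.0.0", 25),
    Rule("deny", None),   # "rule deny ip": everything not permitted above
]

def evaluate(acl: List[Rule], src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> str:
    """Walk the ACL in order; the first rule that matches decides the packet."""
    for r in acl:
        if r.proto is not None and r.proto != proto:
            continue
        if not wildcard_match(src, r.src, r.src_wild):
            continue
        if not wildcard_match(dst, r.dst, r.dst_wild):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"   # no rule matched: treat as dropped (assumption)

# Constructed sample inbound packets on the external sub-interface.
SAMPLE_PACKETS: List[Tuple[str, str, str, Optional[int]]] = [
    ("210.1.5.1", "20.0.0.1", "tcp", 80),   # allowed: HTTP to the server
    ("210.1.5.1", "20.0.0.1", "tcp", 25),   # allowed: SMTP to the server
    ("210.1.5.1", "20.0.0.1", "tcp", 22),   # blocked: other port on the server
    ("210.1.5.1", "20.0.0.9", "tcp", 80),   # blocked: other internal host
    ("210.1.5.2", "20.0.0.1", "tcp", 80),   # blocked: any other external host
]

def audit() -> List[str]:
    return [evaluate(ACL_3002, *pkt) for pkt in SAMPLE_PACKETS]
```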
Configuration Example of Fragment Packet Filtering Through Packet Filtering Firewall
Network requirements
The company accesses the Internet through Ethernet1/0/0 on a 3Com security gateway that is connected to the internal network through Ethernet0/0/0. It provides WWW and Telnet services externally. The corporate internal subnet address is 200.1.1.0/24; the internal WWW server address is 200.1.1.1; the internal Telnet server address is 200.1.1.2; and the address of the external interface Ethernet1/0/0 of the security gateway is 202.38.160.1.
To guard the internal WWW server and Telnet server against fragment packet attacks from outside, an ACL is applied to the inbound traffic on the external interface of the security gateway to prevent fragment packets from reaching the internal servers.