3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide
110 CHAPTER 7: FIREWALL CONFIGURATION
# Configure ACL 3111 to refuse all TCP and UDP traffic to enter internal network.
ASPF will create a temporary ACL for traffic that is permitted to pass.
[secblade] acl number 3111
[secblade-acl-adv-3111] rule deny ip
# Create ASPF policy 1. The policy inspects two application-layer protocols,
FTP and HTTP, and sets the idle timeout for FTP sessions to 3,000 seconds.
[secblade] aspf-policy 1
[secblade-aspf-policy-1] detect ftp aging-time 3000
[secblade-aspf-policy-1] detect http java-blocking 2001 aging-time 3000
# Configure ACL 2001 to filter Java applets from the site 202.0.0.2.
[secblade] acl number 2001
[secblade-acl-basic-2001] rule deny source 202.0.0.1 0
[secblade-acl-basic-2001] rule permit
# Apply the ASPF policy on the interface.
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] firewall aspf 1 outbound
# Apply ACL 3111 on the interface.
[secblade-GigabitEthernet0/0.2] firewall packet-filter 3111 inbound
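To make the interplay between the static "deny ip" filter and the temporary entries ASPF creates concrete, here is an added Python model (not the firewall module's own code): it tracks sessions seen outbound on the interface, lets only matching reply traffic back in, and ages idle entries out after the configured aging-time. The internal host 10.0.0.5 and the port numbers are constructed; the Java-blocking part of the policy is not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class AspfFirewall:
    """Hypothetical model of 'firewall aspf 1 outbound' plus
    'firewall packet-filter 3111 inbound' on one interface."""

    def __init__(self, aging_time=3000):
        self.aging_time = aging_time          # seconds, from 'aging-time 3000'
        self.sessions = {}                    # 5-tuple -> last activity time

    def outbound(self, pkt, now):
        # Outbound traffic is not subject to ACL 3111; ASPF records the
        # session so that the reply can be let back in.
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        self.sessions[key] = now
        return True

    def inbound(self, pkt, now):
        # Reverse the 5-tuple: a reply from the outside host matches the
        # outbound session that was recorded earlier.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        last = self.sessions.get(key)
        if last is None:
            return False                      # no session: 'rule deny ip' applies
        if now - last > self.aging_time:
            del self.sessions[key]            # idle entry aged out
            return False
        self.sessions[key] = now              # activity refreshes the timer
        return True
```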
Black List
Introduction to Black List
A black list filters packets based on their source IP address. Compared with an
ACL, the fields a black list has to match are much simpler, so it can filter
packets at high speed and effectively shield the device from packets sent by a
specific IP address. The most important feature of the black list is that entries
can be added dynamically by the firewall module: when the firewall detects an
attack attempt from a specific IP address based on packet behaviour, it
automatically updates its black list to filter all packets sent from that address.
This is one of the security features of the firewall.
Creating black list
A black list entry can be created in two ways: manually through the command
line, or dynamically by some modules of the firewall.
1 Creation through command lines
The following command is used to create a black list entry.
firewall blacklist sour-addr [ timeout minutes ]
Black list entries are created per IP address. If the same IP address is configured
again in the black list, the newly configured entry replaces the old one. Without
the parameter timeout minutes, a permanent entry is configured, that is, it will not