Using FILTCFG for Filter Configuration

These sections tell you how to use FILTCFG on a Novell BorderManager 3.8 server:


Setting Up Outbound Packet Filter Exceptions

Because the default filters do not automatically allow certain packet types to cross the firewall, you might also need to enable filter exceptions for the additional services you want to support.

The system-defined packet types enable you to configure stateful packet filter exceptions for the following services:

With stateful (dynamic) packet filtering, you only need to define the exceptions that allow specific types of outbound traffic going to specific destinations to be forwarded by the Novell BorderManager 3.8 server. Stateful packet filtering monitors each connection and creates a temporary (time-limited) filter exception for the inbound connection. This allows you to block incoming traffic originating from a particular port number and address, while still allowing return traffic from that same port number and address.

Stateful packet filters track the outgoing packets allowed to pass and allow only the corresponding response packets to return. When the first packet is transmitted to the public network (Internet), a reverse filter is dynamically created. To be counted as a response, the incoming packet must come from the same host and port to which the outbound packet was originally sent.

To configure stateful packet forwarding exceptions to forward outbound traffic through the Novell BorderManager 3.8 server:

  1. At the server console prompt, enter

    LOAD FILTCFG

  2. From the Filter Configuration Available Options menu, select Configure Interface Options, then press Enter.

  3. Select an interface from the list, then press Tab to switch between Public and Private.

    Any interface listed can be designated as either a public (external) interface or a private (internal) interface.

  4. Press Esc, then select Configure TCP/IP Filters, then Packet Forwarding Filters.

    The screen displayed should appear similar to the following.

    Figure 10
    Packet Forwarding Filters Screen

  5. Complete the following steps:

    • If the status is Disabled, press Enter, select Enabled, then press Enter again. Any TCP/IP filters previously configured become active immediately.
    • If the action is Permit Packets in Filter List, press Enter, select Deny Packets in Filter List, then press Enter again. Packets matching the types listed in the filter list will not be forwarded by the Novell BorderManager 3.8 server.
  6. Select Filters, then press Enter to display the filter list.

    A default filter set up during installation blocks all inbound IP packets coming from the public interface.

  7. Press Esc.

  8. Select Exceptions, then press Enter to display the exceptions list.

    A default filter exception that is set up during installation allows all outbound IP packets to be routed through the public interface.

    Other filter exceptions permit the following inbound packet types through the public interface:

    • Secure Sockets Layer (SSL) authentication: TCP port 443.
    • Dynamic TCP: TCP ports 1024 to 65535.
    • Dynamic UDP: UDP ports 1024 to 65535.
    • VPN master or slave (IPX/TCP): TCP port 213.
    • VPN client authentication: TCP port 353.
    • VPN keep-alive: UDP port 353.
    • VPN Simple Key Management for Internet Protocol (SKIP): protocol 57.
    • Web proxy cache (WWW-HTTP): TCP port 80.

      Although the default filter exceptions allow certain VPN-related packets to be forwarded, the default VPN exceptions do not allow encrypted packets to be routed from one VPN member to another. The filters for the VPN tunnels must be updated each time you configure a VPN server. For more information, refer to Completing Advanced Setup, Configuration, and Management Tasks, and VPN Overview and Planning.

  9. Press Ins to define a new outbound packet forwarding filter exception.

    The Define Exception screen is displayed, similar to the following screen:

    Figure 11
    Define Exception Screen

  10. Select Source Interface Type, then press Enter.

  11. Select Interface or Interface Group, then press Enter.

  12. Select Source Interface, then press Enter.

  13. Select the Novell BorderManager 3.8 server's private interface or interface group, then press Enter.

  14. If you selected a WAN interface, select Source Circuit, then press Enter to define the following circuit information that applies to the interface:

    • Local Frame Relay DLCI # (for frame relay): The data-link connection identifier (DLCI) circuit number used for calls.
    • Remote System ID (for PPP, X.25, or ATM): The name of the remote system server or remote peer associated with this circuit.
    • Circuit Parameter Type (for X.25 or ATM): The type of virtual circuit used to establish a connection.
    • Remote DTE Address (for X.25): The X.121 data terminal equipment (DTE) address assigned to the specific remote DTE.
    • Remote ATM Address (for ATM): The address assigned to the specific remote Asynchronous Transfer Mode (ATM).
  15. Select Destination Interface Type, then press Enter.

  16. Select Interface or Interface Group, then press Enter.

  17. Select Destination Interface, then press Enter.

  18. Select the Novell BorderManager 3.8 server's public interface or interface group, then press Enter.

  19. If you selected a WAN interface, select Destination Circuit, then press Enter to define the following circuit information that applies to the interface:

    • Local Frame Relay DLCI # (for frame relay): The DLCI circuit number used for calls.
    • Remote System ID (for PPP, X.25, or ATM): The name of the remote system server or remote peer associated with this circuit.
    • Circuit Parameter Type (for X.25 or ATM): The type of virtual circuit used to establish a connection.
    • Remote DTE Address (for X.25): The X.121 DTE address assigned to the specific remote DTE.
    • Remote ATM Address (for ATM): The address assigned to the specific remote ATM.
  20. Select Packet Type, then press Enter.

    The Defined TCP/IP Packet Types window is displayed.

    You can select any of the following predefined stateful packet forwarding filters:

    Name              Packet Type   Transport Type   Destination Port   Stateful Filtering
    dns/tcp-st        DNS           TCP              53                 Enabled
    dns/udp-st        DNS           UDP              53                 Enabled
    ftp-pasv-st       FTP           TCP              21                 FTP_PASV
    ftp-port-st       FTP           TCP              21                 FTP_PORT
    ftp-port-pasv-st  FTP           TCP              21                 Enabled
    ping-st           PING          ICMP             N/A                Enabled
    pop3-st           POP3 Mail     TCP              110                Disabled
    smtp-st           SMTP          TCP              25                 Enabled
    telnet-st         Telnet        TCP              23                 Enabled
    www-http-st       HTTP          TCP              80                 Enabled
    www-https-st      HTTPS         TCP              443                Enabled

  21. For Src Addr Type, select Any Address, Host, or Network.

    You should select Any Address unless you want the exception to be valid only for a specific host or network on your private network.

  22. If you selected Host or Network, select Src IP Address, then specify the host or network address.

  23. For Dest Addr Type, select Any Address, Host, or Network.

    You should select Any Address unless you want the exception to be valid only for packets addressed to a specific host or network outside the private network.

  24. If you selected Host or Network, select Dest IP Address, then specify the host or network address.

  25. (Optional) Select Logging, press Enter, then change the status from Disabled to Enabled.

  26. (Optional) Specify a comment in the Comment field describing the purpose of the filter. Press Esc, then select Yes to save the filter. Press Esc until you are prompted to exit FILTCFG.

IMPORTANT:  If you enabled logging for a filter exception, you must also enable global logging for TCP/IP. Both global logging and logging for the specific filter exception must be enabled for logging to occur.
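The stateful behaviour this section describes (an outbound exception lets the first packet out and dynamically creates a temporary reverse filter; only packets from the same remote host and port, back to the same local host and port, are accepted, and only until the entry expires) is easier to reason about when written down as code. The following Python model is an added example, not Novell code and not the FILTCFG implementation: the interface names PRIVATE and PUBLIC, the addresses, the 300-second entry lifetime and all class and function names are constructed for the illustration; the packet type dns/udp-st and its port come from the table in step 20.

```python
"""Toy model of stateful packet forwarding exceptions (constructed example, not Novell code)."""
from dataclasses import dataclass
import ipaddress
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    protocol: str   # "TCP", "UDP" or "ICMP"
    src_ip: str
    src_port: int   # 0 when the protocol has no ports
    dst_ip: str
    dst_port: int
    in_iface: str   # interface the packet arrived on
    out_iface: str  # interface it would be forwarded to


@dataclass(frozen=True)
class PacketType:
    name: str
    protocol: str
    dst_port: Optional[int]  # None = no port check (e.g. ICMP)
    stateful: bool


@dataclass(frozen=True)
class ForwardingException:
    """One outbound exception: source interface, destination interface, packet type, address scope."""
    src_iface: str
    dst_iface: str
    packet_type: PacketType
    # None models "Any Address", a /32 models "Host", anything else models "Network"
    src_net: Optional[ipaddress.IPv4Network] = None
    dst_net: Optional[ipaddress.IPv4Network] = None

    def matches(self, pkt: Packet) -> bool:
        pt = self.packet_type
        if (pkt.in_iface, pkt.out_iface, pkt.protocol) != (self.src_iface, self.dst_iface, pt.protocol):
            return False
        if pt.dst_port is not None and pkt.dst_port != pt.dst_port:
            return False
        if self.src_net is not None and ipaddress.ip_address(pkt.src_ip) not in self.src_net:
            return False
        if self.dst_net is not None and ipaddress.ip_address(pkt.dst_ip) not in self.dst_net:
            return False
        return True


# (protocol, src ip, src port, dst ip, dst port, in iface, out iface) of the packets a reverse entry permits
ReverseKey = Tuple[str, str, int, str, int, str, str]


class StatefulForwarder:
    """Deny-by-default forwarder: a packet passes only if it matches an exception or is the
    response to a packet that a stateful exception already let out (time-limited reverse table)."""

    def __init__(self, exceptions: List[ForwardingException], timeout_s: float = 300.0):
        self.exceptions = list(exceptions)
        self.timeout_s = timeout_s  # assumed lifetime of a reverse entry (constructed value)
        self.reverse: Dict[ReverseKey, float] = {}  # key -> expiry time

    def forward(self, pkt: Packet, now: float) -> str:
        key: ReverseKey = (pkt.protocol, pkt.src_ip, pkt.src_port,
                           pkt.dst_ip, pkt.dst_port, pkt.in_iface, pkt.out_iface)
        expiry = self.reverse.get(key)
        if expiry is not None:
            if now <= expiry:
                return "PERMIT"  # response to a tracked outbound packet
            del self.reverse[key]  # entry expired: fall back to the configured rules
        for exc in self.exceptions:
            if exc.matches(pkt):
                if exc.packet_type.stateful:
                    # Dynamically create the reverse filter: same remote host and port,
                    # back to the same local host and port, in the opposite direction.
                    rkey: ReverseKey = (pkt.protocol, pkt.dst_ip, pkt.dst_port,
                                        pkt.src_ip, pkt.src_port, pkt.out_iface, pkt.in_iface)
                    self.reverse[rkey] = now + self.timeout_s
                return "PERMIT"
        return "DENY"


DNS_UDP = PacketType("dns/udp-st", "UDP", 53, stateful=True)


def demo_any_address() -> List[str]:
    """Outbound dns/udp-st exception with Src Addr Type and Dest Addr Type = Any Address."""
    fwd = StatefulForwarder([ForwardingException("PRIVATE", "PUBLIC", DNS_UDP)], timeout_s=300)
    query = Packet("UDP", "10.1.1.20", 40123, "198.51.100.10", 53, "PRIVATE", "PUBLIC")
    reply = Packet("UDP", "198.51.100.10", 53, "10.1.1.20", 40123, "PUBLIC", "PRIVATE")
    unsolicited = Packet("UDP", "198.51.100.10", 53, "10.1.1.20", 40124, "PUBLIC", "PRIVATE")
    other_host = Packet("UDP", "203.0.113.7", 53, "10.1.1.20", 40123, "PUBLIC", "PRIVATE")
    telnet = Packet("TCP", "10.1.1.20", 40200, "198.51.100.10", 23, "PRIVATE", "PUBLIC")
    return [
        fwd.forward(query, now=0),        # PERMIT, creates the reverse entry
        fwd.forward(reply, now=2),        # PERMIT through the reverse entry
        fwd.forward(unsolicited, now=3),  # DENY: wrong local port
        fwd.forward(other_host, now=4),   # DENY: wrong remote host
        fwd.forward(telnet, now=5),       # DENY: no exception for TCP 23
        fwd.forward(reply, now=1000),     # DENY: reverse entry has expired
    ]


def demo_host_address() -> List[str]:
    """Same exception with Dest Addr Type = Host, so only one resolver is reachable."""
    resolver = ipaddress.ip_network("198.51.100.10/32")
    fwd = StatefulForwarder([ForwardingException("PRIVATE", "PUBLIC", DNS_UDP, dst_net=resolver)])
    to_resolver = Packet("UDP", "10.1.1.20", 40123, "198.51.100.10", 53, "PRIVATE", "PUBLIC")
    to_other = Packet("UDP", "10.1.1.20", 40124, "198.51.100.11", 53, "PRIVATE", "PUBLIC")
    return [fwd.forward(to_resolver, now=0), fwd.forward(to_other, now=1)]  # PERMIT, DENY
```

demo_any_address walks through the cases from the text: the unsolicited packet and the packet from another host both fail the reverse-entry check even though they arrive on the DNS port, and the late reply is dropped once the entry has timed out. demo_host_address shows the effect of choosing Host rather than Any Address for Dest Addr Type in step 23.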


Setting Up Inbound Packet Filter Exceptions

If you chose to secure the public interface of the Novell BorderManager 3.8 server and also support SOCKS clients, you might need to enable inbound packet filter exceptions to allow those clients to connect through the public interface. SOCKS clients connect on TCP port 1080.

To configure packet forwarding exceptions that forward SOCKS traffic through the Novell BorderManager 3.8 server's public interface:

  1. At the server console prompt, enter

    LOAD FILTCFG

  2. Select Configure TCP/IP Filters and Packet Forwarding Filters.

  3. Select Exceptions, then press Enter to display the exceptions list.

  4. Press Ins to define a new inbound packet forwarding filter exception.

  5. Configure the exception for SOCKS clients.

  6. Press Esc until you are prompted to exit FILTCFG.


Defining Custom Stateful Packet Types

The Novell BorderManager 3.8 firewall has many static packet types defined in addition to the stateful packet types listed in Setting Up Outbound Packet Filter Exceptions.

Static packet types are those without -st in their names. A static packet type is used to define a filter operating on traffic in one direction only. For example, instead of creating a stateful packet filter in one direction and relying on the system to enable the time-limited filter in the reverse direction, you can create two static packet filters, one for packets flowing in each direction. However, stateful packet filters provide more security than static packet filters.

If the stateful packet types already defined by the Novell BorderManager 3.8 server do not include a packet type you want to filter, and you are hesitant to use static packet filters, you can create a custom stateful packet type.

To define a custom stateful packet type:

  1. In the Defined TCP/IP Packet Types window, press Insert.

  2. Specify the name of the new packet type in the Name field.

  3. For the Protocol field, press Insert and select IP, ICMP, IGMP, TCP, or UDP.

  4. If you selected TCP or UDP, specify the source and destination port number or range of port numbers.

  5. Do not change the default setting of Disable for ACK Bit Filtering.

    You don't need to enable ACK bit filtering separately, because ACK bit filtering automatically occurs when stateful packet filtering is enabled. The software does not allow you to enable both ACK bit filtering and stateful packet filtering for the same filter.

  6. Enable stateful filtering by selecting one of the following stateful filtering modes:

    • Enabled
    • Enabled for Active FTP only (PORT)
    • Enabled for Passive FTP only (PASV)

    NOTE:  The last two stateful filtering modes apply only to FTP packet types (port 21). If you want stateful filtering for both Active FTP and Passive FTP, select Enabled.

  7. (Optional) Specify a comment to describe the packet type.

    The TCP/IP packet type definition will look similar to the following.

    Figure 12
    Define TCP/IP Packet Type

  8. Press Esc to add the packet to the Defined TCP/IP Packet Types list.

    After the packet type has been added to the list, you can set up a stateful packet filter using this packet type definition.
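The constraints this procedure states (the protocol must be IP, ICMP, IGMP, TCP or UDP; port numbers apply only to TCP and UDP; ACK bit filtering stays disabled whenever stateful filtering is enabled; the PORT and PASV modes apply only to FTP packet types on port 21; and, from the start of this section, stateful types carry the -st suffix while static types do not) can be checked before a definition is typed into FILTCFG. The following Python validator is an added example, not Novell code: its class and function names and the sample definitions (app/tcp-st and the others) are constructed for this illustration.

```python
"""Rule checker for custom stateful packet type definitions (constructed example, not Novell code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTOCOLS = ("IP", "ICMP", "IGMP", "TCP", "UDP")
MODE_OFF, MODE_ON = "Disabled", "Enabled"
MODE_PORT = "Enabled for Active FTP only (PORT)"
MODE_PASV = "Enabled for Passive FTP only (PASV)"
STATEFUL_MODES = (MODE_OFF, MODE_ON, MODE_PORT, MODE_PASV)
PortRange = Tuple[int, int]  # inclusive (low, high); (n, n) is a single port


@dataclass(frozen=True)
class CustomPacketType:
    """Fields of the Define TCP/IP Packet Type screen as modelled here."""
    name: str
    protocol: str
    src_ports: Optional[PortRange] = None
    dst_ports: Optional[PortRange] = None
    ack_bit_filtering: bool = False  # keep the default (Disabled)
    stateful_mode: str = MODE_OFF
    comment: str = ""


def _range_ok(r: Optional[PortRange]) -> bool:
    return r is None or (1 <= r[0] <= r[1] <= 65535)


def validate(pt: CustomPacketType) -> List[str]:
    """Return the rule violations found; an empty list means the definition is acceptable."""
    errors: List[str] = []
    if pt.protocol not in PROTOCOLS:
        errors.append(f"protocol must be one of {', '.join(PROTOCOLS)}")
    has_ports = pt.protocol in ("TCP", "UDP")
    if has_ports and pt.dst_ports is None:
        errors.append("TCP and UDP packet types need a destination port or port range")
    if not has_ports and (pt.src_ports is not None or pt.dst_ports is not None):
        errors.append(f"{pt.protocol} has no port numbers; remove the port settings")
    for label, r in (("source", pt.src_ports), ("destination", pt.dst_ports)):
        if not _range_ok(r):
            errors.append(f"{label} port range {r} is reversed or outside 1-65535")
    if pt.stateful_mode not in STATEFUL_MODES:
        errors.append(f"unknown stateful filtering mode {pt.stateful_mode!r}")
    stateful = pt.stateful_mode != MODE_OFF
    if stateful and pt.ack_bit_filtering:
        # ACK bit filtering happens implicitly with stateful filtering; both cannot be set
        errors.append("ACK bit filtering cannot be enabled together with stateful filtering")
    if pt.stateful_mode in (MODE_PORT, MODE_PASV) and not (pt.protocol == "TCP" and pt.dst_ports == (21, 21)):
        errors.append("PORT/PASV modes apply only to FTP packet types (TCP port 21)")
    # Naming convention from the text: stateful types end in -st, static types do not
    if stateful != pt.name.endswith("-st"):
        errors.append("name should end in -st exactly when stateful filtering is enabled")
    return errors


def sample_definitions() -> Dict[str, CustomPacketType]:
    """Constructed definitions: one acceptable, each of the others breaking one rule."""
    return {
        "ok": CustomPacketType("app/tcp-st", "TCP", src_ports=(1024, 65535), dst_ports=(8443, 8443),
                               stateful_mode=MODE_ON, comment="partner service on a custom TLS port"),
        "ack_and_stateful": CustomPacketType("app2/tcp-st", "TCP", dst_ports=(9000, 9000),
                                             ack_bit_filtering=True, stateful_mode=MODE_ON),
        "pasv_not_ftp": CustomPacketType("web-pasv-st", "TCP", dst_ports=(80, 80), stateful_mode=MODE_PASV),
        "icmp_with_ports": CustomPacketType("ping2-st", "ICMP", dst_ports=(7, 7), stateful_mode=MODE_ON),
        "static_named_st": CustomPacketType("syslog-st", "UDP", dst_ports=(514, 514)),
    }


def report(defs: Dict[str, CustomPacketType]) -> Dict[str, List[str]]:
    """Validate every sample and return the violations keyed by sample name."""
    return {key: validate(pt) for key, pt in defs.items()}
```

Running report(sample_definitions()) gives an empty list for "ok" and exactly one violation for each of the other entries, which mirrors the checks the FILTCFG screen enforces interactively (it refuses to enable both ACK bit filtering and stateful filtering) and the conventions the text asks you to follow by hand.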