About Blocking Unwanted Traffic

The device includes ways to block unwanted traffic at the network interface level. This can be done using 6WIND nc-cli commands or the webUI.

As an aid to understanding the interfaces, see the following diagram illustrating the interface assignments for a typical Edge 8300 deployment. The Bridge 4 (br4) interface is the public or WAN interface of the device.

Attention

The IP addresses shown in the examples may conflict with an existing or planned production network. Consult with your network administrator for the specific IP addresses required for your deployment.

Example of Network Interface Assignments for an Edge 8300


Example of Blocking Common Service Ports on BR4 Interface

The following example illustrates blocking a set of services on the BR4 interface using 6WIND configuration commands and the webUI. The services blocked are:

  • port 111 (portmapper)
  • port 22 (ssh)
  • port 443 (https)
  • port 161 (snmp)
  • port 830 (netconf-ssh)
  • port 80 (http)

Block Service Ports Using 6Wind Configuration Commands

Prerequisites

  • Login access as user sysadm to the CLI.

Start

  1. Log in to the CLI as user sysadm.
  2. Switch to user root.
    # sudo -i
  3. Enter the 6WIND cli environment.
    # nc-cli
  4. Run the following commands.
    Example: Direct-Access Blocking
    nc-cli
    vrf main firewall ipv4 filter input
    rule 50 action drop description Dport22DROP destination port 22 inbound-interface br4 protocol tcp
    rule 51 action drop description Dport443DROP destination port 443 inbound-interface br4 protocol tcp
    rule 52 action drop description Dport161DROP destination port 161 inbound-interface br4 protocol udp
    rule 53 action drop description Dport111DROP destination port 111 inbound-interface br4 protocol tcp
    rule 54 action drop description Dport830DROP destination port 830 inbound-interface br4 protocol tcp
    rule 55 action drop description Dport80DROP destination port 80 inbound-interface br4 protocol tcp
    commit
    exit
    copy running startup
    exit
    
    # iptables -nvL
    Chain INPUT (policy ACCEPT 88 packets, 6751 bytes)
     pkts bytes target     prot opt in     out     source               destination
       10   600 DROP       tcp  --  br4    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* yams-rule-id 50 */ /* Dport22DROP */
        0     0 DROP       tcp  --  br4    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* yams-rule-id 51 */ /* Dport443DROP */
        0     0 DROP       udp  --  br4    *       0.0.0.0/0            0.0.0.0/0            udp dpt:161 /* yams-rule-id 52 */ /* Dport161DROP */
        0     0 DROP       tcp  --  br4    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:111 /* yams-rule-id 53 */ /* Dport111DROP */
        0     0 DROP       tcp  --  br4    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:830 /* yams-rule-id 54 */ /* Dport830DROP */
        0     0 DROP       tcp  --  br4    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* yams-rule-id 55 */ /* Dport80DROP */ 
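To confirm the rules actually landed on the WAN interface, the following POSIX shell script (an added example, not part of the Edge 8300 or 6WIND documentation) parses `iptables -nvL` output in the format shown above and reports which of the expected proto:port drops have no DROP rule on br4. The function names `list_drops` and `missing_blocks` and the trimmed sample output are constructed for this example; a rule on a different interface is included to show that it does not count.

```shell
#!/bin/sh
# Added example, not from the Edge 8300 / 6WIND documentation: check that the
# expected DROP rules exist on the INPUT chain by parsing `iptables -nvL` output.

# Expected "proto:port" drops on the WAN interface, taken from the procedure above.
EXPECTED_BLOCKS="tcp:22 tcp:443 udp:161 tcp:111 tcp:830 tcp:80"

# Constructed sample in the format iptables prints on the device, with only three
# of the six br4 rules present (plus one on eth0, which must not count) so the
# check has something to report. On the device, feed the real output instead:
#   iptables -nvL INPUT | missing_blocks br4
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT 88 packets, 6751 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   600 DROP       tcp  --  br4    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* yams-rule-id 50 */ /* Dport22DROP */
    0     0 DROP       udp  --  br4    *       0.0.0.0/0            0.0.0.0/0            udp dpt:161 /* yams-rule-id 52 */ /* Dport161DROP */
    0     0 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* constructed: wrong interface */
    0     0 DROP       tcp  --  br4    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* yams-rule-id 55 */ /* Dport80DROP */'

# list_drops IFACE: reads `iptables -nvL` text on stdin and prints "proto:port" for
# every DROP rule whose inbound interface is IFACE and that matches one destination port.
list_drops() {
    awk -v iface="$1" '
        $3 == "DROP" && $6 == iface {
            for (i = 7; i <= NF; i++)
                if ($i ~ /^dpt:[0-9]+$/) { sub(/^dpt:/, "", $i); print $4 ":" $i }
        }'
}

# missing_blocks IFACE: reads `iptables -nvL` text on stdin and prints each expected
# proto:port pair that has no DROP rule on IFACE. Exit status 0 if none are missing.
missing_blocks() {
    present=" $(list_drops "$1" | tr '\n' ' ') "
    rc=0
    for want in $EXPECTED_BLOCKS; do
        case "$present" in
            *" $want "*) ;;
            *) printf '%s\n' "$want"; rc=1 ;;
        esac
    done
    return $rc
}

# Demonstration against the constructed sample: reports tcp:443, tcp:111 and tcp:830.
printf '%s\n' "$SAMPLE_IPTABLES" | missing_blocks br4 \
    || echo "some expected drops are missing on br4"
```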

Block Service Ports Using the Edge 8000 webUI

Prerequisites

  • Login access as user admin to the webUI.

Start

  1. Log in to the webUI, and click the Settings tab.
  2. Navigate to Routing > Vrf Firewall.
  3. Click the "+" in the banner to create a new rule.
  4. Complete the fields in the Create Ip Tables window.
    Example for creating a rule to drop any port 22 tcp messages coming inbound to interface Bridge 4 (br4):
  5. Click Apply.
  6. Repeat for each rule.