About Blocking Unwanted Traffic
The Ribbon Edge 8000 Series device includes ways to block unwanted traffic at the network interface level. This can be accomplished using 6Wind nc-cli commands or the Edge 8000 webUI.
As an aid to understanding the Edge 8000 interfaces, see the following diagram illustrating the interface assignments for a typical Edge 8300 deployment. The Bridge 4 (br4) interface is the public or WAN interface of the device.
The IP addresses shown in the examples may conflict with an existing or planned production network. Consult with your network administrator for the specific IP addresses required for your deployment.
Example of Network Interface Assignments for an Edge 8300
Example of Blocking Common Service Ports on BR4 Interface
The following example illustrates the blocking of a set of services on the BR4 interface using 6Wind configuration commands and the Edge 8000 webUI. The services blocked are:
- port 111 (portmapper)
- port 22 (ssh)
- port 443 (https)
- port 161 (snmp)
- port 830 (netconf-ssh)
- port 80 (http)
Block Service Ports Using 6Wind Configuration Commands
Prerequisites
- Login access as user sysadm to the Edge 8000 CLI.
Start
- Log in to the Edge 8000 CLI as user sysadm.
- Switch to user root.
# sudo -i
- Enter the 6WIND CLI environment.
# nc-cli
- Run the following commands.

Example: Direct-Access Blocking

nc-cli
vrf main firewall ipv4 filter input
rule 50 action drop description Dport22DROP destination port 22 inbound-interface br4 protocol tcp
rule 51 action drop description Dport443DROP destination port 443 inbound-interface br4 protocol tcp
rule 52 action drop description Dport161DROP destination port 161 inbound-interface br4 protocol udp
rule 53 action drop description Dport111DROP destination port 111 inbound-interface br4 protocol tcp
rule 54 action drop description Dport830DROP destination port 830 inbound-interface br4 protocol tcp
rule 55 action drop description Dport80DROP destination port 80 inbound-interface br4 protocol tcp
commit
exit
copy running startup
exit

Verify that the rules were installed in the kernel packet filter:

# iptables -nvL
Chain INPUT (policy ACCEPT 88 packets, 6751 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   600 DROP       tcp  --  br4    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* yams-rule-id 50 */ /* Dport22DROP */
    0     0 DROP       tcp  --  br4    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* yams-rule-id 51 */ /* Dport443DROP */
    0     0 DROP       udp  --  br4    *       0.0.0.0/0            0.0.0.0/0            udp dpt:161 /* yams-rule-id 52 */ /* Dport161DROP */
    0     0 DROP       tcp  --  br4    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:111 /* yams-rule-id 53 */ /* Dport111DROP */
    0     0 DROP       tcp  --  br4    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:830 /* yams-rule-id 54 */ /* Dport830DROP */
    0     0 DROP       tcp  --  br4    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* yams-rule-id 55 */ /* Dport80DROP */
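The iptables listing above is the check that matters: a rule that was typed with the wrong protocol, the wrong interface, or never committed simply does not appear there. The following Python script is an added example (not Ribbon or 6WIND code) that parses `iptables -nvL` output and reports which of the six service blocks on br4 are missing, so the verification can be scripted rather than read by eye. The sample output it carries is constructed from the listing on this page; the second sample deliberately omits the SNMP rule to show a gap being reported. It assumes the protocol column is printed by name (tcp/udp), as in the listing above.

```python
"""Check that the intended DROP rules on br4 are present in `iptables -nvL` output.

Added example, not part of the Ribbon or 6WIND documentation. The sample
listings below are constructed from the page's example output.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Services the page blocks on the WAN bridge (br4): (port, protocol) -> name
EXPECTED_BLOCKS = {
    (22, "tcp"): "ssh",
    (443, "tcp"): "https",
    (161, "udp"): "snmp",
    (111, "tcp"): "portmapper",
    (830, "tcp"): "netconf-ssh",
    (80, "tcp"): "http",
}


class Rule(NamedTuple):
    pkts: int
    target: str
    proto: str
    in_iface: str
    dport: Optional[int]
    comments: Tuple[str, ...]


# One rule line of `iptables -nvL`:
#   pkts bytes target prot opt in out source destination [match details...]
_RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+(?P<opt>\S+)"
    r"\s+(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)(?P<rest>.*)$"
)
_DPORT_RE = re.compile(r"\bdpt:(\d+)")
_COMMENT_RE = re.compile(r"/\*\s*(.*?)\s*\*/")


def parse_iptables(text: str) -> List[Rule]:
    """Return the rule lines of an `iptables -nvL` listing as Rule records."""
    rules = []
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if not m:
            continue  # chain headers, column headers and blank lines
        rest = m.group("rest")
        dport = _DPORT_RE.search(rest)
        rules.append(Rule(
            pkts=int(m.group("pkts")),
            target=m.group("target"),
            proto=m.group("prot"),
            in_iface=m.group("in"),
            dport=int(dport.group(1)) if dport else None,
            comments=tuple(_COMMENT_RE.findall(rest)),
        ))
    return rules


def missing_blocks(rules: List[Rule], expected=EXPECTED_BLOCKS, iface: str = "br4"):
    """List (port, proto, name) entries with no DROP rule on `iface`.

    A rule with the right port but the wrong protocol or interface does not
    count as coverage, which is exactly the mistake a typed-in rule set hides.
    """
    covered = {(r.dport, r.proto) for r in rules
               if r.target == "DROP" and r.in_iface == iface and r.dport is not None}
    return sorted((port, proto, name) for (port, proto), name in expected.items()
                  if (port, proto) not in covered)


def hit_counts(rules: List[Rule], iface: str = "br4") -> Dict[Tuple[int, str], int]:
    """Packet counters of the DROP rules on `iface`, keyed by (port, proto)."""
    return {(r.dport, r.proto): r.pkts for r in rules
            if r.target == "DROP" and r.in_iface == iface and r.dport is not None}


# Constructed from the page's listing: all six rules present.
SAMPLE_FULL = """\
Chain INPUT (policy ACCEPT 88 packets, 6751 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   600 DROP       tcp  --  br4    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* yams-rule-id 50 */ /* Dport22DROP */
    0     0 DROP       tcp  --  br4    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* yams-rule-id 51 */ /* Dport443DROP */
    0     0 DROP       udp  --  br4    *       0.0.0.0/0            0.0.0.0/0            udp dpt:161 /* yams-rule-id 52 */ /* Dport161DROP */
    0     0 DROP       tcp  --  br4    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:111 /* yams-rule-id 53 */ /* Dport111DROP */
    0     0 DROP       tcp  --  br4    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:830 /* yams-rule-id 54 */ /* Dport830DROP */
    0     0 DROP       tcp  --  br4    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* yams-rule-id 55 */ /* Dport80DROP */
"""

# Constructed variant: the SNMP (udp/161) rule was never committed.
SAMPLE_PARTIAL = "\n".join(l for l in SAMPLE_FULL.splitlines() if "dpt:161" not in l)


if __name__ == "__main__":
    for label, sample in (("full", SAMPLE_FULL), ("partial", SAMPLE_PARTIAL)):
        rules = parse_iptables(sample)
        print(f"{label}: missing={missing_blocks(rules)} hits={hit_counts(rules)}")
```

On the device itself, replace the constructed samples with the real listing (for example `parse_iptables(subprocess.check_output(["iptables", "-nvL"], text=True))`) and treat a non-empty `missing_blocks()` result as a failed change. The counters from `hit_counts()` are useful after the fact as well: a DROP rule whose packet count keeps rising on br4 is direct evidence of connection attempts the block is absorbing.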
Block Service Ports Using the Edge 8000 webUI
Prerequisites
- Login access as user admin to the Edge 8000 webUI.
Start
- Log in to the Edge 8000 webUI, and click the Settings tab.
- Navigate to Routing > Vrf Firewall.
- Click the "+" in the banner to create a new rule.
- Complete the fields in the Create Ip Tables window.
Example for creating a rule to drop any port 22 tcp messages coming inbound to interface Bridge 4 (br4):
- Click Apply.
- Repeat for each rule.