
Amer Networks E5Web GUI User Manual

Page 193


Specifying Any Interface or Network

When specifying the filtering criteria in any of the policy rule sets, there are several useful
predefined configuration objects that can be used:

For a source or destination network, the all-nets object is equivalent to the IPv4 address
range 0.0.0.0/0, which means that any IPv4 address is acceptable. Its IPv6 counterpart is
all-nets6, described under IPv6 below.

For a source or destination interface, the any option can be used so that cOS Core does not
care which interface the traffic is coming from or going to.

The destination interface can be specified as core. This means that the traffic, for example an
ICMP Ping, is destined for the Clavister Security Gateway itself and cOS Core will respond to it.

New connections that are initiated by cOS Core itself do not need an explicit IP rule since they
are allowed by default. For this reason, the interface core is never used as a source interface.
Such connections include those to the external databases needed for cOS Core features such
as IDP and dynamic web content filtering.

The Service can be specified as all_services, which matches all possible protocols.

Creating a Drop All Rule

Traffic that does not match any rule in the IP rule set is dropped by cOS Core by default, but this
implicit drop is not logged. In order to log the dropped connections, it is recommended that an
explicit IP rule with an action of Drop, matching all source/destination networks and interfaces, is
placed as the last IP rule in the IP rule set. This is often referred to as a Drop All rule. Since the
rule matches everything, it must be the last rule: any rule placed after it would never be reached.

Tip: Include the rule set name in the drop all name

There may be several IP rule sets in use. It is recommended to include the IP rule set name
in the name of the drop all rule so it can be easily identified in log messages.

For example, the drop all rule for the main rule set should be called main_drop_all or
similar.

The IP Addresses in IP Rules can be IPv4 or IPv6

IP rules support either IPv4 or IPv6 addresses as the source and destination network of a rule's
filtering properties.

However, the source and destination network of a single rule must be of the same address family.
It is not permissible to combine an IPv4 and an IPv6 address in one rule. For this reason, two
Drop All rules are required when IPv6 is in use, one for IPv4 and one for IPv6, as shown below:

Name       Action   Source Iface   Source Net   Dest Iface   Dest Net    Service
DropAll    Drop     any            all-nets     any          all-nets    all_services
DropAll6   Drop     any            all-nets6    any          all-nets6   all_services

For further discussion of this topic, see Section 3.2, “IPv6 Support”.
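The following is an added illustration and not part of the manual or Clavister's own code: a small first-match evaluator that models the rule semantics described on this page (the any interface, the all-nets and all-nets6 objects, a core destination for traffic to the gateway itself, the silent default drop when nothing matches, one explicit logged Drop All rule per address family, and the rejection of a rule that mixes IPv4 and IPv6). The interface names lan and wan, the networks lannet and lan_ip, the service names and the sample traffic are all assumptions made for the example.

```python
"""Toy first-match evaluator for cOS Core style IP rules.

Added example, not Clavister code. Interface names, the lannet / lan_ip
objects and the sample packets are constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass

# Predefined network objects. all-nets is 0.0.0.0/0 as the manual states;
# all-nets6 is its IPv6 counterpart ::/0. lannet and lan_ip are made up.
NETWORK_OBJECTS = {
    "all-nets": ipaddress.ip_network("0.0.0.0/0"),
    "all-nets6": ipaddress.ip_network("::/0"),
    "lannet": ipaddress.ip_network("192.168.1.0/24"),
    "lan_ip": ipaddress.ip_network("192.168.1.1/32"),
}


@dataclass
class IPRule:
    name: str
    action: str       # "Allow" or "Drop"
    src_iface: str    # interface name or "any"
    src_net: str      # name of a NETWORK_OBJECTS entry
    dst_iface: str    # interface name, "any" or "core" (the gateway itself)
    dst_net: str
    service: str      # "all_services" or a single service name

    def __post_init__(self):
        src, dst = NETWORK_OBJECTS[self.src_net], NETWORK_OBJECTS[self.dst_net]
        # A single rule may not combine IPv4 and IPv6 networks; reject it.
        if src.version != dst.version:
            raise ValueError(f"{self.name}: source and destination must be the same IP version")


@dataclass
class Packet:
    src_iface: str
    src_ip: str
    dst_iface: str    # interface chosen by routing, or "core" for the gateway
    dst_ip: str
    service: str


def rule_matches(rule: IPRule, pkt: Packet) -> bool:
    src_ip, dst_ip = ipaddress.ip_address(pkt.src_ip), ipaddress.ip_address(pkt.dst_ip)
    src_net, dst_net = NETWORK_OBJECTS[rule.src_net], NETWORK_OBJECTS[rule.dst_net]
    # An IPv4 rule never matches IPv6 traffic and vice versa, which is why a
    # separate Drop All rule is needed for each address family.
    if src_ip.version != src_net.version or dst_ip.version != dst_net.version:
        return False
    return (rule.src_iface in ("any", pkt.src_iface)
            and rule.dst_iface in ("any", pkt.dst_iface)
            and src_ip in src_net and dst_ip in dst_net
            and rule.service in ("all_services", pkt.service))


def evaluate(rules, pkt: Packet, log: list):
    """Top-down, first match wins. Returns (action, rule name)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            log.append(f"{rule.action} rule={rule.name} {pkt.src_ip}->{pkt.dst_ip} {pkt.service}")
            return rule.action, rule.name
    # No rule matched: dropped by default, and nothing is logged.
    return "Drop", None


def build_main_ruleset(with_drop_all: bool):
    rules = [
        IPRule("lan_to_wan", "Allow", "lan", "lannet", "wan", "all-nets", "all_services"),
        IPRule("lan_ping_gw", "Allow", "lan", "lannet", "core", "lan_ip", "ping"),
    ]
    if with_drop_all:
        # Rule set name carried in the rule name, one rule per address family, last.
        rules += [
            IPRule("main_drop_all", "Drop", "any", "all-nets", "any", "all-nets", "all_services"),
            IPRule("main_drop_all6", "Drop", "any", "all-nets6", "any", "all-nets6", "all_services"),
        ]
    return rules


def mixed_family_rule_rejected() -> bool:
    try:
        IPRule("bad_rule", "Drop", "any", "all-nets", "any", "all-nets6", "all_services")
    except ValueError:
        return True
    return False


def demo():
    """Run constructed sample traffic through the rule set with and without Drop All."""
    packets = [
        Packet("lan", "192.168.1.10", "wan", "203.0.113.5", "http"),    # LAN client to Internet
        Packet("lan", "192.168.1.10", "core", "192.168.1.1", "ping"),   # ping the gateway itself
        Packet("wan", "198.51.100.7", "lan", "192.168.1.10", "ssh"),    # unsolicited inbound IPv4
        Packet("wan", "2001:db8::7", "lan", "2001:db8:1::10", "ssh"),   # unsolicited inbound IPv6
    ]
    results = {}
    for with_drop_all in (False, True):
        log = []
        verdicts = [evaluate(build_main_ruleset(with_drop_all), p, log) for p in packets]
        results[with_drop_all] = (verdicts, log)
    return results


if __name__ == "__main__":
    for with_drop_all, (verdicts, log) in demo().items():
        print(f"drop-all rules present: {with_drop_all}")
        for v in verdicts:
            print("  ", v)
        print("   logged:", len(log), "entries")
    print("mixed IPv4/IPv6 rule rejected:", mixed_family_rule_rejected())
```

Without the two Drop All rules the unsolicited inbound packets are still dropped, but only the two allowed connections appear in the log; with them, every drop is attributed to main_drop_all or main_drop_all6, so the rule set name in the log message tells the operator which rule set discarded the traffic.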

Traffic Flow Needs an IP Rule and a Route

Chapter 3: Fundamentals
