Novell BorderManager: A Beginner's Guide to Configuring Filter Exceptions
Craig Johnson
Novell Support Connection SysOp
Second Edition, Beta 1
November 30, 2001
Table of Contents
November 30, 2001
Table of Contents

Table of Contents ..... 2
Table of Figures ..... 6
Acknowledgements ..... 9
About the Author ..... 10
Licensing ..... 11
Official Disclaimer ..... 12
What This Book is About ..... 13
What's New ..... 15
Printing This Book ..... 16
Chapter 1 - The Network Configuration ..... 17
Chapter 2 - The Basics ..... 19
  How Packet Filtering Works ..... 19
    Stateful Filter Exceptions ..... 20
    ACK Bit Filters ..... 20
  Filters and the Relationship to NAT and Routing ..... 21
  What Are Port Numbers? ..... 22
  How Routing Works ..... 24
  Setting up the Default Route ..... 26
  Public and Private IP Address Networks ..... 30
  Secondary IP Addresses ..... 32
  NAT (Routing) versus Proxy ..... 34
  Dynamic NAT - for Outbound Traffic ..... 35
    NAT Implicit Filtering ..... 36
    Disabling NAT Implicit Filtering in INETCFG ..... 36
    Disabling NAT Implicit Filtering at the Server Console Prompt ..... 37
    Security Implications for Disabling NAT Implicit Filtering ..... 37
  Static NAT - for Inbound Traffic ..... 38
  Static NAT and Filtering ..... 39
  Setting up Static NAT ..... 40
    Static NAT versus Reverse Proxy Acceleration ..... 43
  Viewing & Capturing TCP/IP Traffic ..... 44
    Static NAT Example Debug Trace ..... 45
  Setting up Default BorderManager Filters with BRDCFG ..... 46
    The Default Filtering Action ..... 46
    What are the Default Filters? ..... 47
    FILTCFG Examples – The Default Filters ..... 50

Novell BorderManager: A Beginner's Guide to Configuring Filter Exceptions Copyright 1999, 2000, 2001 - Craig S. Johnson
Page 2
    What are the Default Filter Exceptions? ..... 52
    FILTCFG Examples - The Default Filter Exceptions ..... 53
  Security Considerations ..... 62
Chapter 3 - NetWare Tools Used in Filtering ..... 64
  BRDCFG.NLM ..... 64
  CONFIG (Not CONFIG.NLM) ..... 64
  CONLOG.NLM ..... 65
  FILTCFG.NLM ..... 65
  IPFLT.NLM / IPFLT31.NLM ..... 66
  SET TCP IP DEBUG=1 ..... 66
  SET FILTER DEBUG=ON ..... 67
  TCPCON.NLM ..... 67
Chapter 4 - Working with Filters ..... 68
  Backing Up and Restoring Filters and Exceptions ..... 68
  Viewing Filters in Action (TCP IP DEBUG) ..... 68
    TCP DEBUG PING & DNS Example ..... 70
    Browsing Example – No Proxy Configured ..... 72
    Browsing Example – Proxy Configured, Default Filter Exceptions ..... 74
  Filter Debug - An Alternative to TCP IP DEBUG ..... 76
  Filter Debug Example Output ..... 78
  NCF Files To Use With SET FILTER DEBUG=ON ..... 79
    T1.NCF (Turn On Debugging and Capture the Results) ..... 79
    T0.NCF (Turn Off Debugging and Display the Results) ..... 79
  Making a Custom Filter Exception ..... 80
    Part 1, Starting To Make A Filter Exception ..... 80
    Part 2, Defining a New Filter Definition ..... 87
    Part 3, Finishing the Filter Exception ..... 95
Chapter 5 - Example Outbound Filter Exceptions ..... 98
  AIM (AOL Instant Messenger) / AOL ..... 99
  Cisco VPN Client ..... 100
  Citrix WinFrame / MetaFrame ..... 102
  Client-to-Site VPN over NAT ..... 104
  CLNTRUST ..... 108
  DNS from Internal PC's to an ISP's DNS Servers ..... 110
  FTP ..... 112
  GroupWise Remote Client ..... 114
  ICQ Version 2000b ..... 115
  IMAP ..... 117
  Microsoft MSN Messenger ..... 118
  Microsoft Windows Media Player ..... 119
  NNTP ..... 121
  NTP/SNTP ..... 122
  pcANYWHERE ..... 124
  PING (ICMP) ..... 127
  POP3 ..... 128
  RDATE ..... 129
  RealAudio (RealPlayer G2) ..... 131
  RTSP (Real Time Streaming Protocol) ..... 133
  SMTP ..... 134
  SSL (HTTPS) ..... 135
  TELNET ..... 136
  Terminal Server ..... 137
  VNC Viewer ..... 138
  VNC Browser Interface ..... 139
Chapter 6 - Example Inbound Filter Exceptions ..... 140
  DHCP to a PC on the Public Subnet ..... 141
  DHCP to the BorderManager Server ..... 144
  Portal Web Manager on Generic TCP Proxy (on Secondary IP Address) ..... 146
  Reverse HTTP Proxy (on Secondary IP Address) ..... 148
  SSL to Reverse HTTP Proxy (on Secondary IP Address) ..... 151
  RCONJ on Generic Proxy (on Secondary IP Address) ..... 153
Chapter 7 - Example Inbound Filter Exceptions Using Static NAT ..... 155
  Citrix WinFrame ..... 156
  FTP ..... 160
  GroupWise Remote Client ..... 163
  GroupWise Web Access Spell Check ..... 165
  IMAP ..... 167
  Lotus Notes Clients ..... 169
  Microsoft Terminal Server ..... 171
  pcANYWHERE ..... 173
    Locating Internal pcANYWHERE Host with UDP port 5632 ..... 174
    Data Transfer Between pcANYWHERE Hosts using TCP port 5631 ..... 176
    Alternative - Locating Internal pcANYWHERE Host with UDP port 22 ..... 178
  POP3 ..... 180
  SMTP ..... 182
  VNC ..... 186
  Web Servers ..... 188
    HTTP to Internal Web Server ..... 188
    HTTPS / SSL to Internal Web Server ..... 190
Chapter 8 - BorderManager 2.1 – Stateful Filters Alternative ..... 192
  Generic Exception for TCP Return Traffic ..... 194
  Generic Exception for UDP Return Traffic ..... 195
Chapter 9 - Advanced Topics ..... 196
  Basic Improvement - Enhance the Security of the Default Exceptions ..... 196
    Customizing the Default Dynamic/TCP Default Filter Exception ..... 197
  More Security - A DMZ Scenario ..... 199
    Step 1 – Set Filters on the DMZ NIC ..... 201
    Step 2 – Open Filter Exceptions for Inbound Traffic from the Internet to the DMZ ..... 202
    Step 3 – Open Filter Exceptions for Outbound Traffic from the Internal LAN to the DMZ ..... 203
  Most Security - Completely Customized Filter Exceptions ..... 206
    Allow Outbound HTTP for the HTTP Proxy Only ..... 207
    Allow Outbound HTTPS / SSL for the HTTP Proxy Only ..... 207
    Allow Non-Standard Ports Outbound for the Proxy Only ..... 208
  Blocking Chat Programs ..... 209
    Blocking AOL Instant Messenger (as of 11/18/2001) ..... 210
    Blocking MSN Messenger (as of 11/18/2001) ..... 210
    Blocking ICQ (as of 11/18/2001) ..... 210
    Blocking Yahoo Messenger (as of 11/18/2001) ..... 210
    Adding Dummy Static Routes ..... 211
Chapter 10 - Troubleshooting ..... 213
  Is It A Filtering Problem? ..... 213
  Stateful Filter Exceptions Aren't Working ..... 214
  My Filter Exception Looks OK, But My Traffic Is Still Blocked ..... 215
  My Traffic is Blocked, But TCP IP DEBUG Doesn't Show Any Discards ..... 215
  NAT Quit Working ..... 216
    BAD TCPIP.CFG FILE EXAMPLE ..... 216
    Fixing the Problem ..... 219
  NAT Works, but Intermittently, and Communications are Inconsistent or Strange ..... 219
  All My Traffic Is Blocked, Even Proxies ..... 220
  The Application Keeps Changing Port Numbers ..... 220
  Stateful Filters or TCP/IP Communications Work, But Quit Working or Are Inconsistent ..... 220
  My Port Numbers Are Really Weird! ..... 221
  FTP-PORT-PASV-ST Stateful Filter Doesn't Work in BorderManager 3.5 ..... 222
  POP3-ST Stateful Filter Doesn't Work in BorderManager 3.5 ..... 222
  All IP Traffic Quits Working After Some Time ..... 222
  My Application Works For Me, But Not For My Friend Outside The Firewall ..... 223
  I Can't Filter Traffic That Brings Up My Dial-Up Connection! ..... 223
Chapter 11 - Odds & Ends ..... 225
  Other Useful Port Numbers ..... 225
    LDAP ..... 225
    NetWare NCP Over IP ..... 225
    NDPS ..... 225
    SNMP ..... 225
    SCMD ..... 226
    SLP ..... 226
    IPP ..... 226
  Renaming Your Interfaces to Public and Private ..... 226
  Fixing the BorderManager 3.5 POP3-ST Definition ..... 228
  Novell's FILT01A.EXE File ..... 229
Chapter 12 - Other References ..... 230
Index ..... 231
Table of Figures

Figure 1-1 - Network Addressing Scenario ..... 17
Figure 2-1 - INETCFG, Protocols, TCP/IP ..... 26
Figure 2-2 - INETCFG, Protocols, TCP/IP, LAN Static Route, ..... 27
Figure 2-3 - INETCFG - Enter Next Hop for Default Route ..... 28
Figure 2-4 - INETCFG - Reinitialize System Option ..... 29
Figure 2-5 - INETCFG, Bindings, , Expert TCP/IP Bind Options, Network Address Translation ..... 35
Figure 2-6 - INETCFG - Option to Disable NAT Implicit Filtering ..... 36
Figure 2-7 - INETCFG, Network Address Translation ..... 40
Figure 2-8 - INETCFG - Select Static and Dynamic NAT ..... 41
Figure 2-9 - INETCFG - Entering Static NAT Mappings ..... 42
Figure 2-10 - FILTCFG - Deny Packets in Filter List ..... 46
Figure 2-11 - FILTCFG - Default Filter Blocking all IP Traffic to the Public Interface ..... 50
Figure 2-12 - FILTCFG - Default Filter Blocking all IP Traffic from the Public Interface ..... 51
Figure 2-13 - FILTCFG - Default Filter Exception Allowing all Outbound IP Traffic from the Public IP Address ..... 53
Figure 2-14 - FILTCFG - Default Filter Exception Allowing Dynamic TCP to the Public IP Address ..... 54
Figure 2-15 - FILTCFG - Default Filter Exception Allowing Dynamic UDP to the Public IP Address ..... 55
Figure 2-16 - FILTCFG - Default Filter Exception Allowing VPN Master/Slave Traffic to the Public IP Address ..... 56
Figure 2-17 - FILTCFG - Default Filter Exception Allowing VPN Client Authentication to the Public IP Address ..... 57
Figure 2-18 - FILTCFG - Default Filter Exception Allowing VPN Client Keep-Alive Traffic to the Public IP Address ..... 58
Figure 2-19 - FILTCFG - Default Filter Exception Allowing SKIP Protocol to the Public IP Address ..... 59
Figure 2-20 - FILTCFG - Default Filter Exception Allowing Reverse Proxy HTTP Traffic to the Public IP Address ..... 60
Figure 2-21 - FILTCFG - Default Filter Exception Allowing HTTPS (SSL) Traffic to the Public IP Address ..... 61
Figure 3-1 - FILTCFG - Configure Interface Options ..... 66
Figure 4-1 - Netscape Configured Without Proxy Settings ..... 72
Figure 4-2 - Netscape Configured to Use HTTP Proxy ..... 74
Figure 4-3 - SET FILTER DEBUG=ON ..... 77
Figure 4-4 - FILTER DEBUG Capture Example ..... 78
Figure 4-5 - FILTCFG - Main Menu ..... 80
Figure 4-6 - FILTCFG - Select Packet Forwarding Filters ..... 81
Figure 4-7 - FILTCFG - Select List of Packets Always Permitted ..... 81
Figure 4-8 - FILTCFG - Filter Exception Menu ..... 82
Figure 4-9 - FILTCFG - Select Source Interface ..... 83
Figure 4-10 - FILTCFG - Select Destination Interface ..... 84
Figure 4-11 - FILTCFG - Define Exception Packet Type ..... 85
Figure 4-12 - FILTCFG - Create a New Packet Type ..... 86
Figure 4-13 - FILTCFG - Enter Packet Type Name ..... 87
Figure 4-14 - FILTCFG - Enter Packet Type Protocol ..... 88
Figure 4-15 - FILTCFG - Select Protocol ..... 89
Figure 4-16 - FILTCFG - Enter Source Port ..... 90
Figure 4-17 - FILTCFG - Enter Destination Port ..... 91
Figure 4-18 - FILTCFG - Specify Stateful Filtering ..... 92
Figure 4-19 - FILTCFG - Comment the New Definition ..... 93
Figure 4-20 - FILTCFG - Updated Packet Type List ..... 94
Figure 4-21 - FILTCFG - Add Comment for New Exception ..... 95
Figure 4-22 - FILTCFG - Save New Filter Option ..... 96
Figure 4-23 - FILTCFG - New Filter Active in List of Packet Filter Exceptions ..... 97
Figure 5-1 - Filter Exception for Outbound AOL / AOL Instant Messenger / ICQ ..... 99
Figure 5-2 - Filter Exception for Cisco VPN Client Connection, Part 1 of 2 ..... 100
Figure 5-3 - Filter Exception for Cisco VPN Client Connection, Part 2 of 2 ..... 101
Figure 5-4 - Filter Exception for Outbound Citrix ICA Client ..... 102
Figure 5-5 - Filter Exception for Outbound Citrix Browser Client ..... 103
Figure 5-6 - Filter Exception for Initial BorderManager Client-to-Site VPN Authentication over NAT ..... 105
Figure 5-7 - Filter Exception for Outbound BorderManager Client-Site VPN over NAT ..... 106
Figure 5-8 - Filter Exception for BorderManager Client-to-Site VPN KeepAlive Packets over Dynamic NAT ..... 107
Figure 5-9 - Filter Exception for Internal CLNTRUST Traffic to Public IP Address ..... 108
Figure 5-10 - Filter Exception for Outbound DNS Queries over UDP with Source Ports Specified ..... 110
Figure 5-11 - Filter Exception for Outbound DNS Queries over TCP ..... 111
Figure 5-12 - Filter Exception for Outbound FTP ..... 113
Figure 5-13 - Filter Exception for Outbound GroupWise Remote Client ..... 114
Figure 5-14 - ICQ 2000b Settings for AOL Port Number ..... 115
Figure 5-15 - Filter Exception for Outbound ICQ 2000b ..... 116
Figure 5-16 - Filter Exception for Outbound IMAP ..... 117
Figure 5-17 - Filter Exception for Outbound MSN Messenger ..... 118
Figure 5-18 - Windows Media Player MMS Protocol Settings ..... 119
Figure 5-19 - Filter Exception for Outbound Windows Media Player MMS Protocol ..... 120
Figure 5-20 - Filter Exception for Outbound NNTP ..... 121
Figure 5-21 - Filter Exception for Outbound NTP ..... 122
Figure 5-22 - Filter Exception for Outbound pcANYWHERE Location Protocol (Old) ..... 124
Figure 5-23 - Filter Exception for Outbound pcANYWHERE Location Protocol ..... 125
Figure 5-24 - Filter Exception for Outbound pcANYWHERE Data ..... 126
Figure 5-25 - Filter Exception for Outbound ICMP (PING & TRACERT) ..... 127
Figure 5-26 - Filter Exception for Outbound POP3 ..... 128
Figure 5-27 - Filter Exception for Outbound RDATE Time Protocol ..... 129
Figure 5-28 - RealPlayer G2 Settings to Bypass PNA & RTSP Proxy ..... 131
Figure 5-29 - Filter Exception for Outbound RealAudio (PNA) ..... 132
Figure 5-30 - Filter Exception for Outbound RTSP ..... 133
Figure 5-31 - Filter Exception for Outbound SMTP ..... 134
Figure 5-32 - Filter Exception for Outbound SSL / HTTPS ..... 135
Figure 5-33 - Filter Exception for Outbound TELNET ..... 136
Figure 5-34 - Filter Exception for Outbound Microsoft Terminal Server ..... 137
Figure 5-35 - Filter Exception for Outbound VNC Viewer for 10 Console Sessions ..... 138
Figure 5-36 - Filter Exception for Outbound VNC through a Web Browser for 10 Console Sessions ..... 139
Figure 6-1 - Filter Exception for Initial DHCP Client Request to Broadcast Address on Public Interface ..... 141
Figure 6-2 - Filter Exception for DHCP Client Responses from Public IP Address ..... 142
Figure 6-3 - Filter Exception for Inbound DHCP Renewal Requests ..... 143
Figure 6-4 - Filter Exception for Public Interface to get DHCP Address ..... 145
Figure 6-5 - Filter Exception for Inbound Portal Web Manager to Generic TCP Proxy on Secondary IP Address ..... 146
Figure 6-6 - Filter Exception for Portal Responses from Generic TCP Proxy on Secondary Public IP Address ..... 147
Figure 6-7 - Filter Exception for HTTP to Reverse HTTP Proxy on Secondary Public IP Address ..... 148
Figure 6-8 - Filter Exception for Reverse HTTP Proxy Responses from Reverse HTTP Proxy on Secondary Public IP Address ..... 149
Figure 6-9 - Filter Exception for Inbound HTTPS/SSL to Reverse HTTP Proxy on Secondary Public IP Address ..... 151
Page 7
Table of Figures
November 30, 2001
Figure 6-10 - Filter Exception for Outbound HTTPS / SSL Responses from Reverse HTTP Proxy on Secondary Public IP Address .... 152
Figure 6-11 - Filter Exception for Inbound RCONJ to Generic TCP Proxy on Secondary Public IP Address .... 153
Figure 6-12 - Filter Exception for Outbound Responses from RCONJ on Generic TCP Proxy .... 154
Figure 7-1 - Filter Exception for Inbound Citrix ICA Client .... 156
Figure 7-2 - Filter Exception for Outbound Citrix ICA Client Responses .... 157
Figure 7-3 - Filter Exception for Inbound Citrix Browser-based Client .... 158
Figure 7-4 - Filter Exception for Outbound Citrix Browser-based Client Responses .... 159
Figure 7-5 - Filter Exception for Inbound FTP Control and Data Ports .... 160
Figure 7-6 - Filter Exception for Outbound FTP Control Port Responses .... 161
Figure 7-7 - Filter Exception to Allow Outbound FTP Data Port Responses .... 162
Figure 7-8 - Filter Exception for Inbound GroupWise Remote Client .... 163
Figure 7-9 - Filter Exception for Outbound GroupWise Remote Client Responses .... 164
Figure 7-10 - Filter Exception for Inbound Collexion Spell Check Requests .... 165
Figure 7-11 - Filter Exception for Outbound Collexion Spell Check Responses .... 166
Figure 7-12 - Filter Exception for Inbound IMAP .... 167
Figure 7-13 - Filter Exception for Outbound IMAP Responses .... 168
Figure 7-14 - Filter Exception for Inbound Lotus Notes Client .... 169
Figure 7-15 - Filter Exception for Outbound Lotus Notes Client Responses .... 170
Figure 7-16 - Filter Exception for Inbound Microsoft Terminal Server .... 171
Figure 7-17 - Filter Exception for Outbound Terminal Server Responses .... 172
Figure 7-18 - Filter Exception for Inbound pcANYWHERE Location Protocol .... 174
Figure 7-19 - Filter Exception for Outbound pcANYWHERE Location Responses .... 175
Figure 7-20 - Filter Exception for Inbound pcANYWHERE Data .... 176
Figure 7-21 - Filter Exception for Outbound pcANYWHERE Data Responses .... 177
Figure 7-22 - Filter Exception for Inbound Older pcANYWHERE Location Protocol .... 178
Figure 7-23 - Filter Exception for Outbound Older pcANYWHERE Location Protocol Responses .... 179
Figure 7-24 - Filter Exception for Inbound POP3 Requests to Internal Mail Server .... 180
Figure 7-25 - Filter Exception for Outbound POP3 Responses from Internal Mail Server .... 181
Figure 7-26 - Filter Exception for Inbound SMTP .... 182
Figure 7-27 - Filter Exception for Outbound SMTP Responses .... 183
Figure 7-28 - Filter Exception for Outbound SMTP .... 184
Figure 7-29 - Filter Exception for Inbound SMTP Responses .... 185
Figure 7-30 - Filter Exception for Inbound VNC Console Connections 1-10 .... 186
Figure 7-31 - Filter Exception for Outbound VNC Responses .... 187
Figure 7-32 - Filter Exceptions for Inbound HTTP to Web Server .... 188
Figure 7-33 - Filter Exception for Outbound HTTP Responses .... 189
Figure 7-34 - Filter Exception for Inbound HTTPS / SSL .... 190
Figure 7-35 - Filter Exception for Outbound HTTPS Responses .... 191
Figure 8-1 - Generic TCP Filter Exception to Allow All Return Traffic .... 194
Figure 8-2 - Generic UDP Filter Exception to Allow All Return Traffic .... 195
Figure 9-1 - DMZ with Three Network Cards, IP Addressing Diagram .... 200
Figure 9-2 - Filters Applied for PUBLIC and DMZ Interfaces .... 201
Figure 9-3 - Filter Exception to Allow Inbound HTTP to DMZ Web Server from the Internet .... 202
Figure 9-4 - Filter Exception to Allow Outbound HTTP Responses from DMZ Web Server to the Internet .... 203
Figure 9-5 - Filter Exception to Allow HTTP to DMZ Web Server from Internal LAN .... 204
Figure 9-6 - Filter Exception to Allow FTP to DMZ Web Server from Internal LAN .... 205
Figure 9-7 - Dummy Static Route to Redirect MSN Messenger .... 212
Acknowledgements

The author would like to acknowledge the following people who have contributed significantly to the creation of this book.

Caterina Luppi, who tirelessly proofread many revisions of this book and contributed many suggestions.

Marcus Williamson and the other Novell Support Connection Sysops, who have contributed suggestions and caught errors in various revisions.

Shane Rogers, Steven Meier, Mark Smith, Lance Haig, Steven Coutts and especially Mike Sixsmith, who helped proofread various drafts of the book and gave feedback and suggestions.

Frank Berzau, Novell Support Engineer, who contributed valuable technical advice and corrections to this book.

Danita
About the Author

Craig Johnson has been working with computers since he wrote his first program in college at Purdue University. Currently Craig owns his own consulting business based in Phoenix, Arizona, working on projects around the continent and beyond. Many of Craig’s clients became familiar with him through his forum work or books.

Craig has been a Novell Support Connection Sysop for over four years, and he specializes in (naturally) the BorderManager forums at forums.novell.com (NNTP). Craig has been working with BorderManager since before the official release of BorderManager. Through the Novell Support Connection forums Craig has provided advice on a great many BorderManager installations. Craig has also presented sessions on BorderManager packet filtering and BorderManager troubleshooting at Novell’s BrainShare seminar in Salt Lake City.

When not spending hours per day at a computer, Craig likes to work out in Taekwondo, where he holds the rank of Black Belt, third degree, and is a certified instructor.

Most days Craig can be reached via the Novell Support Connection Public Forums in the BorderManager sections. His web site is http://nscsysop.hypermart.net. Craig is available for hire and does the majority of his BorderManager consulting work over the Internet with clients all over the world.
Licensing

http://www.caledonia.net/

Volume purchase agreements are available. Contact the author at [email protected] for details.
Official Disclaimer

The author and publisher have made their best efforts to prepare this book. The author and the publisher make no representation or warranties of any kind with regard to the completeness or accuracy of the contents herein and accept no liability of any kind, including but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly by this book.
What This Book is About

• Outbound traffic for AOL Instant Messenger (AIM), Cisco VPN Client, Client-to-Site Novell VPN Client, Citrix, DNS, FTP, GroupWise Remote Client, ICQ, IMAP, Microsoft MSN Messenger, Microsoft Windows Media Player, NNTP, NTP/SNTP, pcANYWHERE, PING, POP3, RealAudio, RTSP, SMTP, SSL, TELNET, Terminal Server and VNC

• Inbound traffic to reverse proxy acceleration of internal web servers on secondary IP addresses, generic TCP proxy for Portal Web Manager and RCONJ, and DHCP for PC’s on the public subnet and for the BorderManager server acting as a DHCP client

• Inbound traffic through static NAT configurations for Citrix WinFrame, FTP, GroupWise Remote Client, GroupWise Web Access Spell Check, IMAP, Lotus Notes Client, Microsoft Terminal Server, pcANYWHERE, POP3, SMTP, VNC and Web Servers

Most of the discussion and examples focus on the filtering capabilities provided with BorderManager 3.x, such as stateful filtering, but mention is also made of the limitations of BorderManager and how to work around them.

A good source of information on BorderManager in general is the web-based Novell Support Connection Public Forums at http://support.novell.com/ or support-forums.novell.com (NNTP). I highly recommend using an NNTP reader to check out the forums.

I have written a book on configuring BorderManager 3.x that covers BorderManager comprehensively. You can buy that book at the same place as this one, http://www.caledonia.net/. That book only touches on packet filtering, but covers proxies, gateways, access rules, patches, logging and usage.

BorderManager documentation from Novell is also available at Novell’s web site at the following URL: http://www.novell.com/documentation
What’s New

Since the First Edition came out, I have been looking forward to revising it someday with additional examples and more information on securing your servers. The biggest differences between the Second Edition and the First Edition are:

• Every screenshot has been redone, is in general larger, in color, and should print more clearly on a wider range of printers.

• Many more filter exception examples, and almost every filter exception example uses a custom definition instead of the built-in definitions. This was done to specify source ports and/or ACK bit filtering for better security.

• ACK bit filtering discussed and used in almost all non-stateful examples.

• Advanced section added discussing DMZ scenarios, complete customization of the filter exceptions, and blocking chat programs.

• Enhancements to the formatting of the book to improve readability, including chapter headers, different spacing and formatting of the table of contents, listing the parameters of filter examples in bulleted lists, and cross-references to figures, headings and page numbers.
Printing This Book

This book is sold in PDF format. While it should display beautifully on your monitor, you may find that you have problems getting the graphics to print well. The symptom is very “blocky” looking graphics. If you have problems printing the graphics, be sure to print as follows.

Use a recent version of Acrobat Reader; older versions do not have the option shown below, and a newer version doesn’t seem to have a problem printing this book at all. When you print, you might want to select the option ‘Print As Image’ in the print dialog as shown below. This option made a huge difference for me when printing to an HP LaserJet PCL printer.

If the above settings do not help, see the troubleshooting guide at the following URL: http://www.adobe.com/support/techdocs/150d6.htm
Chapter 1 - The Network Configuration

This book works under the following assumptions, and most of the examples provided are based on the network configuration shown in Figure 1-1.

BorderManager Example Scenario IP Addressing (diagram; the labels recovered from the drawing are listed here):

• Internet (your ISP), reached over a WAN link to a router on the external LAN (public). Router LAN address 4.3.2.1 (255.255.255.0); default route = 4.3.2.1.
• Novell BorderManager 3.x server, acting as firewall and reverse proxy server. Public interface = PUBLIC, with addresses 4.3.2.254, 4.3.2.253, 4.3.2.252, 4.3.2.251, 4.3.2.250 and 4.3.2.249; private interface = PRIVATE, at 192.168.10.252 (255.255.255.0). A further address on the public segment, 4.3.2.2, also appears in the drawing.
• Internal network (private): hosts 192.168.10.240, 192.168.10.241, 192.168.10.244, 192.168.10.250 and 192.168.10.251, plus PCs. Internal hosts have a default route of 192.168.10.252.
• GroupWise, IMAP, POP3, SMTP mail and Web Access server (static NAT to 4.3.2.253).
• Software virtual web servers, FTP server and VNC (static NAT to 4.3.2.252).
• Citrix server (static NAT to 4.3.2.251).
• Lotus Notes, Terminal Server and pcANYWHERE host (static NAT to 4.3.2.250).
• FTP and web server, Portal (reverse proxied on 4.3.2.249).
• Test PC, used to check static NAT access, chat software, pcANYWHERE and reverse proxy.
• All networks use a Class C subnet mask, 255.255.255.0.

Figure 1-1 - Network Addressing Scenario
A dedicated Internet connection is provided through a WAN link to a router with a small public IP segment. On that public IP segment there is a LAN connection to the router, a LAN connection to a BorderManager server, and potentially a LAN connection to a PC which can be used for testing connections ‘outside’ the internal LAN.

A BorderManager server is set up with two network interfaces, one connected to the external LAN (Internet/public side) and one connected to the internal LAN (private side). Multiple publicly registered IP addresses are assumed to be available on the external IP segment, meaning at least a 255.255.255.248 subnet mask is in use on the external IP segment to allow up to six useable IP addresses on that segment.
With a .248 subnet mask, one of the six available publicly-registered IP addresses will be assigned to the router LAN port, one could be reserved for a test PC, and the remaining four are then available to assign to the BorderManager public interface. More IP addresses can be assigned to the BorderManager server if you have, for instance, a full Class-C public address range available to you.
Chapter 2 - The Basics

Before you start trying to set up filter exceptions, you need to know basic information like:

• How packet filtering works
• How port numbers are used
• How routing works
• How to add additional IP addresses to one network interface card
• How to view what is happening to IP packets at a NetWare server

This section covers much of what you need.
How Packet Filtering Works

Packet filtering works by examining fields in TCP/IP data packets and allowing them to be routed or not depending on the value of certain fields. This book is primarily concerned with filtering as it pertains to the source and destination port numbers, and somewhat with the source and destination IP address fields.

Generally, ALL traffic is filtered at some point and certain exceptions are allowed through. In the case of Novell’s BorderManager, the default filters stop all inbound IP traffic from the public interface and outbound IP traffic going to the public interface. In addition, the default filters include certain filter exceptions that are needed for HTTP Proxy and VPN to function.

Note: The default filters also include IPX filters, but this book is entirely concerned with IP filters and does not make any other mention of IPX filtering.

The filters and filter exceptions do not just stop data from getting ‘through’, but also actually stop traffic from either entering or leaving a certain IP address or a certain network interface. This is an important point, because you may run into situations where traffic is allowed to an internal (private side) interface on your BorderManager server but is dropped when it tries to leave an external (public side) IP address. Thus, the direction that traffic is flowing is also considered in packet filtering.
Stateful Filter Exceptions

Stateful filter exceptions automatically keep track of a ‘conversation’ between the originating host and the receiving host. A stateful filter exception not only allows a certain port number in one direction, but also allows the necessary return traffic back from the other end

theoretically a bit slower, as there is more CPU and memory overhead involved. In this book, most of the outbound filter examples shown use stateful filters, but the inbound exceptions to proxy or static NAT hosts do not use stateful filters, in an attempt to maximize performance and because of a potential security problem not discussed in this book. Stateful filters can be applied to TCP, UDP and ICMP traffic.
ACK Bit Filters

ACK bit filters check for the presence of the ACK bit (acknowledge bit) in a TCP packet. (UDP packets don’t have an ACK bit.) When a TCP ‘conversation’ (session) is initiated, the first TCP packet doesn’t have the ACK bit set. However, the return traffic and subsequent packets between source and destination for that session do have the ACK bit set. Since you generally cannot initiate a TCP session to a host with the ACK bit already set, filtering incoming traffic for the presence of an ACK bit (not set = filter the packet) is better for security than not checking the ACK bit. The idea here is to not allow the packets in unless the ACK bit is already set. Keep in mind that this is a check on one bit of the packet at hand, not a check that a conversation actually exists: a packet deliberately sent with the ACK bit set will pass an ACK bit filter, so an ACK bit exception is an improvement over no check at all rather than a substitute for a stateful exception.

Novell provides the ability to use ACK bit filtering in newer versions of BorderManager. This book also applies ACK bit filtering in all of the outbound response filter exceptions for static NAT in order to increase security and control of the server.

If the default Dynamic/TCP filter exception is changed to call out ACK bit filtering (see “Basic Improvement - Enhance the Security of the Default Exceptions”), then inbound high-port traffic is allowed only if it carries the ACK bit, as the responses to an earlier outbound request do.

UDP does not use ACK bits, therefore you cannot set ACK bit filtering on the default Dynamic/UDP filter exception. However, there are not many applications that listen on UDP high ports on a NetWare server, so there is not very much exposure to problems with the default Dynamic/UDP exception.
Filters and the Relationship to NAT and Routing

Filters can take place before or after a packet is routed to the next hop. It is more useful to think of filters and filter exceptions as applying when a packet either arrives at or leaves an interface or an IP address. In the vast majority of cases, filters are applied on one or more interfaces, so filtering takes place when a packet tries to enter or leave an interface. However, filter exceptions are set up to apply when packets enter or leave an interface, or to or from certain IP addresses.

It is more confusing for most people to see how filtering is related to NAT. The important concept here is that NAT itself takes place ‘at the edge’. That is, NAT is either the first or the last process to take place, depending on the direction of the packet and where NAT has been applied. The normal case for NAT is that it is applied on the public IP binding. Therefore, NAT is applied on the ‘outside edge’
What Are Port Numbers?

Port numbers can be thought of as describing the type of data contained within a packet. Strictly speaking, port numbers just represent the endpoint of a connection and not the type of data, but it is useful in this book to consider certain port numbers as meaning certain types of data. Both the sending and receiving program must agree on what port numbers are being used for the program to function. Typically, a ‘well-known’ port number is used for the destination port when trying to initiate a conversation over IP. Most well-known programs use port numbers below 1024.

Note: A search of the Internet for 'well-known port numbers' should turn up a number of sites that list many well-known port numbers. See the Other References chapter for some web sites to check.

For example, a TELNET session would typically send out the first packet with a destination port of 23. The receiving program would effectively be looking for port 23 inside incoming data packets, and when one was found with that port, the data would be processed further.

Note: Strictly speaking, the application registers a listener port with the stack. The stack itself then monitors incoming packets on the port and puts them into a queue (where there is one queue per listener). The application monitors this queue, picks up any packets found in there, and processes them. This is the technical explanation (from a Novell engineer), but I find it easier to just think of an application listening for certain port numbers!

On the other hand, the source port is typically assigned at random from a range of 1024 to 65535. Return traffic to the originating host would send back data packets using the original source port as a destination port. Consider the following example.

A Simple Mail Transfer Protocol (SMTP) packet is sent from the originating host to a mail server using a source port chosen at random from the range of numbers between 1024 and 65535, and destination port 25. The originating SMTP program expects to receive return traffic on a destination port equal to that source port, or it will not recognize the traffic as a response to this packet. The SMTP mail server receives the packet, recognizes that it is an SMTP mail packet because the destination port number is 25, and processes it.

The SMTP mail server then sends out a return packet using the original source and destination ports, except that it switches the two. A new packet goes back to the originating host using source port 25 and a destination port equal to the original source port. The originating host receives the packet from the mail server, recognizes the port pair as being part of a conversation it was trying to have with that mail server, and processes the data accordingly.
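The SMTP conversation above, together with the stateful and ACK bit filter exceptions described earlier in this chapter, can be put side by side in a small simulation. The Python below is an added illustration written for this edit, not BorderManager or FILTCFG code, and its addresses, port numbers and rule names are constructed: a stateful filter records each outbound conversation and admits only the packet that answers it with source and destination swapped, while an ACK bit filter looks at a single bit in the packet in front of it, so it also admits an unsolicited packet that merely has the ACK bit set.

```python
from dataclasses import dataclass

# TCP flag bits as they appear in the TCP header flags field.
SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    sport: int    # source port
    dst: str      # destination IP address
    dport: int    # destination port
    flags: int    # TCP flags bitmask


class StatefulFilter:
    """Outbound packets to the allowed destination port are admitted and the
    conversation is remembered; an inbound packet is admitted only if it is the
    return half of a remembered conversation (addresses and ports swapped)."""

    def __init__(self, allowed_dport: int) -> None:
        self.allowed_dport = allowed_dport
        self.conversations = set()

    def outbound(self, pkt: Packet) -> bool:
        if pkt.dport != self.allowed_dport:
            return False
        self.conversations.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        # The reply carries the server's well-known port as its source and the
        # client's random high port as its destination, so swap before lookup.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conversations


def ack_bit_filter(pkt: Packet) -> bool:
    """Model of a non-stateful 'allow high ports if ACK is set' exception: the
    only thing examined is one bit in the packet at hand."""
    return pkt.dport >= 1024 and bool(pkt.flags & ACK)


def demo() -> dict:
    """Run one SMTP conversation plus two unsolicited packets through both
    filters and report ALLOW (True) / DROP (False) for each case."""
    client, server = "192.168.10.10", "203.0.113.25"   # constructed addresses
    sport = 1500                                        # random port above 1023
    stateful = StatefulFilter(allowed_dport=25)

    request = Packet(client, sport, server, 25, SYN)        # first packet, no ACK
    reply = Packet(server, 25, client, sport, SYN | ACK)    # ports swapped, ACK set
    # Unsolicited packets from a third host aimed at the client's high port:
    probe = Packet("198.51.100.7", 25, client, sport, ACK)      # ACK set, no conversation
    syn_in = Packet("198.51.100.7", 4000, client, sport, SYN)   # new connection attempt

    return {
        "request_out": stateful.outbound(request),
        "reply_stateful": stateful.inbound(reply),
        "probe_stateful": stateful.inbound(probe),
        "reply_ackbit": ack_bit_filter(reply),
        "probe_ackbit": ack_bit_filter(probe),
        "syn_ackbit": ack_bit_filter(syn_in),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:15} {'ALLOW' if allowed else 'DROP'}")
```

Running the block prints ALLOW or DROP for each case. The two probe lines are the point: the stateful filter drops the unsolicited packet because no conversation matches it, while the ACK bit filter lets it through because the bit is set, which is why the chapter presents ACK bit filtering as an improvement over no check at all rather than as the equal of a stateful exception.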
How Routing Works

A discussion of routing protocols is well beyond the scope of this book, but some discussion must be made since packet filter issues often turn out to be routing issues instead. Generally, you need to be sure that a routing protocol such as IP RIP is enabled on your internal routers, or you have entered static routes for all your internal networks. There are two basic points to be made here.

In order to move a packet inside your LAN, all the routers (including BorderManager) must know all the interior subnets and what interface IP address is used to forward any packets destined for that subnet. You may think that data is not getting ‘through’

You are likely to be having a routing issue, and experience says that most routing issues involve incorrect or missing default routes.

Here is an analogy of what a default route is. Say you live in a house with several other people and you want to send one of them a little letter. You write the letter and are ready to deliver it. Since you live in the house, you not only know the address of everyone in the house (master bedroom, kid’s bedroom, etc.) but you know how to find the room. Therefore you go to the room and slide the letter under the door. Now let’s say you want to mail a letter to someone else, and that person lives in another city. You have the address, but you have

inside your house (inside your LAN). Remember that the first step a packet takes toward a host outside your LAN is the next router on your LAN, and your own PC needs a default route to it in order to start the packet on its way.
Setting up the Default Route

Your BorderManager server will need a default route configured in order to function. This is most easily done at the server console using INETCFG.NLM, as shown in Figure 2-1.

Figure 2-1 - INETCFG, Protocols, TCP/IP

To set up a default route, type LOAD INETCFG at the server console prompt, select Protocols, TCP/IP, enable static routing, and select LAN Static Routing Table.

Note: The screenshot shown in Figure 2-1 was taken from a NetWare 5.1 server that has the proper configuration files for Dead Gateway Detection. Your server may or may not have that option, which is related to the version of TCPIP.NLM that is installed. Dead Gateway Detection is a method of determining if one default route is active and switching to another one if it is not.
Figure 2-2 - INETCFG, Protocols, TCP/IP, LAN Static Route

Once you select LAN Static Routing Table, press Insert and then select Default Route.
Figure 2-3 - INETCFG - Enter Next Hop for Default Route
Enter the next hop for the default route for your server. This should be the local LAN address of the router connecting your BorderManager server to the Internet, or the router that is the next hop towards the Internet (refer to Figure 1-1). When done entering data, accept the changes and go back to the main menu.
Figure 2-4 - INETCFG - Reinitialize System Option
Select Reinitialize System to put the changes into effect. (Or type reinitialize system at the console prompt.) Exit INETCFG when done.

Note: The default route entry should appear in the SYS:ETC\GATEWAYS file, and look something like this:

Net 0 Gateway 4.3.2.1 Metric 1 Passive

You can also edit this file manually if you wish, but remember to type reinitialize system when done editing. The Net 0 (sometimes shown as 0.0.0.0) indicates ‘default route’ by convention. Gateway is a keyword indicating that all packets going to network 0 (which means all packets going to some address not otherwise present in the routing tables on the server) will be sent to the IP address following. Metric 1 means that the cost of this route is 1, which is as low as Novell allows, and takes precedence over higher cost routes. Passive effectively means that the route is considered to always be available.
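A quick offline check of the GATEWAYS entry against the addressing used in this book, as an added Python example rather than anything Novell ships: it parses entries in the form shown above, finds the default route, and confirms that the next hop sits on a subnet bound to one of the server's interfaces, since a next hop the server cannot reach directly is one form of the incorrect default route mentioned in the routing discussion. The file contents and the two bindings (4.3.2.254/24 for PUBLIC and 192.168.10.252/24 for PRIVATE, taken from Figure 1-1) are constructed for the example, and the assumption that comment lines begin with '#' is mine.

```python
from __future__ import annotations

import ipaddress
import re

# Constructed sample of a SYS:ETC\GATEWAYS file. Comment lines are assumed to
# start with '#'. The 'Net 0 ... Passive' line is the form the chapter shows;
# 'Host' entries and '0.0.0.0' are accepted as well.
GATEWAYS_TEXT = """\
# default route written by INETCFG
Net 0 Gateway 4.3.2.1 Metric 1 Passive
Net 172.16.0.0 Gateway 192.168.10.1 Metric 2 Passive
Host 10.9.8.7 Gateway 9.9.9.9 Metric 1 Passive
"""

# Constructed interface bindings from the example scenario.
BINDINGS = {
    "PUBLIC": ipaddress.ip_interface("4.3.2.254/24"),
    "PRIVATE": ipaddress.ip_interface("192.168.10.252/24"),
}

ENTRY_RE = re.compile(
    r"^(?P<kind>Net|Host)\s+(?P<target>\S+)\s+Gateway\s+(?P<gw>\S+)"
    r"(?:\s+Metric\s+(?P<metric>\d+))?(?:\s+(?P<mode>Passive|Active))?\s*$",
    re.IGNORECASE,
)


def parse_gateways(text: str) -> list[dict]:
    """Turn the file into a list of entry dicts; reject lines it cannot read."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised GATEWAYS line: {raw!r}")
        entries.append({
            "kind": m["kind"].capitalize(),
            "target": m["target"],
            "gateway": ipaddress.ip_address(m["gw"]),
            "metric": int(m["metric"] or 1),
            "mode": (m["mode"] or "Active").capitalize(),
        })
    return entries


def is_default(entry: dict) -> bool:
    return entry["kind"] == "Net" and entry["target"] in ("0", "0.0.0.0")


def directly_connected(gateway, bindings: dict) -> str | None:
    """Name of the binding whose subnet contains the gateway, else None."""
    for name, iface in bindings.items():
        if gateway in iface.network:
            return name
    return None


def check_default_route(text: str, bindings: dict) -> dict:
    """Report whether exactly one default route exists and is reachable."""
    defaults = [e for e in parse_gateways(text) if is_default(e)]
    result = {"count": len(defaults), "problems": []}
    if not defaults:
        result["problems"].append("no default route (Net 0) entry")
        return result
    if len(defaults) > 1:
        result["problems"].append("more than one default route entry")
    d = defaults[0]
    result["gateway"] = str(d["gateway"])
    result["metric"] = d["metric"]
    result["via"] = directly_connected(d["gateway"], bindings)
    if result["via"] is None:
        result["problems"].append(f"next hop {d['gateway']} is not on a bound subnet")
    return result


def unreachable_next_hops(text: str, bindings: dict) -> list[str]:
    """Every Gateway address in the file that no interface subnet contains."""
    return [str(e["gateway"]) for e in parse_gateways(text)
            if directly_connected(e["gateway"], bindings) is None]


if __name__ == "__main__":
    print(check_default_route(GATEWAYS_TEXT, BINDINGS))
    print("unreachable next hops:", unreachable_next_hops(GATEWAYS_TEXT, BINDINGS))
```

For the constructed file the default route is reported as reachable via PUBLIC, and the Host entry's next hop 9.9.9.9 is flagged because neither bound subnet contains it; that is the kind of entry that looks fine in INETCFG but can never forward a packet.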
Public and Private IP Address Networks
In order to route IP traffic to the proper host on the Internet, each host must be configured with a globally unique IP address that is registered with Internic. Such an IP address is called a public IP address. A company will normally purchase an IP address range from an Internet Service Provider (ISP) and pay a yearly maintenance fee based partly on the number of IP addresses they are reserving. The ISP will take care of ensuring that all incoming Internet traffic to a host within that IP address range knows how to get there. It is essential to have at least one properly registered public IP address configured on the public interface of your BorderManager server for it to communicate to the Internet (unless using Network Address Translation on an ‘upstream’ router).
Partly because of the cost involved, and partly because the world is running out of publicly available IP address ranges, not everyone has public IP addresses assigned inside their private LANs. In some cases (not recommended) an address range registered to a different company is in use on a private LAN. To avoid the situation where registered addresses are being used on different networks, three different IP address networks have been set aside for anyone to use. These special IP networks are called private IP addresses. Internet routers are programmed to drop packets with a private IP destination address. The three private address ranges set aside for use are:
• 10.x.x.x (a full Class A range)
• 172.16.x.x to 172.31.x.x (Class B ranges)
• 192.168.x.x (Class C ranges)
You can use these IP networks as you wish within your internal network and subnet them as needed, but they MUST be used with either dynamic NAT (Network Address Translation) or proxy services, or both. Most people find the 192.168.x.x network to be the easiest to work with, as it is easier to understand Class C subnetting than other classes. The use of these IP networks is discussed in the following document:
RFC 1918 - Address Allocation for Private Internets. Y. Rekhter, B. Moskowitz, D. Karrenberg, G. J. de Groot & E. Lear. February 1996. (Format: TXT=22270 bytes) (Obsoletes RFC1627, RFC1597) (Also BCP0005) (Status: BEST CURRENT PRACTICE)
Note: Use this URL for a link to RFC 1918: ftp://ftp.isi.edu/in-notes/rfc1918.txt
Since these ranges cannot ‘talk’ …
Remember – if you use the private IP addresses, you will not get a response back from the Internet to your PC unless you are using a Proxy, a Gateway service or have dynamic NAT enabled! This has nothing to do with filtering! The routers on the Internet will drop packets with private addresses.
Secondary IP Addresses
Once you wish to provide a service to users on the Internet, like a public web server, you will often find that you need to assign more than one IP address to the public network interface card in a firewall (in this case, BorderManager). You will usually need a dedicated IP address for each service, such as a web server or a mail server, that you want to host. The characteristic involved is whether or not you need to allow incoming traffic – traffic going from the internal LAN to the outside Internet is usually sent out a single IP address and doesn’t require any additional addresses on the BorderManager server. With NetWare, it is possible to assign many IP addresses to each network interface in a server, though it isn’t so easy to see more than one assigned address.
Note: You can assign addresses in different networks to a single network card, and NetWare will route between them as if they were assigned to two different network cards. Assigning addresses from different networks is done in INETCFG by simply binding a new address to an interface. An example would be to assign 192.168.10.254 and 172.16.31.254 to an interface. This book does not cover such an assignment, as it is not normally needed in a BorderManager configuration. This is NOT the same as a secondary IP address.
A typical way to assign multiple addresses to a network interface is to add IP addresses from within the same IP network to an interface. An example would be to assign two further addresses to an interface that already has an IP address bound from INETCFG. These types of addresses on a NetWare server are called secondary IP addresses. Assign a secondary IP address to an interface with the ADD SECONDARY IPADDRESS command, as in this example, which adds IP address 192.168.10.253 to an existing interface:
ADD SECONDARY IPADDRESS 192.168.10.253
Note: IPADDRESS is all one word!
NetWare will look at the addresses already assigned to the interfaces and add the secondary IP address to the interface that is already configured for that network range. Again, an example would be to have a current binding of one address on an interface (configured with INETCFG under Bindings, TCP/IP) and ADD SECONDARY IPADDRESS with a second address from the same network at the server console. You would then have two addresses assigned to the same interface. Once you have executed the ADD command, the IP address is instantly available – you do not have to reinitialize or reboot the server.
Secondary IP addresses do not show up when typing CONFIG at the server, and they do not show up in the Bindings menu of INETCFG. You display the secondary IP addresses with the command:
DISPLAY SECONDARY IPADDRESS
If you wish to remove a secondary IP address, use the command DELETE SECONDARY IPADDRESS, as in this example that removes the previously defined secondary address of 192.168.10.253:
DELETE SECONDARY IPADDRESS 192.168.10.253
Caution! Secondary IP addresses are not permanent – you need to put the ADD SECONDARY IPADDRESS 192.168.10.253 command in AUTOEXEC.NCF (after the primary bindings are made) so that the addresses will be available after a server reboot.
NAT (Routing) versus Proxy
BorderManager provides more than one means of getting to the Internet –
…’s IP address as the return packet destination address. Because the proxy is doing all the work for the PC, the PC doesn’t have to be configured with DNS (at least not in the case of HTTP proxy), nor do any special filters need to be set up, nor does dynamic NAT have to be enabled at the server. However, the server itself must be properly configured to resolve DNS queries. You control traffic through proxies by setting up access rules in the BorderManager configuration.
If routing (as with NAT) is used instead of Proxy services, you will need to:
• Define a DNS entry on the originating host (PC), at least if DNS hostname queries are required for the service (such as HTTP)
• Enable Dynamic NAT on the BorderManager server if a private IP network address is used on the internal LAN
In addition, some type of filter exception must be configured on the BorderManager server to allow the desired traffic to go out and to allow the return traffic to get back in. The only control over outbound traffic is to set up the filter exceptions allowing the traffic. These exceptions can allow every host in the internal LAN to get out, or only selected IP network ranges, or only selected IP addresses (hosts).
Dynamic NAT - for Outbound Traffic
Dynamic NAT is used to automatically translate (and ‘hide’) internal IP addresses to a public IP address on the BorderManager server. Dynamic NAT keeps track of the conversations taking place and dynamically couples the return traffic to the original requester. Dynamic NAT is usually set up on the primary public IP address only (in INETCFG under Bindings, select the public IP address, then select Expert Options). With dynamic NAT, all the IP packets sent out will have the same source IP address.
Figure 2-5 - INETCFG, Bindings, Expert TCP/IP Bind Options, Network Address Translation
Figure 2-5 above shows an entry in INETCFG for both static and dynamic NAT enabled. Some points in regard to dynamic NAT:
• Dynamic NAT may not be as secure against Internet ‘hacks’ as using proxies
• Dynamic NAT still requires filter exceptions to allow traffic through from the internal LAN to the Internet
• Dynamic NAT is used to allow outbound traffic – traffic originating from a host on your internal LAN
NAT Implicit Filtering
If you have a service running directly on the BorderManager server that you need to access from the Internet, or you have static NAT set up, you need to disable NAT Implicit Filtering when you enable Dynamic NAT. NAT Implicit Filtering drops inbound packets for connections that did not originate from the public IP address. If NAT Implicit Filtering is enabled – and it is enabled by default – some inbound packets are simply dropped and nothing will be seen in TCP IP DEBUG. Filtering does not discard the packets, so no DISCARD data will be seen.
Before some of the later NetWare support packs were released, only a command entered at the server prompt (or in AUTOEXEC.NCF) could be used to disable NAT Implicit Filtering. See below.
Disabling NAT Implicit Filtering in INETCFG
If you have the latest NetWare Support Pack installed, you should have an option in INETCFG, Protocols, TCP/IP for enabling or disabling NAT Implicit Filtering.
Figure 2-6 - INETCFG - Option to Disable NAT Implicit Filtering
The setting shown in Figure 2-6 was taken from a NetWare server with a recent TCP/IP version and NetWare support pack installed. The option for dead gateway detection is related to a TCP/IP patch, and you may not see that option on your server.
Disabling NAT Implicit Filtering at the Server Console Prompt
Add the following command to AUTOEXEC.NCF so that traffic is allowed to ‘get into’ the BorderManager server:
SET NAT DYNAMIC MODE TO PASS THRU=ON
In general, if you have dynamic NAT enabled and something on the server isn’t working, try the above SET command.
Security Implications for Disabling NAT Implicit Filtering
Static NAT - for Inbound Traffic
… That’s right - I said the filter exceptions for static NAT use the internal IP address of the host, not the IP address assigned on the BorderManager server!
Static NAT and Filtering
Setting up Static NAT
The following instructions show how to use INETCFG.NLM at the server console to enter a static NAT address pair. You must first have the public IP address configured on the server.
Figure 2-7 - INETCFG, Network Address Translation
At the BorderManager server console prompt, type LOAD INETCFG, select Bindings, select your public IP address, select Expert TCP/IP Bind Options, and you will be able to select the menu entry for Network Address Translation.
Figure 2-8 - INETCFG - Select Static and Dynamic NAT
If you have any secondary IP addresses set up and you want to use static NAT as well as dynamic NAT, select Static and Dynamic.
Figure 2-9 - INETCFG - Entering Static NAT Mappings
If you select static NAT (or Static and Dynamic) as an option, you must enter a public/private address pair. Enter the public IP address you are using for static NAT and the internal IP address of the server being accessed via static NAT. Save the changes, exit to the main menu and select Reinitialize System to put the new static NAT table into effect.
You may notice that the private IP address is mapped to itself in the example in Figure 2-9 above. This mapping was put in to work around a NAT issue with certain versions of BorderManager and VPN. If you can ping the private IP address of the BorderManager server over a VPN connection, you do not need this mapping.
Note: Should you at any time delete the private interface network card setting in INETCFG and recreate it, or if you first set up the public interface before setting up the private interface, you may find you have a problem. In at least some versions of NetWare (4.11 and 5.0 have been seen to do this under various patch levels), static NAT will not retain the address pairs following a reboot. The cause is that the public interface gets loaded first, and for some reason that wipes out the static NAT settings. The cure is to go into INETCFG, remove the public interface definition and reinitialize system (possibly even reboot the server). Then go back into INETCFG and re-enter the public interface definition and bindings. An even better solution might be to simply rename the existing SYS:ETC\NETINFO.CFG and SYS:ETC\TCPIP.CFG files and recreate all the settings in INETCFG.
Static NAT versus Reverse Proxy Acceleration
All versions of BorderManager offer Reverse Proxy Acceleration …
Viewing & Capturing TCP/IP Traffic
You will almost certainly want to debug a filter exception at some point, or you just may be curious to see the actual IP traffic on a NetWare server. Currently the best tool supplied with NetWare is a SET command that allows you to see all the IP packets hitting the server in real time. The command to enable viewing of the traffic is:
SET TCP IP DEBUG=1
And the command to turn off the viewing is:
SET TCP IP DEBUG=0
This is a very handy method for seeing what ports and addresses are in use and what is being filtered, but a production server can have so much traffic on it that it can be nearly impossible to catch the traffic of interest. Best to use this command when little or no other traffic exists on the server than your test traffic. You may need to set up an isolated, non-production BorderManager server just for testing (always a good idea when modifying filters).
You could see a great deal of extraneous data from TCP IP DEBUG, and much of it will be normal. For example, loopback packets on NetWare servers, as well as multicast traffic, are typical and should be ignored. See the Odds & Ends section for a brief explanation of the SET FILTER DEBUG=ON statement (available on later versions of BorderManager) as an alternative to SET TCP IP DEBUG=1.
Static NAT Example Debug Trace
Here is an example of what a PING test looks like with SET TCP IP DEBUG=1 when sent out through a static NAT connection. You will see a packet going from the host 192.168.10.251, then being regenerated with a new source address. The static NAT configuration on the BorderManager server has 4.3.2.253 as the public NAT address and 192.168.10.251 as the private NAT address. The host is pinging IP address 4.3.2.100, and the trace is taken from the BorderManager server:
RECEIVE:pktid:38936 192.168.10.251->4.3.2.100 ttl:128 (ICMP)Echo Request
FORWARD:pktid:38936 4.3.2.253->4.3.2.100 ttl:127 (ICMP)Echo Request
The originating host 192.168.10.251 sends a PING packet to 4.3.2.100. NAT regenerates the packet and forwards it as if it came from the public side of the static NAT address (4.3.2.253).
RECEIVE:pktid:38936 4.3.2.100->4.3.2.253 ttl:255 (ICMP)Echo Reply
FORWARD:pktid:38936 4.3.2.100->192.168.10.251 ttl:254 (ICMP)Echo Reply
Here is the reply traffic. Host 4.3.2.100 sends its reply to 4.3.2.253, and static NAT regenerates it and forwards the packet to the NAT private address (192.168.10.251).
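As an added example (not code from the book), here is a small parser for SET TCP IP DEBUG=1 console lines in the shape of the trace above. It pairs each RECEIVE with the FORWARD of the same pktid to show what static NAT rewrote, and it flags packets forwarded toward the Internet with an RFC 1918 source, the case the private-address warning earlier in this chapter describes. The DISCARD line shape and the pktid 38937 packet are assumptions, not captured output.

```python
"""Added example: parse SET TCP IP DEBUG=1 lines and reconstruct NAT rewrites."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Line shape taken from the book's trace: ACTION:pktid:N src->dst ttl:N (PROTO)info
# DISCARD lines are assumed (not shown in the book) to share this shape.
LINE_RE = re.compile(
    r"^(?P<action>RECEIVE|FORWARD|DISCARD):pktid:(?P<pktid>\d+)\s+"
    r"(?P<src>[\d.]+)->(?P<dst>[\d.]+)\s+ttl:(?P<ttl>\d+)\s+"
    r"\((?P<proto>\w+)\)(?P<info>.*)$"
)

# The three private ranges the book lists (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The four lines printed in the book, plus one constructed packet (pktid 38937)
# that leaves the server with its private source address untranslated.
SAMPLE_TRACE = [
    "RECEIVE:pktid:38936 192.168.10.251->4.3.2.100 ttl:128 (ICMP)Echo Request",
    "FORWARD:pktid:38936 4.3.2.253->4.3.2.100 ttl:127 (ICMP)Echo Request",
    "RECEIVE:pktid:38936 4.3.2.100->4.3.2.253 ttl:255 (ICMP)Echo Reply",
    "FORWARD:pktid:38936 4.3.2.100->192.168.10.251 ttl:254 (ICMP)Echo Reply",
    "RECEIVE:pktid:38937 192.168.10.77->4.3.2.100 ttl:128 (ICMP)Echo Request",  # constructed
    "FORWARD:pktid:38937 192.168.10.77->4.3.2.100 ttl:127 (ICMP)Echo Request",  # constructed
]


@dataclass
class DebugLine:
    action: str
    pktid: int
    src: str
    dst: str
    ttl: int
    proto: str
    info: str


@dataclass
class Translation:
    pktid: int
    received: DebugLine
    forwarded: DebugLine
    rewritten: str  # "source" (outbound NAT), "destination" (inbound NAT) or "none"


def parse_line(line: str) -> Optional[DebugLine]:
    """Return the parsed line, or None for loopback, multicast or other console noise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return DebugLine(m["action"], int(m["pktid"]), m["src"], m["dst"],
                     int(m["ttl"]), m["proto"], m["info"].strip())


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def pair_translations(lines: List[str]) -> List[Translation]:
    """Pair each RECEIVE with the FORWARD of the same pktid that follows it.

    The same pktid appears on the request and on the reply in the book's trace,
    so a pending RECEIVE is consumed as soon as its FORWARD shows up.
    """
    pending: Dict[int, DebugLine] = {}
    out: List[Translation] = []
    for raw in lines:
        d = parse_line(raw)
        if d is None:
            continue
        if d.action == "RECEIVE":
            pending[d.pktid] = d
        elif d.action == "FORWARD" and d.pktid in pending:
            r = pending.pop(d.pktid)
            if r.src != d.src:
                rewritten = "source"       # NAT rewrote the source on the way out
            elif r.dst != d.dst:
                rewritten = "destination"  # static NAT rewrote the destination coming back
            else:
                rewritten = "none"
            out.append(Translation(d.pktid, r, d, rewritten))
    return out


def private_source_leaks(translations: List[Translation]) -> List[str]:
    """FORWARD lines that leave toward a public address with an RFC 1918 source.

    This is the case the book warns about: without NAT or a proxy the Internet
    will never answer such a packet, and no filter is involved.
    """
    return [
        f"pktid {t.pktid}: {t.forwarded.src}->{t.forwarded.dst} forwarded with a private source"
        for t in translations
        if is_rfc1918(t.forwarded.src) and not is_rfc1918(t.forwarded.dst)
    ]


if __name__ == "__main__":
    pairs = pair_translations(SAMPLE_TRACE)
    for t in pairs:
        print(t.pktid, t.rewritten, t.received.src, "->", t.received.dst,
              "became", t.forwarded.src, "->", t.forwarded.dst)
    for warning in private_source_leaks(pairs):
        print("WARNING", warning)
```

Feed it the CONSOLE.LOG captured with CONLOG (described in Chapter 3) instead of SAMPLE_TRACE to check a real static NAT pair.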
Setting up Default BorderManager Filters with …
The Default Filtering Action
It is important that your filters are set up to ‘Deny Packets in Filter List’ so that the filters block traffic and the exceptions allow traffic.
Figure 2-10 - FILTCFG - Deny Packets in Filter List
The screenshot shown in Figure 2-10 is how you should have your filters configured.
What are the Default Filters?
The default filters block all traffic between the public interface and all private interfaces in both directions, as well as almost all traffic from the Internet to the public interface. Filters are set up to block routing updates as well as TCP and UDP traffic. The default filters do not block traffic to or from the private interface(s), except from private to public interface. By cutting off traffic between the public and private interfaces, BorderManager controls both incoming and outgoing traffic.
BorderManager 3.x Default Filters
The following is a list of all of the default filters (not exceptions) set up by BRDCFG.NLM for BorderManager 3.x with VPN configured. Should you see additional filters using FILTCFG.NLM, you may have accidentally used BRDCFG.NLM twice, once on the public interface and once on the private interface. You would need to delete the incorrect entries to get BorderManager to function. These filter definitions are based on the example configuration shown earlier in this book. One of the IP networks listed is the virtual IP network assigned for the VPN. The name of the interface connected to the Internet side of the BorderManager server is PUBLIC. No AppleTalk protocol was enabled on the BorderManager server, or some filters pertaining to AppleTalk would also have shown up.
Outgoing RIP Filters
• Filtered Route: Route to Network or Host: Network, IP address of Network/Host: …, Subnetwork mask: …, Do Not Advertise Route To: Destination Type: Interface, Destination: VPTUNNEL
• Filtered Route: Route to Network or Host: Network, IP address of Network/Host: …, Subnetwork mask: …, Do Not Advertise Route To: Destination Type: Interface, Destination: All Interfaces
• Filtered Route: Route to Network or Host: Network, IP address of Network/Host: …, Subnetwork mask: …, Do Not Advertise Route To: Destination Type: Interface, Destination: VPTUNNEL
• Filtered Route: Route to Network or Host: Network, IP address of Network/Host: …, Subnetwork mask: …, Do Not Advertise Route To: Destination Type: Interface, Destination: VPTUNNEL
Incoming RIP Filters
• Filtered Route: Route to Network or Host: All Routes, IP address of Network/Host: (blank), Subnetwork mask: (blank), Do Not Accept Route From: Source Type: Interface, Source: PUBLIC
Outgoing EGP Filters
• Filtered Route: Route to Network or Host: All Routes, IP address of Network/Host: (blank), Subnetwork mask: (blank), Do Not Advertise Route To: Destination Type: Interface, Destination: PUBLIC
Incoming EGP Filters
• Filtered Route: Route to Network or Host: All Routes, IP address of Network/Host: (blank), Subnetwork mask: (blank), Do Not Accept Route From: Source Type: Interface, Source: PUBLIC
OSPF External Route Filters
• Routes denied: All Routes
Packet Forwarding Filters
The default packet forwarding filters are what stop traffic from being routed through BorderManager, whether or not you have public IP addresses internally, static NAT, dynamic NAT, whatever. The concept is simple: block all traffic TO the public interface and block all traffic FROM the public interface.
It is important to distinguish a difference between the default filters and the default exceptions. The default filters cover the entire public interface, while the default exceptions all call out the public IP address, either as source or destination. Because of this, the default exceptions do not allow traffic to or from secondary public IP addresses, while the default filters block such traffic.
Also note that the default filters are based on the interface name, not an IP address or interface number. If you should rename your public interface, you will no longer be filtering any packets – until you update the default filters using BRDCFG.
Filter exceptions always override filters – you cannot override an exception with an additional filter.
Each of the default packet forwarding filters is shown next.
FILTCFG Examples – The Default Filters
The following screenshots show what the default filters should look like. It is extremely important that the interface name called out on your BorderManager server matches the current interface name shown in INETCFG. In my servers, I immediately delete the old interface names and reconfigure them using PUBLIC and PRIVATE (PRIVATE1 and PRIVATE2 if I happen to have a server with multiple private IP addresses). Not only does this make it much simpler when adding custom filter exceptions, it also is more flexible in that I can replace a network card and not be tied to its old name (such as the PRO_ or CX_ names a driver assigns). I can also copy the filters.cfg file from one server to another without having to make changes except where public IP addresses are called out.
Figure 2-11 - FILTCFG - Default Filter Blocking all IP Traffic to the Public Interface
The default filter shown in Figure 2-11 blocks all traffic to the public IP address, whether it comes from the Internet or a private IP address. Without filter exceptions, BorderManager cannot receive any traffic from the Internet.
Figure 2-12 - FILTCFG - Default Filter Blocking all IP Traffic from the Public Interface
The default filter shown in Figure 2-12 blocks all traffic from the public interface. Without additional filter exceptions, the proxy cannot send any traffic to the Internet.
What are the Default Filter Exceptions?
BorderManager 3.x sets up the following default filter exceptions, designed to allow the proxy services and VPN to function. These are the filter exceptions as shown in FILTCFG. Each is shown in the following section as well as described here.
1. Allow all outbound IP packets from the BorderManager public IP address to the public interface.
2. Allow all inbound dynamic TCP ports from the public interface to the public IP address of the BorderManager server.
3. Allow all inbound dynamic UDP ports from the public interface to the public IP address of the BorderManager server.
4. Allow the TCP port used for VPN client/server communications from the public interface to the public IP address of the BorderManager server.
5. Allow the TCP port used for VPN client authentication from the public interface to the public IP address of the BorderManager server.
6. Allow the UDP port used by the VPN client to send periodic keepalive packets from the public interface to the public IP address of the BorderManager server.
7. Allow the SKIP protocol (protocol 57) from the public interface to the public IP address of the BorderManager server. The SKIP protocol is necessary for Novell VPN to function.
8. Allow TCP port 80 (HTTP) traffic from the public interface to the BorderManager public IP address in order for the web server accelerator to function.
9. Allow TCP port 443 (HTTPS/SSL) traffic from the public interface to the BorderManager public IP address in order for proxy authentication to a reverse web proxy accelerator to function.
FILTCFG Examples - The Default Filter Exceptions
Figure 2-13 - FILTCFG - Default Filter Exception Allowing all Outbound IP Traffic from the Public IP Address
The filter exception shown in Figure 2-13 allows all outgoing IP packets from the public IP address of the BorderManager server. In some cases, this may allow more traffic out than desired, such as SLP packets that can bring up an ISDN dialup link. Without this exception, the BorderManager proxies would not be able to send any packets out.
Figure 2-14 - FILTCFG - Default Filter Exception Allowing Dynamic TCP to the Public IP Address
The default filter exception shown in Figure 2-14 allows incoming TCP traffic with a destination port in the high (dynamic) TCP port numbers into the public IP address of the BorderManager server. Without this filter exception, the BorderManager proxies would not see a response to their TCP requests.
Note: This default exception is probably the single biggest security hole on a typical BorderManager server. It allows inbound traffic to certain services that might be listening on the public IP address. See the chapter on advanced topics later in this book for ways to deal with this issue.
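As an added example, not the book's own code, here is a toy model of the default packet forwarding filters and the default exceptions described in the preceding sections. It reproduces the two points the text makes: exceptions override filters and call out the public IP address, so a secondary public address stays blocked, while the dynamic-port exception lets the Internet reach any high TCP port on the primary public IP. The interface names, the secondary address 4.3.2.254 and the 1024-65535 range are assumptions (the book gives no port numbers), and the VPN port exceptions are left out because their numbers are not on the page.

```python
"""Added example: toy model of BorderManager's default filters and exceptions.
Primary public IP and internal host come from the book's static NAT trace; the
secondary address, interface names and dynamic port range are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PUBLIC_IF = "PUBLIC"
PRIVATE_IF = "PRIVATE"
PUBLIC_IP = "4.3.2.253"             # primary public IP, from the book's trace
SECONDARY_PUBLIC_IP = "4.3.2.254"   # constructed secondary public address
INTERNAL_HOST = "192.168.10.251"    # internal host, from the book's trace
DYNAMIC_PORTS = range(1024, 65536)  # assumed meaning of "high port numbers"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str               # "tcp", "udp" or an IP protocol number such as "57"
    dst_port: Optional[int]  # None for protocols without ports
    src_if: Optional[str]    # interface it arrived on (None = generated by the server)
    dst_if: Optional[str]    # interface it leaves on (None = delivered to the server)


@dataclass(frozen=True)
class Rule:
    name: str
    src_if: Optional[str] = None
    dst_if: Optional[str] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[str] = None
    ports: Optional[range] = None

    def matches(self, p: Packet) -> bool:
        """Every field the rule sets must match; unset fields match anything."""
        pairs = [(self.src_if, p.src_if), (self.dst_if, p.dst_if), (self.src_ip, p.src_ip),
                 (self.dst_ip, p.dst_ip), (self.proto, p.proto)]
        if any(want is not None and want != got for want, got in pairs):
            return False
        return self.ports is None or (p.dst_port is not None and p.dst_port in self.ports)


# The two default packet forwarding filters are keyed on the interface NAME ...
DEFAULT_FILTERS: List[Rule] = [
    Rule("block all IP traffic to the public interface", dst_if=PUBLIC_IF),
    Rule("block all IP traffic from the public interface", src_if=PUBLIC_IF),
]

# ... while every default exception calls out the primary public IP ADDRESS.
DEFAULT_EXCEPTIONS: List[Rule] = [
    Rule("all outbound IP from the public IP address", src_ip=PUBLIC_IP, dst_if=PUBLIC_IF),
    Rule("dynamic TCP ports to the public IP address", src_if=PUBLIC_IF, dst_ip=PUBLIC_IP,
         proto="tcp", ports=DYNAMIC_PORTS),
    Rule("dynamic UDP ports to the public IP address", src_if=PUBLIC_IF, dst_ip=PUBLIC_IP,
         proto="udp", ports=DYNAMIC_PORTS),
    Rule("SKIP (protocol 57) to the public IP address", src_if=PUBLIC_IF, dst_ip=PUBLIC_IP,
         proto="57"),
    Rule("HTTP (TCP 80) to the public IP address", src_if=PUBLIC_IF, dst_ip=PUBLIC_IP,
         proto="tcp", ports=range(80, 81)),
    Rule("HTTPS (TCP 443) to the public IP address", src_if=PUBLIC_IF, dst_ip=PUBLIC_IP,
         proto="tcp", ports=range(443, 444)),
]


def decide(p: Packet, filters=DEFAULT_FILTERS, exceptions=DEFAULT_EXCEPTIONS) -> Tuple[str, str]:
    """'Deny Packets in Filter List': an exception always overrides a filter."""
    for e in exceptions:
        if e.matches(p):
            return "allow", e.name
    for f in filters:
        if f.matches(p):
            return "deny", f.name
    return "allow", "no filter matched (packet does not touch the public interface)"


def inbound_tcp_ports_allowed(dst_ip: str) -> List[int]:
    """TCP destination ports the defaults let in from the Internet to dst_ip."""
    return [port for port in range(1, 65536)
            if decide(Packet("4.3.2.100", dst_ip, "tcp", port, PUBLIC_IF, None))[0] == "allow"]


def demo() -> dict:
    """Verdicts for the situations the text describes."""
    cases = {
        "proxy request out": Packet(PUBLIC_IP, "4.3.2.100", "tcp", 80, None, PUBLIC_IF),
        "reply to the proxy on a high port": Packet("4.3.2.100", PUBLIC_IP, "tcp", 3456, PUBLIC_IF, None),
        "Internet to TCP 22 on the public IP": Packet("4.3.2.100", PUBLIC_IP, "tcp", 22, PUBLIC_IF, None),
        "Internet to TCP 8080 on the public IP": Packet("4.3.2.100", PUBLIC_IP, "tcp", 8080, PUBLIC_IF, None),
        "Internet to TCP 8080 on a secondary IP": Packet("4.3.2.100", SECONDARY_PUBLIC_IP, "tcp", 8080, PUBLIC_IF, None),
        "internal host routed straight out": Packet(INTERNAL_HOST, "4.3.2.100", "tcp", 80, PRIVATE_IF, PUBLIC_IF),
        "SKIP to the public IP": Packet("4.3.2.100", PUBLIC_IP, "57", None, PUBLIC_IF, None),
    }
    return {name: decide(p)[0] for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:5s} {name}")
    print(len(inbound_tcp_ports_allowed(PUBLIC_IP)), "TCP ports reach the primary public IP;",
          len(inbound_tcp_ports_allowed(SECONDARY_PUBLIC_IP)), "reach the secondary address")
```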
Figure 2-15 - FILTCFG - Default Filter Exception Allowing Dynamic UDP to the Public IP Address
The default filter exception shown in Figure 2-15 allows incoming UDP traffic with a destination port in the high (dynamic) UDP port numbers into the public IP address of the BorderManager server. Without this filter exception, the BorderManager proxies would not see a response to their UDP requests.
Figure 2-16 - FILTCFG - Default Filter Exception Allowing VPN Master/Slave Traffic to the Public IP Address
The default filter exception shown in Figure 2-16 (and most of the following) is used to allow VPN communications to the public IP address of the BorderManager server. In this case, the TCP destination port used for VPN Master/Slave communications is allowed inbound.
Figure 2-17 - FILTCFG - Default Filter Exception Allowing VPN Client Authentication to the Public IP Address
The default filter exception shown in Figure 2-17 is used to allow a VPN client to authenticate to the BorderManager VPN server, using the TCP destination port reserved for VPN client authentication.
Figure 2-18 - FILTCFG - Default Filter Exception Allowing VPN Client Keep-Alive Traffic to the Public IP Address
The default filter exception shown in Figure 2-18 allows a VPN client to send periodic keepalive packets to the VPN server, using the UDP destination port reserved for them, so that the VPN server realizes that the VPN client is still connected.
Figure 2-19 - FILTCFG - Default Filter Exception Allowing SKIP Protocol to the Public IP Address
The default filter exception shown in Figure 2-19 allows the VPN SKIP protocol inbound to the BorderManager VPN server public IP address.
Note: SKIP is neither TCP nor UDP, but simply another protocol with protocol ID 57. The protocol ID is a field in the IP header of a packet, and unlike TCP (which has protocol ID 6) or UDP (which has protocol ID 17), SKIP has protocol ID 57, which identifies it for a packet filtering router.
Figure 2-20 - FILTCFG - Default Filter Exception Allowing Reverse Proxy HTTP Traffic to the Public IP Address
The default filter exception shown in Figure 2-20 allows TCP destination port 80 (HTTP) traffic to flow from the public interface to the BorderManager public IP address in order for a reverse HTTP Proxy to function. You will not have a reverse HTTP Proxy set up by default, but this exception allows you to configure one on the public IP address without having to add a filter exception.
Figure 2-21 - FILTCFG - Default Filter Exception Allowing HTTPS (SSL) Traffic to the Public IP Address
The default filter exception shown in Figure 2-21 allows TCP destination port 443 (HTTPS/SSL) from the public interface to the BorderManager public IP address to allow proxy authentication to function for a reverse proxy. It also allows any other inbound SSL/HTTPS traffic to the public IP address. You do not have a reverse HTTP proxy configured by default, but if you should add one on the public IP address and require proxy authentication on it, this filter exception will allow it to work without you having to do more work.
Security Considerations
This book shows how to set up specific filter exceptions for various software programs to operate in either an outbound or an inbound direction. This book does not delve deeply into the security aspects of setting up these exceptions. In general, the more exceptions that are allowed, particularly inbound, the more risk one must assume for a break-in or a denial of service attack. Packet filters can be effective in stopping many attempts at compromising the security of a network, but they may not stop all attacks. Use of the BorderManager proxy services is more secure than using packet filter exceptions to do the same function. However, stateful filter exceptions for outbound traffic (available in later versions of BorderManager) are very secure and should not be cause for major worry.
It is always a good idea for the network administrator to monitor Internet sites related to computer security and keep a close eye on the Novell Minimum Patch list for bug fixes. Some sites of interest are:
http://www.cert.org/
http://www.nessus.org/
http://www.iss.net/
http://www.rootshell.org/
http://www.icsa.net/
The default filters applied to BorderManager by the BRDCFG.NLM program do not restrict IP packets from being sent out from the public interface. That is, if the server itself generates outgoing traffic on the public interface, it will be sent out. For NetWare, this includes SLP multicasts. The most security conscious administrator may want to consider deleting the default filter exceptions and manually implementing exceptions allowing only specific outbound traffic as needed. See the chapter on advanced topics. This does not mean that inbound IP traffic is allowed, only that in some cases NetWare may be advertising its presence unnecessarily on the public LAN side.
CAUTION DISCLAIMER! The author has written this book with the best of intentions and has done testing and proofreading to find typographical errors. The filter exceptions given in this book should be workable, with minimal security impact, given the technology available in the version of BorderManager used. However, there are no guarantees that a filter exception or setting shown here does not provide some means for an intrusion or denial of service attack. On the contrary, each filter exception used may decrease the security of a network. You must make a tradeoff between functionality and security. You are warned to use caution, common sense and firewall analysis techniques and tools to secure your network. This book is provided 'as-is'. The author is not responsible for any losses, network intrusions, or other problems resulting from using the advice or examples in this book, whether such problems are caused by typographical errors, or mistakes on the part of the author. In short - check your work carefully, and do not rely 100% on this book!
Chapter 3 - NetWare Tools Used in Filtering
There are several NLMs that ship with NetWare that are commonly used in helping you to set up filters or filter exceptions. Some simply allow you to see what is happening, while others help you to make changes to the configuration. The following utilities are very useful or essential to working with BorderManager packet filtering.
BRDCFG.NLM
When you first set up BorderManager, you are asked at one point if you want to set up the default filters to block all traffic to the public IP address. This is essential to set up BorderManager as a secure firewall. If you ever need to add the default filters again, just LOAD BRDCFG at the file server console and follow the prompts. To reset your server to have ONLY the default filters, you should use FILTCFG to delete every filter and filter exception entered, and then run BRDCFG, as it will not delete exceptions already present.
CAUTION If you accidentally apply the default filters to the private (internal) IP address, you must manually delete the filters and filter exceptions that are configured or BorderManager will not function. Running the BRDCFG program will not remove those filters, and all your traffic will be blocked.
CONFIG (Not CONFIG.NLM)

Typing CONFIG at the server console will show the configured LAN interfaces and addresses (and default route). It is a quick way to see what is set up on the server. It does not show secondary IP addresses or additional (non-secondary) IP addresses bound to an interface. Typing LOAD CONFIG (or LOAD CONFIG /S) at the console produces a SYS:SYSTEM\CONFIG.TXT file that helps to document your server.

CONLOG.NLM

CONLOG is used to capture all traffic on the server console to a text file. LOAD CONLOG starts saving data to a file in SYS:ETC called CONSOLE.LOG. Unloading CONLOG stops the capture and allows you to view or edit the text file. CONSOLE.LOG is very useful in conjunction with SET TCP IP DEBUG=1 to capture IP packets when you are testing filter exceptions.

FILTCFG.NLM

To view, export or configure filters and exceptions, type LOAD FILTCFG at the server console.

Note: The filters and filter exceptions are stored in the SYS:ETC\FILTERS.CFG file. If you want to experiment with creating new filter exceptions, it is a good idea to make a backup copy of this file first. The filters are also held in server memory until a server reboot, and creating a new filter exception will write the old filter definitions back out if you accidentally delete the FILTERS.CFG file.

The FILTCFG.NLM utility has a feature called Configure Interface Options that allows you to define one of the interfaces as public and another as private. Once you do this, the words (public) and (private) are added to the network interface names when applying filters, to help you remember which interface is which. If the interface names are incorrect, select an interface and press the Tab key to toggle the title ‘Public’ or ‘Private’ as needed.
Figure 3-1 - FILTCFG - Configure Interface Options
The screenshot in Figure 3-1 shows FILTCFG.NLM on a BorderManager server being used to conveniently define interfaces as Public or Private, so that they are more easily identified when setting up filters and filter exceptions. Even better is to name the interfaces PUBLIC and PRIVATE when setting up the server.

IPFLT.NLM / IPFLT31.NLM

IPFLT31.NLM is the module used to perform IP packet filtering. It is automatically loaded by IPFLT.NLM if filtering is enabled in INETCFG for IP. If you wish to see immediately whether a communication problem is being caused by IP filtering, type UNLOAD IPFLT at the server console to disable all IP packet filtering. If communications start working, then you have a filtering issue; if not, you have at least some other issue, and may still have a filtering issue as well. Unloading IPFLT opens up your BorderManager server completely to hacking, so do this only as a quick test. After testing, remember to LOAD IPFLT again.

SET TCP IP DEBUG=1

To view all IP packets hitting the server, type SET TCP IP DEBUG=1 at the server console.
To stop viewing all IP packets, type SET TCP IP DEBUG=0 at the server console.
TCPCON.NLM

While not actually a filtering tool, this utility does let you view IP routing information. Problems thought to be filter-related often end up being routing issues, such as lacking a proper default route. Type LOAD TCPCON at the file server console to start this utility. Some useful features of TCPCON:

• View the current routing table.
• See what ports on the server are ‘open’ (some service is listening on the port). Look in Protocol Information, TCP, TCP Connections. Similar for UDP.
• View the ARP table. Look in Protocol Information, IP, IP Address Translations.
Chapter 4 - Working with Filters

This book would be far less useful without real-world examples to view. The bulk of the remainder of this book provides various examples that can be used easily by anyone with only an address or interface change.

Backing Up and Restoring Filters and Exceptions

All filters are stored in the SYS:ETC\FILTERS.CFG file. All custom exceptions are also stored in that file. However, the definitions for the built-in filter exceptions supplied by NetWare are stored in the SYS:ETC\BUILTINS.CFG file. With rare exception (one of which is shown in the Advanced chapter), you will not need to modify the BUILTINS.CFG file. However, it is safest to treat the FILTERS.CFG and BUILTINS.CFG files as a matched pair.

Before making changes to the filters or filter exceptions, make a backup copy of the FILTERS.CFG and BUILTINS.CFG files. Should you need to put those filters and exceptions back in place, use the following procedure:

1. UNLOAD IPFLT (disables IP packet filtering).
2. Copy the backed-up FILTERS.CFG and BUILTINS.CFG files back to SYS:ETC.
3. REINITIALIZE SYSTEM (assuming you have filtering enabled in INETCFG).

Viewing Filters in Action (TCP IP DEBUG)

Here is an example of some filtering being applied to packets at a BorderManager server. The data was viewed using SET TCP IP DEBUG=1 and captured using CONLOG.NLM.
LOCAL:pktid:39517 4.3.2.100->4.3.2.255 ttl:128 (UDP)
UDP:Source Port:137(NETBIOS-NS) Destination Port:137(NETBIOS-NS)
Discard Incoming: cause(FILTERING), reason(5)

Note: See Novell TID 2953403 for some explanation of the reason codes for filtering in the TCP IP DEBUG trace. Reason 5 simply means the data was discarded due to a filter.

The above example shows a local broadcast from a PC with a host address of 4.3.2.100 (4.3.2.255 is the broadcast address for that subnet). The source and destination ports are both 137, and the type of packet is a NETBIOS name search request, resulting from having the Microsoft Client for Microsoft Networks installed on the PC without it using WINS to locate services. The packet was filtered as it came into the public interface on the BorderManager server (‘Discard Incoming’).
TCP DEBUG PING & DNS Example

Following are some TCP IP DEBUG traces captured with CONLOG.NLM, showing what happens with default filters enabled when trying to ping WWW.NOVELL.COM. This configuration involved using dynamic NAT on BorderManager and no proxies. The workstation at 192.168.10.114 was configured with a default gateway pointing to the BorderManager private IP address and a DNS server entry of 199.182.120.203.

RECEIVE:pktid:162 192.168.10.114->199.182.120.203 ttl:128 (UDP)
UDP:Source Port:1034 Destination Port:53(DOMAIN)
Discard Outgoing: cause(FILTERING), reason(1)

The first thing that happened was that PING needed to resolve WWW.NOVELL.COM to an IP address, and it failed because the default filters don’t allow DNS requests through. The DNS packets (UDP port 53) were dropped as they left the BorderManager server (Discard Outgoing).

FILTCFG was loaded and a stateful filter exception for DNS over UDP was configured and applied. The test was then repeated, in this case using two DNS server entries, 199.182.120.203 and 4.3.4.1.

RECEIVE:pktid:192 192.168.10.114->199.182.120.203 ttl:128 (UDP)
UDP:Source Port:1039 Destination Port:53(DOMAIN)
FORWARD:pktid:192 4.3.2.254->199.182.120.203 ttl:127 (UDP)
UDP:Source Port:59878 Destination Port:53(DOMAIN)
RECEIVE:pktid:193 192.168.10.114->4.3.4.1 ttl:128 (UDP)
UDP:Source Port:1040 Destination Port:53(DOMAIN)
FORWARD:pktid:193 4.3.2.254->4.3.4.1 ttl:127 (UDP)
UDP:Source Port:59877 Destination Port:53(DOMAIN)
RECEIVE:pktid:19565 4.3.4.1->4.3.2.254 ttl:126 (UDP)
UDP:Source Port:53(DOMAIN) Destination Port:59877
FORWARD:pktid:19565 4.3.4.1->192.168.10.114 ttl:125 (UDP)
UDP:Source Port:53(DOMAIN) Destination Port:1040

The DNS server at 4.3.4.1 responded before the one at 199.182.120.203 did, and the DNS information was passed back to the PC at 192.168.10.114. Now the PC knows that the IP address of WWW.NOVELL.COM is 137.65.2.11, and it begins to ping it.
RECEIVE:pktid:194 192.168.10.114->137.65.2.11 ttl:32 (ICMP)Echo Request
Discard Outgoing: cause(FILTERING), reason(1)
RECEIVE:pktid:196 192.168.10.114->137.65.2.11 ttl:32 (ICMP)Echo Request
Discard Outgoing: cause(FILTERING), reason(1)
RECEIVE:pktid:197 192.168.10.114->137.65.2.11 ttl:32 (ICMP)Echo Request
Discard Outgoing: cause(FILTERING), reason(1)
RECEIVE:pktid:198 192.168.10.114->137.65.2.11 ttl:32 (ICMP)Echo Request
Discard Outgoing: cause(FILTERING), reason(1)

ICMP (PING) packets now get to the BorderManager server, but they are filtered on the way out (Discard Outgoing) because there is no filter exception for ICMP packets with the default filters in place. Next, a filter exception was set up to allow ICMP through and the test was repeated. Multiple PING packets were sent to a host at 4.3.2.1. Only some of the traffic is shown.

RECEIVE:pktid:296 192.168.10.114->4.3.2.1 ttl:32 (ICMP)Echo Request
FORWARD:pktid:296 4.3.2.254->4.3.2.1 ttl:31 (ICMP)Echo Request
RECEIVE:pktid:296 4.3.2.1->4.3.2.254 ttl:255 (ICMP)Echo Reply
FORWARD:pktid:296 4.3.2.1->192.168.10.114 ttl:254 (ICMP)Echo Reply

After adding a filter exception for ICMP, the PING traffic looks normal. The PC at 192.168.10.114 sends an ICMP packet to 4.3.2.1. Dynamic NAT regenerates the packet as coming from its public IP address (4.3.2.254) and sends it on. The host at 4.3.2.1 responds and sends a reply to 4.3.2.254, and dynamic NAT returns that response to the original requester by regenerating the packet with the destination address of 192.168.10.114.
Browsing Example – No Proxy Configured

Here is an example of what the default filters do when someone tries to browse the Internet without using the HTTP Proxy. The Netscape browser at host 192.168.10.114 was configured for a “Direct connection to Internet” (no proxy), as shown in Figure 4-1.
Figure 4-1 - Netscape Configured Without Proxy settings
The same output could have been generated using any other browser set for direct connection to the Internet, as long as Transparent Proxy was disabled on the BorderManager server.
FORWARD:pktid:247 4.3.2.254->4.3.4.1 ttl:127 (UDP)
UDP:Source Port:59873 Destination Port:53(DOMAIN)
RECEIVE:pktid:24136 4.3.4.1->4.3.2.254 ttl:126 (UDP)
UDP:Source Port:53(DOMAIN) Destination Port:59873
FORWARD:pktid:24136 4.3.4.1->192.168.10.114 ttl:125 (UDP)
UDP:Source Port:53(DOMAIN) Destination Port:1049
RECEIVE:pktid:248 192.168.10.114->137.65.2.118 ttl:128 (TCP)
TCP:SYN Source Port:1050, Dest Port:80 Sequence No.:3202996 Ack No:0 Window:8192 UrgPtr:0
Discard Outgoing: cause(FILTERING), reason(1)

The DNS exception set up earlier allows WWW.NOVELL.COM to be resolved to an IP address, but then the browser times out because the default filters block HTTP (port 80). The default filters do not allow traffic to automatically go from the private IP address to the public IP address. The HTTP Proxy works differently, by regenerating its HTTP (port 80) traffic directly onto the public IP address, where it is allowed out by the default filter exceptions.
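Reading a CONSOLE.LOG full of TCP IP DEBUG output by eye gets old quickly. The following Python script is an added example, not code from the book or from Novell: it parses the trace format shown in this chapter (header line, optional port line, optional Discard line, whether or not extraction has run them together), attaches each Discard verdict to the packet before it, and counts the discards by direction, protocol and destination port. Each key in that count is a candidate filter exception, and a candidate only: the NETBIOS broadcast in the sample is exactly the kind of discard you leave alone. The sample trace is constructed from the packets printed above; reason codes are reported as-is rather than interpreted (see the TID referenced above).

```python
"""Parse NetWare 'SET TCP IP DEBUG=1' console output (the format shown in the
traces in this chapter) and list what the BorderManager filters discarded.
Added example, not from the book; the sample trace is constructed from the
packets shown above."""
import re
from collections import Counter

PACKET_RE = re.compile(
    r"^(?P<action>RECEIVE|FORWARD|LOCAL):pktid:(?P<pktid>\d+)\s+"
    r"(?P<src>[\d.]+)->(?P<dst>[\d.]+)\s+ttl:(?P<ttl>\d+)\s+\((?P<proto>\w+)\)")
# Both "Source Port:137(NETBIOS-NS) Destination Port:137" and
# "Source Port:1050, Dest Port:80" are accepted.
PORT_RE = re.compile(
    r"Source Port:(?P<sport>\d+)\S*\s*,?\s*Dest(?:ination)? Port:(?P<dport>\d+)")
DISCARD_RE = re.compile(
    r"Discard (?P<direction>Incoming|Outgoing):\s*cause\((?P<cause>\w+)\),"
    r"\s*reason\((?P<reason>\d+)\)")

# Constructed sample: packets taken from the traces printed in this chapter.
TRACE = """\
LOCAL:pktid:39517 4.3.2.100->4.3.2.255 ttl:128 (UDP)
UDP:Source Port:137(NETBIOS-NS) Destination Port:137(NETBIOS-NS)
Discard Incoming: cause(FILTERING), reason(5)
RECEIVE:pktid:162 192.168.10.114->199.182.120.203 ttl:128 (UDP)
UDP:Source Port:1034 Destination Port:53(DOMAIN)
Discard Outgoing: cause(FILTERING), reason(1)
RECEIVE:pktid:192 192.168.10.114->199.182.120.203 ttl:128 (UDP)
UDP:Source Port:1039 Destination Port:53(DOMAIN)
FORWARD:pktid:192 4.3.2.254->199.182.120.203 ttl:127 (UDP)
UDP:Source Port:59878 Destination Port:53(DOMAIN)
RECEIVE:pktid:194 192.168.10.114->137.65.2.11 ttl:32 (ICMP)Echo Request
Discard Outgoing: cause(FILTERING), reason(1)
RECEIVE:pktid:248 192.168.10.114->137.65.2.118 ttl:128 (TCP)
TCP:SYN Source Port:1050, Dest Port:80 Sequence No.:3202996 Ack No:0 Window:8192 UrgPtr:0
Discard Outgoing: cause(FILTERING), reason(1)
"""


def parse_trace(text):
    """One dict per packet header line; port and Discard text (on following
    lines or run onto the header line) is attached to the packet before it."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        m = PACKET_RE.match(line)
        if m:
            packets.append(dict(m.groupdict(), sport=None, dport=None, discarded=False))
        if not packets:
            continue            # port/Discard text before any packet header: ignore
        m = PORT_RE.search(line)
        if m:
            packets[-1]["sport"] = int(m.group("sport"))
            packets[-1]["dport"] = int(m.group("dport"))
        m = DISCARD_RE.search(line)
        if m:
            packets[-1].update(discarded=True, **m.groupdict())
    return packets


def discarded(text):
    """Only the packets the filters dropped."""
    return [p for p in parse_trace(text) if p["discarded"]]


def needed_exceptions(text):
    """Count discards by (direction, protocol, destination port).  Each key is a
    candidate filter exception; decide per key whether opening it is worth the
    exposure (the inbound NETBIOS broadcast, for instance, should stay blocked)."""
    return Counter((p["direction"], p["proto"], p["dport"]) for p in discarded(text))


if __name__ == "__main__":
    for key, n in sorted(needed_exceptions(TRACE).items(), key=str):
        print(f"{key[0]:9s} {key[1]:5s} dport={key[2]}: {n} discarded")
```

Run it against a real CONSOLE.LOG by reading the file into `needed_exceptions()`; forwarded packets (such as the DNS query with pktid 192 in the sample) are parsed but never counted, so the output after adding an exception shows directly whether the exception took effect.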
Browsing Example – Proxy Configured, Default Filter Exceptions

In this example, the browser is configured to use the HTTP Proxy instead of trying to bypass it.
Figure 4-2 - Netscape Configured to Use HTTP Proxy
The screenshot shown in Figure 4-2 shows the browser proxy settings used for the following trace.
RECEIVE:pktid:254 192.168.10.114->192.168.10.252 ttl:128 (TCP)
TCP:ACK Source Port:1046, Dest Port:8080 Sequence No.:3185555 Ack No:2873913276 Window:8208 UrgPtr:0
LOCAL:pktid:254 192.168.10.114->192.168.10.252 ttl:128 (TCP)
TCP:ACK Source Port:1046, Dest Port:8080 Sequence No.:3185555 Ack No:2873913276 Window:8208 UrgPtr:0

(some text deleted)

RECEIVE:pktid:9490 137.65.2.118->4.3.2.254 ttl:114 (TCP)
TCP:ACK Source Port:80, Dest Port:2422 Sequence No.:727352340 Ack No:2878541653 Window:64494 UrgPtr:0
LOCAL:pktid:9490 137.65.2.118->4.3.2.254 ttl:114 (TCP)
TCP:ACK Source Port:80, Dest Port:2422 Sequence No.:727352340 Ack No:2878541653 Window:64494 UrgPtr:0

The browser makes requests to the HTTP Proxy at 192.168.10.252 using port 8080. The HTTP Proxy regenerates the requests on its public IP address of 4.3.2.254 (from port 2422 in this trace) and receives the responses on that port. Eventually it builds up a complete ‘node’ (HTTP entity) in its cache, and then sends all that data back to the browser over the port 8080 connection (not shown). Alternatively, the data is not retrieved from the origin host and is instead retrieved from cache.

Notice in the example above how there is no routing of port 8080 to the Internet. Traffic between the originating PC and the proxy uses port 8080, but the HTTP Proxy uses the standard HTTP port 80 when it talks to the web server at 137.65.2.118.
Filter Debug - An Alternative to TCP IP DEBUG

If you have ever used SET TCP IP DEBUG=1 on a production server with a lot of traffic crossing it, you know how much information can fly by in a few seconds, obscuring the packet or two of interest to you. There is a way to view individual packets being filtered as they occur, without seeing all the non-filtered traffic. Use the following command to enable the filter debug options, and choose the option of interest. As with any debug option, this option should not be left enabled on a production server.

SET FILTER DEBUG=ON

Note: At the time this book was written, this setting only worked with servers running BorderManager 3.0 or later. The Filter Debug setting is a feature of the IPFLT31.NLM filtering module, and therefore filtering must be enabled to use the command.
Figure 4-3 - SET FILTER DEBUG=ON
…you can miss other traffic that might be useful for troubleshooting. Still, if you must debug a new filter exception during production hours on a busy server, this option may be the only reasonable way to see what the filters are stopping. Be sure to disable the command when done, using the SET FILTER DEBUG=OFF command.

Some experimentation will be necessary to understand the Filter Debug options.
Filter Debug Example Output

The following example was generated by trying to FTP from an internal host to an FTP server outside the LAN, without having a filter exception to allow FTP outbound.
Figure 4-4 - FILTER DEBUG Capture Example
The example shown in Figure 4-4 shows a single TCP packet being filtered after using the commands SET FILTER DEBUG=ON and SET TCP DISCARD FILTER DEBUG=1. This example shows an FTP request (note destination port number 21) being filtered in the outbound direction. Note that the source IP address shown is inside the LAN, while the destination IP address is outside the LAN. The source port is a ‘randomly’ assigned high port. The source interface shown is the private interface, and the destination interface is the public interface.
NCF Files To Use With SET FILTER DEBUG=ON

I have provided these examples for your use. I think you will find them useful to capture filter debug information and display it easily.

T1.NCF (Turn On Debugging and Capture the Results)

Rem This NCF file starts IP filter debugging and logs the screen results
Rem to a file with CONLOG. Type in T1 to start the debug and T0 to stop it.
Rem Uncomment the lines below to start the desired debug options.
Unload CONLOG
LOAD CONLOG MAX=100
SET FILTER DEBUG=ON
SET TCP DISCARD FILTER DEBUG=1
rem SET UDP DISCARD FILTER DEBUG=1
rem SET ICMP DISCARD FILTER DEBUG=1

T0.NCF (Turn Off Debugging and Display the Results)

Rem This NCF file stops IP filter debugging and displays the logged results
Rem by using EDIT. Type in T1 to start the debug and T0 to stop it.
Rem If you want to use CONLOG after running this NCF file, you must
Rem restart it manually. (LOAD CONLOG MAX=100)
Unload CONLOG
SET FILTER DEBUG=Off
SET TCP DISCARD FILTER DEBUG=0
SET UDP DISCARD FILTER DEBUG=0
SET ICMP DISCARD FILTER DEBUG=0
LOAD EDIT SYS:ETC\CONSOLE.LOG

Be sure to remember to reload CONLOG after using the T0.NCF commands if you normally use CONLOG and wish to continue console logging.
Making a Custom Filter Exception

Part 1, Starting To Make A Filter Exception

This example shows how to set up a custom filter definition. For the purpose of this book, the example shows a meaningless stateful TCP filter exception being defined for a range of source ports and a single destination port. This exception is simply being used as an example of how to create a filter exception where you also have to define a custom filter definition, because it doesn’t exist in the list of predefined filters supplied by Novell with BorderManager.
Figure 4-5 - FILTCFG - Main Menu
At the server console, type LOAD FILTCFG. Select Configure TCP/IP Filters.
Figure 4-6 - FILTCFG - Select Packet Forwarding Filters
Select Packet Forwarding Filters.
Figure 4-7 - FILTCFG - Select List of Packets Always Permitted
Select List of Packets Always Permitted to create a new filter exception.
Figure 4-8 - FILTCFG - Filter Exception Menu
The screenshot shown in Figure 4-8 shows the first of several filter exceptions. From this menu you can create, delete and modify existing filter exceptions, except that you cannot directly modify the definitions for the ‘built-in’ definitions. Press the Insert key to create a new filter exception.
Figure 4-9 - FILTCFG - Select Source Interface
Select Source Interface and choose your internal (private) network interface card. Stateful filter exceptions for outbound traffic are best applied from the internal network interface to the external network interface.
Figure 4-10 - FILTCFG - Select Destination Interface
Next, select Destination Interface and choose your external (public) network interface card.
Figure 4-11 - FILTCFG - Define Exception Packet Type
You should now have your private and public interfaces configured and are ready to define the type of exception to apply to them.

Note: The steps for selecting source and destination interface are important for stateful filters. What this example does is set up the filter exception to be applied to any packets coming from the private network interface card to the public network interface card. This way you don’t have to worry about IP address changes on the interfaces themselves, and the filter (in this case a filter exception) will only function in the outbound direction. Because the filter exception is to be defined as stateful, BorderManager will automatically keep track of the return traffic and allow it in, without having to set up an additional filter exception to allow Dynamic TCP or Dynamic UDP ports (essentially any port number from 1024 up) through the firewall.

Select Packet Type and press Enter.
Figure 4-12 - FILTCFG - Create a New Packet Type
The figure above shows the point where you should not find any predefined filter definitions matching your requirements, and so you must create your own definition.

Note: Your list of packet types will probably not match the one shown in Figure 4-12. The example shown is from a test server where many custom exceptions have already been added.

It is at this point that you have the choices seen at the bottom of the FILTCFG menu: select an existing packet type, create a new one, or modify an existing packet type. Note that you are not allowed to modify the predefined packet types (‘built-ins’) supplied with BorderManager. However, you can manually modify the SYS:ETC\BUILTINS.CFG file if you need to.
Part 2, Defining a New Filter Definition

Starting from the last point in Part 1 above (Figure 4-12), you should be at the list of defined TCP/IP packet types in FILTCFG.NLM. Press the Insert key to add a new filter definition.
Figure 4-13 - FILTCFG - Enter Packet Type Name
The menu for defining your own filter definition comes up. Select Name and enter a descriptive title. (You can edit this name later by reselecting the filter definition and pressing F3.)
Figure 4-14 - FILTCFG - Enter Packet Type Protocol
After entering a descriptive name for the filter definition, select Protocol and press Insert.
Figure 4-15 - FILTCFG - Select Protocol
Select the desired protocol (in this case TCP) and press Enter.
Figure 4-16 - FILTCFG - Enter Source Port
Select Source Port(s) and enter one port number or a range of port numbers. In this example, a range of port numbers is to be allowed as source ports, so enter the range (low port through high port) as shown in Figure 4-16.
Figure 4-17 - FILTCFG - Enter Destination Port
After entering the source port or port range, select Destination Port(s) and enter the single destination port value shown in Figure 4-17.
Figure 4-18 - FILTCFG - Specify Stateful Filtering
Next, select Stateful Filtering and then select Enabled from the menu option.
Figure 4-19 - FILTCFG - Comment the New Definition
Finally, select Comment and enter a good description of the filter definition. It might be a good idea to enter a date and your initials to make custom filter definitions easier to track. You can edit a definition later by selecting it and pressing the F3 key. Press Escape to save the new definition.
Figure 4-20 - FILTCFG - Updated Packet Type List
The new definition appears in the list of available filter definitions. Press Enter to select this new definition and insert it into your filter exception.
Part 3, Finishing the Filter Exception

After creating the new filter definition in Part 2 above, pressing Enter actually applies it to the filter exception being created. All you need to do now is to set source and destination IP addresses (if desired), add a useful comment, and save the changes. In this example, no source or destination IP address is used.
Figure 4-21 - FILTCFG - Add Comment for New Exception
Select Comment and add as descriptive a comment for this filter exception as possible. This is important, as you can easily lose track of what an exception was intended to accomplish. Be sure to press Enter when done typing.

Note: Unfortunately, FILTCFG does not let you specify a range of IP addresses for source or destination IP address. If you cannot use a subnet to define a range, you need to set up individual filter exceptions for each IP address you need.

Press Enter to save the comment.
Press Escape.
Figure 4-22 - FILTCFG - Save New Filter Option
If you want to save this filter exception, select Yes at the Save Filter? prompt.
Figure 4-23 - FILTCFG - New Filter Active in List of Packet Filter Exceptions
The new filter exception should appear in the filter exception list and should go into effect immediately.

Note: It might sometimes be necessary to REINITIALIZE SYSTEM, or possibly UNLOAD IPFLT and then LOAD IPFLT, but this is not normally needed.

Should you wish to make changes to this custom exception, select it, select Packet Type, and press F3 to modify the definition.
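The note in Part 1 about stateful exceptions is the security point of the whole procedure, so here is an added example (Python, my own toy model, not Novell's filter engine) that makes it concrete. It models default-deny filtering with a "packets always permitted" list: the exception built in Parts 1 to 3 (private to public, TCP, high source ports, one destination port, stateful) admits the browser's outbound packet and, through remembered state, the server's reply, but discards an unsolicited packet an outsider sends from source port 80. The same scenario with a non-stateful exception shows what you would otherwise have to add: a second exception for the Dynamic TCP return ports, which admits the outsider's probe too. NAT is left out, the addresses are the ones in this chapter's traces, and 203.0.113.9 is a constructed outside address.

```python
"""Toy model of default-deny packet filtering with a stateful exception, to show
why the exception built in Parts 1-3 above needs no second exception for the
return traffic.  Added example, not Novell code; class and field names are
mine, and NAT is left out (the addresses are the ones used in the traces)."""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Packet:
    src_iface: str   # interface the packet arrived on
    dst_iface: str   # interface it would leave by
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class FilterException:
    """A 'packet always permitted' entry, as in FILTCFG: interfaces, protocol,
    inclusive source/destination port ranges, stateful flag."""
    src_iface: str
    dst_iface: str
    proto: str
    sports: Tuple[int, int]
    dports: Tuple[int, int]
    stateful: bool = False

    def matches(self, p: Packet) -> bool:
        return (p.src_iface == self.src_iface and p.dst_iface == self.dst_iface
                and p.proto == self.proto
                and self.sports[0] <= p.sport <= self.sports[1]
                and self.dports[0] <= p.dport <= self.dports[1])


class Firewall:
    """Default filters deny everything; only an exception (or state remembered
    by a stateful exception) lets a packet through."""

    def __init__(self, exceptions):
        self.exceptions = list(exceptions)
        self.state = set()   # (proto, src, sport, dst, dport) of admitted flows

    def check(self, p: Packet) -> str:
        # Reply to a flow a stateful exception admitted: the 5-tuple reversed.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            return "permit (state)"
        for ex in self.exceptions:
            if ex.matches(p):
                if ex.stateful:
                    self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return "permit (exception)"
        return "discard (default filter)"


HOST, WEB, OUTSIDER = "192.168.10.114", "137.65.2.118", "203.0.113.9"
OUT = Packet("private", "public", "TCP", HOST, WEB, 1050, 80)        # browser SYN
REPLY = Packet("public", "private", "TCP", WEB, HOST, 80, 1050)      # the server's answer
PROBE = Packet("public", "private", "TCP", OUTSIDER, HOST, 80, 1050)  # unsolicited, sport 80


def stateful_verdicts():
    """The exception from this chapter: private->public, TCP, high source
    ports, destination port 80, stateful."""
    fw = Firewall([FilterException("private", "public", "TCP",
                                   (1024, 65535), (80, 80), stateful=True)])
    return fw.check(OUT), fw.check(REPLY), fw.check(PROBE)


def stateless_verdicts():
    """Without state, return traffic needs its own exception (public->private,
    source port 80, Dynamic TCP destination ports), and that exception also
    admits anything an outsider sends from source port 80 to a high port."""
    fw = Firewall([
        FilterException("private", "public", "TCP", (1024, 65535), (80, 80)),
        FilterException("public", "private", "TCP", (80, 80), (1024, 65535)),
    ])
    return fw.check(OUT), fw.check(REPLY), fw.check(PROBE)


if __name__ == "__main__":
    print("stateful :", stateful_verdicts())
    print("stateless:", stateless_verdicts())
```

The state key is the full 5-tuple, so a reply is only admitted from the host and port the inside client actually talked to; the real engine's state table also ages entries out, which this model omits.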
Chapter 5 - Example Outbound Filter Exceptions

All of the examples in this chapter are for connections initiated by a client on the internal LAN. The first packet is sent from the inside of the BorderManager server to the outside, hence the term ‘outbound’.
AIM (AOL Instant Messenger) / AOL

AOL Instant Messenger is something like ICQ, but more limited in features. As you don’t really use real-time chat with AOL, you do not have to set up inbound TCP connectivity for a range of listening ports. All you have to do is to set up a stateful filter exception that opens up TCP port 5190, as shown. The same exception will work to allow AOL as well.
Figure 5-1 - Filter Exception for Outbound AOL / AOL Instant Messenger / ICQ
Figure 5-1 shows a stateful filter exception that will allow AIM or AOL. Later versions of ICQ can also be configured to use destination port 5190.

• Source interface: Private
• Destination interface: Public
• Protocol: TCP
• Source ports: as shown in Figure 5-1
• Destination port: 5190
• Stateful filtering: Enabled

Note: DNS must also be functional for AIM to work, whether by a DNS filter exception, internal DNS server, or DNS proxy on BorderManager.
Cisco VPN Client

Cisco has a fairly new (as of this writing) version of their VPN client that does work behind a NAT connection. Older versions of the Cisco VPN client do not work through NAT, and I am not sure what Cisco components are required to make it work. (You might try a test of the client with filters disabled; if the client VPN doesn’t work then, filter exceptions won’t help you.) The Cisco VPN client that does work over NAT uses only two UDP ports, the ones shown in Figures 5-2 and 5-3.
Figure 5-2 - Filter Exception for Cisco VPN Client Connection, Part 1 of 2
The filter exception shown in Figure 5-2 is one of two filter exceptions necessary to allow Cisco’s VPN client to work through a dynamic NAT connection behind a BorderManager firewall.

• Source interface: Private
• Destination interface: Public
• Protocol: UDP
• Source port: as shown in Figure 5-2
• Destination port: as shown in Figure 5-2
• Stateful filtering: Enabled
Figure 5-3 - Filter Exception for Cisco VPN Client Connection, Part 2 of 2
The filter exception shown in Figure 5-3 is the second of two filter exceptions required to allow a Cisco VPN client to connect through a dynamic NAT connection behind a BorderManager firewall.

• Source interface: Private
• Destination interface: Public
• Protocol: UDP
• Source port: as shown in Figure 5-3
• Destination port: as shown in Figure 5-3
• Stateful filtering: Enabled
Citrix WinFrame / MetaFrame

These filter exceptions will allow the Citrix ICA client traffic and the Citrix browser-based client traffic out of the BorderManager firewall. Because Citrix has used two different client technologies, one a standalone client (ICA) and the other a snap-in component of a web browser, different filter exceptions may be required.
Figure 5-4 - Filter Exception for Outbound Citrix ICA Client
The filter exception shown in Figure 5-4 allows the standalone ICA client to communicate with a remote Citrix WinFrame/MetaFrame host outside the BorderManager firewall.

• Source interface: Private
• Destination interface: Public
• Protocol: TCP
• Source ports: as shown in Figure 5-4
• Destination port: 1494 (ICA)
• Stateful filtering: Enabled
Figure 5-5 - Filter Exception for Outbound Citrix Browser Client
The filter exception shown in Figure 5-5 allows the browser-based client, and later versions of the standalone ICA client, to communicate with a remote Citrix WinFrame/MetaFrame host outside the BorderManager firewall.

• Source interface: Private
• Destination interface: Public
• Protocol: TCP
• Source ports: as shown in Figure 5-5
• Destination port: as shown in Figure 5-5
• Stateful filtering: Enabled
Client-to-Site VPN over NAT

These filter exceptions are needed to allow a host to make an outbound Novell BorderManager Client-to-Site VPN connection over dynamic NAT.

Note: Only BorderManager version 3.6 (or later) can accept a VPN client connection when the client is behind a NAT router hop. This will not work for BorderManager 2.1, 3.0 or 3.5 Client-to-Site VPN, or BorderManager 3.6 if an earlier VPN client is installed on the remote PC.

The BorderManager VPN server must allow the VPN data port (UDP, shown in Figure 5-7) inbound to the public IP address, which the default filter exceptions allow with the Dynamic UDP exception.
Figure 5-6 - Filter Exception for Initial BorderManager Client-to-Site VPN Authentication over NAT

The filter exception shown in Figure 5-6 allows the initial Client-to-Site VPN connection to be made by allowing the authentication information to pass through.

• Source interface: Private
• Destination interface: Public
• Protocol: TCP
• Source ports: 1024-65535
• Destination port: [illegible]
• Stateful filtering: Enabled
Figure 5-7 - Filter Exception for Outbound BorderManager Client-Site VPN over NAT

The filter exception shown in Figure 5-7 allows the Client-to-Site VPN data to be passed through NAT using UDP port [illegible].

• Source interface: Private
• Destination interface: Public
• Protocol: UDP
• Source ports: [illegible]
• Destination port: [illegible]
• Stateful filtering: Enabled
Figure 5-8 - Filter Exception for BorderManager Client-to-Site VPN KeepAlive Packets over Dynamic NAT

The filter exception shown in Figure 5-8 allows the VPN keep-alive packets necessary to maintain a BorderManager Client-to-Site VPN connection once it is established.

• Source interface: Private
• Destination interface: Public
• Protocol: UDP
• Source ports: [illegible]
• Destination port: [illegible]
• Stateful filtering: Enabled
CLNTRUST

The CLNTRUST utility supplied with BorderManager 3.x is extremely useful when you have enabled Proxy Authentication. Unfortunately, it sometimes tries to communicate with the BorderManager public IP address, where it is then blocked by the default filters. The following filter exception, allowing TCP port [illegible] to the public IP address, seems to allow CLNTRUST to work more reliably.

Figure 5-9 - Filter Exception for Internal CLNTRUST Traffic to Public IP Address

The filter exception shown in Figure 5-9 often fixes random problems with CLNTRUST not working.

• Source interface: Private
• Destination interface: Public
• Protocol: TCP
• Source ports: 1024-65535
• Destination port: [illegible]
• Stateful filtering: Enabled
• Destination IP address: your BorderManager server's public IP address
This problem may be prevented in the first place by doing one of the following:

1. In Monitor | Server Parameters | NCP, put the BorderManager private IP address(es) in the NCP Include IP Addresses field. (The NCP parameters may not be present until you apply the latest NetWare patch.)
2. In SYS:ETC\TCPIP.CFG, the first TCP/IP binding should always be the private IP address.
DNS from Internal PC’s to an ISP’s DNS Servers

Figure 5-10 - Filter Exception for Outbound DNS Queries over UDP with Source Ports Specified

The filter exception shown in Figure 5-10 allows typical outbound DNS lookup queries over UDP.

• Source interface: Private
• Destination interface: Public
• Protocol: UDP
• Source ports: 1024-65535
• Destination port: 53
• Stateful filtering: Enabled
Figure 5-11 - Filter Exception for Outbound DNS Queries over TCP

The filter exception shown in Figure 5-11 allows outbound DNS lookup queries over TCP, which is not generally done. A DNS exchange falls back to TCP when the response does not fit within a single UDP packet (the server marks the reply truncated and the resolver retries over TCP). However, a more typical use of DNS over TCP for lookup queries is within NSLOOKUP tools such as Cyberkit, which can specify whether UDP or TCP is to be used.

• Source interface: Private
• Destination interface: Public
• Protocol: TCP
• Source ports: 1024-65535
• Destination port: 53
• Stateful filtering: Enabled
FTP

FTP filter exceptions are also a bit tricky. If you use a browser to go to an FTP server, you may actually be using the HTTP protocol to retrieve a file, and this filter exception isn’t
A number of different FTP filter exceptions might be required, but the Novell-supplied ftp-port-pasv-st filter is a good one to try.

Figure 5-12 - Filter Exception for Outbound FTP

The filter exception shown in Figure 5-12 should allow FTP clients to establish an FTP session with an external host.

• Source interface: Private
• Destination interface: Public
• Protocol: TCP
• Source ports: All
• Destination port: 21
• Stateful filtering: Enabled (for PORT and PASV modes)
0QVGWhen using the ftp-port-pasv-st filter definition, port 20 traffic (used for FTP data transfers) is automatically allowed, and a separate filter exception for port 20 is not required. (A very smart filter exception, that ftp-port-pasv-st!)
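What a PORT/PASV-aware stateful definition such as ftp-port-pasv-st has to do in order to let the data connection through without a standing port 20 exception can be shown with a small tracker. The following is an added example written for this page, not Novell's filter code: it reads PORT commands and 227 (PASV) replies on the control connection, records the single data connection each one implies, and passes a new SYN only when it matches a recorded expectation that has not yet been used. It also refuses a PORT that names any address other than the client's own, which is the FTP bounce trick that would otherwise let a client talk the filter into opening a hole to a third host. The addresses, ports and command lines are constructed; NAT rewriting of the PORT address is not modelled.

```python
"""Model of the tracking a PORT/PASV-aware stateful FTP exception performs.

Added example, not Novell's code. Endpoints and command lines are constructed;
NAT rewriting of the address in PORT is out of scope.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]
# h1,h2,h3,h4,p1,p2 as carried by the PORT command and by the 227 reply to PASV
_HOST_PORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_host_port(text: str) -> Optional[Endpoint]:
    """Decode the six-number FTP address form into (ip, port); None if absent or malformed."""
    m = _HOST_PORT.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(v > 255 for v in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


@dataclass
class FtpSession:
    client: Endpoint                      # internal client's end of the control connection
    server: Endpoint                      # external server, normally port 21
    pasv_pending: bool = False
    # Data connections negotiated but not yet seen: (initiator ip, initiator port or None, responder)
    expected: Set[Tuple[str, Optional[int], Endpoint]] = field(default_factory=set)


class FtpTracker:
    """Follows each control connection and opens exactly the data connection it negotiates."""

    def __init__(self) -> None:
        self.sessions: Dict[Tuple[Endpoint, Endpoint], FtpSession] = {}

    def control_open(self, client: Endpoint, server: Endpoint) -> None:
        self.sessions[(client, server)] = FtpSession(client, server)

    def client_command(self, client: Endpoint, server: Endpoint, line: str) -> str:
        s = self.sessions[(client, server)]
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "PORT":
            ep = parse_host_port(arg)
            # Active mode: the server connects from port 20 to the address the client names.
            # Accept only the client's own address on a non-privileged port; anything else is the
            # FTP bounce trick, which would make the filter open a hole to some other host.
            if ep and ep[0] == client[0] and ep[1] >= 1024:
                s.expected.add((server[0], 20, ep))
                return "PORT accepted"
            return "PORT rejected"
        if verb == "PASV":
            s.pasv_pending = True
        return "ok"

    def server_reply(self, client: Endpoint, server: Endpoint, line: str) -> str:
        s = self.sessions[(client, server)]
        if line.startswith("227") and s.pasv_pending:
            s.pasv_pending = False
            ep = parse_host_port(line)
            # Passive mode: the client connects out to the port the server announced.
            # Trust only the server's own address; the client's source port is not known yet.
            if ep and ep[0] == server[0]:
                s.expected.add((client[0], None, ep))
                return "PASV accepted"
            return "227 rejected"
        return "ok"

    def data_syn_allowed(self, src: Endpoint, dst: Endpoint) -> bool:
        """Decision for a new TCP connection that is not to the control port."""
        for s in self.sessions.values():
            for ip, port, responder in list(s.expected):
                if responder == dst and ip == src[0] and port in (None, src[1]):
                    s.expected.discard((ip, port, responder))   # one connection per negotiation
                    return True
        return False


def demo() -> Dict[str, bool]:
    """Replays one control session and asks the tracker about five data-connection SYNs."""
    t = FtpTracker()
    client, server = ("192.168.10.20", 1051), ("203.0.113.5", 21)   # constructed endpoints
    t.control_open(client, server)
    t.client_command(client, server, "PASV")            # 30,200 below encodes 30*256+200 = 7880
    t.server_reply(client, server, "227 Entering Passive Mode (203,0,113,5,30,200)")
    t.client_command(client, server, "PORT 192,168,10,20,4,29")    # 4,29 encodes port 1053
    t.client_command(client, server, "PORT 192,168,10,99,0,80")    # bounce attempt: other host
    return {
        "pasv data out": t.data_syn_allowed(("192.168.10.20", 1052), ("203.0.113.5", 7880)),
        "active data in": t.data_syn_allowed(("203.0.113.5", 20), ("192.168.10.20", 1053)),
        "replay of active": t.data_syn_allowed(("203.0.113.5", 20), ("192.168.10.20", 1053)),
        "unsolicited from port 20": t.data_syn_allowed(("203.0.113.5", 20), ("192.168.10.20", 1054)),
        "bounce target": t.data_syn_allowed(("203.0.113.5", 20), ("192.168.10.99", 80)),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:26} {'allow' if allowed else 'deny'}")
```

A plain stateful exception on port 21 would see only the control connection; the server's connection from port 20 in active mode, or the client's connection to a high port in passive mode, is dropped unless something follows the negotiation in this way.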
GroupWise Remote Client

Should you need to connect to a GroupWise server on the Internet, you can set up the following stateful filter exception. It is more likely that you will need to set up inbound capability for GroupWise Remote, and an example of that is shown in the section on inbound exceptions for static NAT. The standard GroupWise client port number is 1677, though any port number could be configured by the GroupWise administrator.

Figure 5-13 - Filter Exception for Outbound GroupWise Remote Client

The filter exception shown in Figure 5-13 allows internal hosts to access a GroupWise server on the Internet using the standard GroupWise port number.

• Source interface: Private
• Destination interface: Public
• Protocol: TCP
• Source ports: 1024-65535
• Destination port: 1677
• Stateful filtering: Enabled
ICQ Version 2000b

ICQ 2000b (and, I assume, later versions) might default to using the same port number as AOL Instant Messenger (TCP destination port 5190). If in ICQ Preferences | Server you see port 5190 entered for the server login.icq.com, use the filter exception for AOL Instant Messenger.

Figure 5-14 - ICQ 2000b Settings for AOL Port Number

Figure 5-14 shows settings for ICQ 2000b set up for the same port number as for AOL Instant Messenger.
Figure 5-15 - Filter Exception for Outbound ICQ 2000b

The filter exception shown in Figure 5-15 allows an internal ICQ 2000b client configured for port 5190 to establish an ICQ connection.

• Source interface: Private
• Destination interface: Public
• Protocol: TCP
• Source ports: 1024-65535
• Destination port: 5190
• Stateful filtering: Enabled

If you want to BLOCK chat programs like this, refer to the discussion “Blocking Chat Programs” later in this book.
IMAP

IMAP is a mail protocol that might be used instead of POP3. This filter exception allows an internal host to check mail on an Internet host using the IMAP protocol.

Figure 5-16 - Filter Exception for Outbound IMAP

The filter exception shown in Figure 5-16 allows an internal host to check email on an Internet host using IMAP.

• Source interface: Private
• Destination interface: Public
• Protocol: TCP
• Source ports: 1024-65535
• Destination port: 143
• Stateful filtering: Enabled
Microsoft MSN Messenger

Microsoft MSN Messenger (the version tested for this example) has an option to work through an HTTP Proxy. However, even when the application is configured to use the HTTP Proxy, it still attempted to make a direct connection on TCP destination port 1863. Only after timing out on port 1863 did MSN Messenger try to use the HTTP Proxy settings. If you want to simply allow this application to work without using the HTTP Proxy, you can use the following stateful filter exception.

Figure 5-17 - Filter Exception for Outbound MSN Messenger

The filter exception shown in Figure 5-17 allows an internal host using Microsoft MSN Messenger to directly access MSN messaging services without configuring a proxy.

• Source interface: Private
• Destination interface: Public
• Protocol: TCP
• Source ports: 1024-65535
• Destination port: 1863
• Stateful filtering: Enabled
Microsoft Windows Media Player

Microsoft Windows Media Player can connect to the Internet to access files in MMS format. Most Internet connections can make use of the HTTP Proxy, if set in Media Player, but the MMS streaming format should be configured to use TCP destination port 1755.

Figure 5-18 - Windows Media Player MMS Protocol Settings

The screenshot shown in Figure 5-18 shows Media Player configured not to use a proxy server for the MMS protocol.
Figure 5-19 - Filter Exception for Outbound Windows Media Player MMS Protocol

The filter exception shown in Figure 5-19 allows an internal host using Windows Media Player to access MMS streaming sources on the Internet.

• Source interface: Private
• Destination interface: Public
• Protocol: TCP
• Source ports: 1024-65535
• Destination port: 1755
• Stateful filtering: Enabled
NNTP

Since the BorderManager 3.x NNTP Proxy service only allows you to proxy one NNTP server for port 119, it is often much easier to just set up a stateful filter exception to allow any NNTP server to be accessed across BorderManager from inside the network.

Figure 5-20 - Filter Exception for Outbound NNTP

The filter exception shown in Figure 5-20 allows internal hosts to make NNTP connections to a Usenet server on the Internet.

• Source interface: Private
• Destination interface: Public
• Protocol: TCP
• Source ports: 1024-65535
• Destination port: 119
• Stateful filtering: Enabled
NTP/SNTP

You may have internal hosts that wish to use NTP (Network Time Protocol) or SNTP (Simple Network Time Protocol) to set a clock to an Internet-based time reference server. For example, a UNIX host or NetWare server might use SNTP, as would a PC running an SNTP client program. In these cases, set up a stateful filter exception to allow port 123 through BorderManager. (It is also easy to set up a Generic UDP Proxy for NTP/SNTP.)

Figure 5-21 - Filter Exception for Outbound NTP

The filter exception shown in Figure 5-21 allows NTP/SNTP via protocol UDP. Note that NTP uses port 123 for both source and destination ports. Some SNTP clients send from an ephemeral port instead; for those, widen the source ports to 1024-65535.

• Source interface: Private
• Destination interface: Public
• Protocol: UDP
• Source ports: 123
• Destination port: 123
• Stateful filtering: Enabled
The filter exception shown in Figure 5-21 will not work if BorderManager itself is the NTP time server. If the BorderManager server is the time server, it will try to send requests from the public IP address. For best results you would need to change the exception above to call out a source interface of Public and add a source IP address of your public IP address.

Note: More information on using NTP in your LAN can be found in the Novell AppNote "Using Network Time Protocol (NTP) with NetWare 5", July 1999:
http://developer.novell.com/research/appnotes/1999/a9907.htm
pcANYWHERE

The pcANYWHERE program (the versions tested here, at least) uses one of two different UDP ports to locate a pcANYWHERE host, then a particular TCP port to exchange data. Three stateful filter exceptions are needed to allow outbound connectivity for pcANYWHERE:

• UDP destination port 22 (source ports 1024-65535) is used to locate another pcANYWHERE host, and may be the only port used to locate an older version of pcANYWHERE.
• UDP destination port 5632 (source ports 1024-65535) is also used to locate another pcANYWHERE host.
• TCP destination port 5631 (source ports 1024-65535) is used to exchange data between pcANYWHERE hosts once the two hosts have located each other using UDP.

Figure 5-22 - Filter Exception for Outbound pcANYWHERE Location Protocol (Old)

The filter exception shown in Figure 5-22 allows the old (obsolete) pcANYWHERE location protocol.

• Source interface: Private
• Destination interface: Public
• Protocol: UDP
• Source ports: 1024-65535
• Destination port: 22
• Stateful filtering: Enabled
Figure 5-23 - Filter Exception for Outbound pcANYWHERE Location Protocol

The filter exception shown in Figure 5-23 allows the newer pcANYWHERE location protocol.

• Source interface: Private
• Destination interface: Public
• Protocol: UDP
• Source ports: 1024-65535
• Destination port: 5632
• Stateful filtering: Enabled
Figure 5-24 - Filter Exception for Outbound pcANYWHERE Data

The filter exception shown in Figure 5-24 allows pcANYWHERE data connections from an internal PC to a pcANYWHERE host on the Internet.

• Source interface: Private
• Destination interface: Public
• Protocol: TCP
• Source ports: 1024-65535
• Destination port: 5631
• Stateful filtering: Enabled
PING (ICMP)

It is often desirable to be able to PING remote hosts to test basic connectivity. However, the BorderManager default filters will block ICMP packets, and PING tests (which rely on ICMP) will fail. This example shows how to set up a stateful filter exception to allow PING testing outbound while still blocking unsolicited PING packets from coming in.

CAUTION: ICMP is much more than just PING, and it is important from a security standpoint not to just allow all ICMP to your network! The stateful filter exception shown is secure, but it will not allow your server to be pinged from the public side or allow you to ping from the server console itself.

Figure 5-25 - Filter Exception for Outbound ICMP (PING & TRACERT)

The filter exception shown in Figure 5-25 allows protocol ICMP from an internal host to any IP address. It will not allow the BorderManager server itself to ping, because it requires the ICMP packets to come across the private interface. Windows TRACERT works through it because it sends ICMP echo requests; a UNIX traceroute, which probes with UDP, needs its own exception.

• Source interface: Private
• Destination interface: Public
• Protocol: ICMP
• Stateful filtering: Enabled
POP3

If you want to allow any host on your network to simply check their email at an ISP’s POP3 server, set up the following stateful filter exception to pass TCP port 110 traffic through.

Figure 5-26 - Filter Exception for Outbound POP3

The filter exception shown in Figure 5-26 allows outbound POP3 requests.

• Source interface: Private
• Destination interface: Public
• Protocol: TCP
• Source ports: 1024-65535
• Destination port: 110
• Stateful filtering: Enabled

The alternative to this exception for BorderManager 3.x is to use the Mail Proxy.
CAUTION The built-in filter exception for POP3-ST in BorderManager 3.5 is NOT stateful. Either create a new exception, called POP3a-ST or similar, or follow the instructions on page 228 to fix the definition.
RDATE

NetWare servers can use a free program from http://www.murkworks.com/ called RDATE.NLM to set their clocks to a time server on the Internet. RDATE uses port 37, so you might want to set up a stateful filter exception to allow UDP port 37 through BorderManager. (It is also easy to set up a Generic UDP proxy for RDATE.)

Figure 5-27 - Filter Exception for Outbound RDATE Time Protocol

The filter exception shown in Figure 5-27 allows outbound RDATE requests via protocol UDP from an internal host.

• Source interface: Private
• Destination interface: Public
• Protocol: UDP
• Source ports: 1024-65535
• Destination port: 37
• Stateful filtering: Enabled
If the BorderManager server itself is running RDATE, you will need to change the source interface to Public and make the source IP address equal to your public IP address.

Should you wish to use RDATE on your time reference server, you can use these settings, but read the RDATE documentation so that you thoroughly understand the ramifications of the M option.

The IP address shown in the example below belongs to a time server in Boulder, Colorado. You may find a list of NTP time servers on the Internet, and some of those may support RDATE using either UDP or TCP protocol.

LOAD RDATE <options> <time server IP address>

• U: use UDP
• V: allow up to the given number of seconds of drift
• P: check the time every given number of minutes
• M: (set to a large number) the number of seconds the time can be off and RDATE will still change it
• The IP address of a time server at the US National Institute of Standards and Technology (NIST)
RealAudio (RealPlayer G2)

RealAudio streams may come in two formats –

Figure 5-28 - RealPlayer G2 Settings to Bypass PNA & RTSP Proxy

Do not configure RealPlayer to use a PNA Proxy if you wish to bypass the BorderManager 3.x RealAudio proxy.

RealPlayer G2 first uses HTTP to locate a RealAudio site. You must therefore have both DNS and HTTP allowed in some manner for RealPlayer G2 to connect to a site. Once the site has been found, TCP port 7070 carries the data. In the example shown, RealPlayer G2 is configured to use the same proxy settings as the default browser (which means Internet Explorer), which should be port 8080 and the BorderManager private IP address. (BorderManager in this case was set up with HTTP Proxy enabled. DNS in this case was already allowed by a stateful filter exception.)

This filter exception was tested using RealPlayer G2. At the workstation, first configure RealPlayer G2 under Options | Preferences | Proxy to use your Internet Explorer browser’s proxy settings, or manually configure the BorderManager private IP address and the proxy port number in use (if any). If you are not using the BorderManager HTTP proxy, you must have filter exceptions allowing HTTP (port 80) through, or RealPlayer G2 will not work.

Figure 5-29 - Filter Exception for Outbound RealAudio (PNA)

The stateful filter exception shown in Figure 5-29 allows internal hosts not configured for a RealAudio proxy to access RealAudio (PNA) sources.

• Source interface: Private
• Destination interface: Public
• Protocol: TCP
• Source ports: 1024-65535
• Destination port: 7070
• Stateful filtering: Enabled
RTSP (Real Time Streaming Protocol)

This exception is useful if you have problems with the RTSP Proxy in BorderManager 3.5 or 3.6, or are using an earlier BorderManager version, which doesn’t have an RTSP Proxy.

Figure 5-30 - Filter Exception for Outbound RTSP

The filter exception shown in Figure 5-30 should be used when RealPlayer is not configured to use an RTSP Proxy.

• Source interface: Private
• Destination interface: Public
• Protocol: TCP
• Source ports: 1024-65535
• Destination port: 554
• Stateful filtering: Enabled
0QVGA number of versions of PROXY.NLM in BorderManager 3.5 and 3.6 have had problems with RTSP Proxy. The problems should be solved using PROXY.NLM version 022 or later.
SMTP

Since the BorderManager mail proxy has had a history of various problems and limitations, it can be useful to set up an SMTP filter exception. The exception shown will simply allow outbound SMTP, so that any host can send mail to an ISP’s mail server, by allowing port 25 traffic. Note that many ISPs may not allow SMTP relaying off their mail servers unless the SMTP source address originates within the ISP’s network.

Figure 5-31 - Filter Exception for Outbound SMTP

The filter exception shown in Figure 5-31 allows internal hosts to send email to any external SMTP host that will accept it from your IP address. Spam relay controls, now generally applied, usually mean that you can send SMTP only to an SMTP server at your ISP. If that is all you need, set the Destination IP Address to that server; an exception open to any destination also lets a mass-mailing worm on an internal PC deliver directly to arbitrary mail servers.

• Source interface: Private
• Destination interface: Public
• Protocol: TCP
• Source ports: 1024-65535
• Destination port: 25
• Stateful filtering: Enabled
SSL (HTTPS)

Even though you may be using the HTTP proxy to allow outbound web browsing, you may wish to allow SSL traffic to bypass the HTTP proxy. If so, you might also want to set up a stateful filter exception to allow port 443 out through the BorderManager server. Bear in mind that traffic through this exception bypasses the proxy's access rules and logging, and that anything willing to talk on port 443, not only HTTPS, can use it.

Figure 5-32 - Filter Exception for Outbound SSL / HTTPS

The filter exception shown in Figure 5-32 allows internal hosts to make HTTPS/SSL connections.

• Source interface: Private
• Destination interface: Public
• Protocol: TCP
• Source ports: 1024-65535
• Destination port: 443
• Stateful filtering: Enabled
TELNET

This example will allow any user in your LAN to establish a TELNET session to an external host.

Figure 5-33 - Filter Exception for Outbound TELNET

The filter exception shown in Figure 5-33 allows internal hosts to make outbound TELNET connections on the standard TELNET port number (23).

• Source interface: Private
• Destination interface: Public
• Protocol: TCP
• Source ports: 1024-65535
• Destination port: 23
• Stateful filtering: Enabled
0QVGThis filter exception is not strictly necessary for BorderManager 3.5 or 3.6, which provides a Transparent TELNET proxy, but the Transparent Telnet proxy there has had some history of causing problems with the server, such as ABENDS.
Terminal Server

In case you need to access a Microsoft Terminal Server outside your network, use the following filter exception. Should you need to make an internal Terminal Server available to the Internet via static NAT, see the example later in this book.

Figure 5-34 - Filter Exception for Outbound Microsoft Terminal Server

The filter exception shown in Figure 5-34 allows an internal host to access a Microsoft Terminal Server on the Internet.

• Source interface: Private
• Destination interface: Public
• Protocol: TCP
• Source ports: 1024-65535
• Destination port: 3389
• Stateful filtering: Enabled
VNC Viewer

VNC is a free, open-source remote control program that can run on Windows. You can use it as an alternative to a program like pcANYWHERE, though it does not have the features or speed of pcANYWHERE. See the following URL to download VNC:
http://www.uk.research.att.com/vnc/download.html

VNC allows multiple sessions to be run at the same time (up to 10 at the time of this writing). Each session requires a different port number, starting at 5900 and going up to 5909. The example shown opens the entire range for the maximum number of simultaneous sessions. An example for inbound usage through static NAT is shown later.

Figure 5-35 - Filter Exception for Outbound VNC Viewer for 10 Console Sessions

The filter exception shown in Figure 5-35 allows an internal host to use the VNC Viewer program to access a VNC server on the Internet.

• Source interface: Private
• Destination interface: Public
• Protocol: TCP
• Source ports: 1024-65535
• Destination ports: 5900-5909
• Stateful filtering: Enabled
VNC Browser Interface

VNC can also be accessed via a browser on ports 5800 through 5809. Similar to the VNC Viewer, up to 10 sessions can be opened, with session 0 using port 5800, session 1 using port 5801, etc. In addition to the ports shown in this example, TCP destination ports 5900-5909 must also be opened, as in the previous example for VNC Viewer, and TCP destination port 80 (HTTP) will be used. If the browser is using the HTTP Proxy, you do not need to open TCP destination port 80 through BorderManager.

Figure 5-36 - Filter Exception for Outbound VNC through a Web Browser for 10 Console Sessions

The filter exception shown in Figure 5-36 allows an internal host to use a web browser to connect to a VNC host on the Internet, as long as the browser is also able to make an HTTP connection to the host and as long as the VNC Viewer ports are opened.

• Destination interface: Public
• Protocol: TCP
• Source ports: 1024-65535
• Destination ports: 5800-5809
• Stateful filtering: Enabled
Chapter 6 - Example Inbound Filter Exceptions
DHCP to a PC on the Public Subnet

– one for BOOTPC (BootP Client) and two for BOOTPS (BootP Server).

Figure 6-1 - Filter Exception for Initial DHCP Client Request to Broadcast Address on Public Interface

The filter exception shown in Figure 6-1 allows the DHCP requests in to the BorderManager server on the public interface.

• Source interface: Public
• Destination interface: Public
• Protocol: UDP
• Source ports: All
• Destination port: 67
• Destination IP address: Multicast (the initial DHCP request is sent to the limited broadcast address, 255.255.255.255)
Figure 6-2 - Filter Exception for DHCP Client Responses from Public IP Address

The filter exception shown in Figure 6-2 allows the BorderManager server to respond to DHCP requests.

• Source interface: Public
• Destination interface: Public
• Protocol: UDP
• Source ports: All
• Destination port: 68
• Source IP address: your public IP address
Figure 6-3 - Filter Exception for Inbound DHCP Renewal Requests

The third filter exception, shown in Figure 6-3, allows BOOTPS requests to the public IP address of the BorderManager server. This exception is necessary if you wish to allow DHCP renewal requests from the client.

• Source interface: Public
• Destination interface: Public
• Protocol: UDP
• Source ports: All
• Destination port: 67
• Destination IP address: your public IP address
DHCP to the BorderManager Server
Figure 6-4 - Filter Exception for Public Interface to get DHCP Address

The filter exception shown in Figure 6-4 shows BOOTPC allowed on the public interface. This filter exception allows the server to send and receive broadcast DHCP address requests, and to send and receive DHCP lease renewals.

• Source interface: Public
• Destination interface: Public
• Protocol: UDP
• Source ports: All
• Destination port: 68
Portal Web Manager on Generic TCP Proxy (on Secondary IP Address)

Portal Web Manager is a very nice utility included with NetWare servers that allows a great deal of management and troubleshooting to be done through a web interface. Because of the way it works when a user logs in (changing from one port to another and making a new connection), it doesn’t work via static NAT. It will work fine through a generic TCP proxy configured for port 8008 and port 8009 (the default ports, which can be changed).

This example allows the inbound traffic for both standard Portal ports. It is possible that you could configure several different generic TCP proxies for different internal Portal servers on a single public IP address, as long as each Portal has been configured to listen on different port numbers. Different port numbers would, of course, require another set of custom filter exceptions. Portal gives full administrative control of the server, so if you must expose it this way, restrict the Source IP Address on the inbound exception to the management hosts that need it rather than leaving it open to any address.

Figure 6-5 - Filter Exception for Inbound Portal Web Manager to Generic TCP Proxy on Secondary IP Address

The filter exception shown in Figure 6-5 allows a web browser on the Internet to send inbound traffic to access Novell’s Portal Web Manager via a Generic TCP Proxy listening on the specified public IP address.

• Source interface: Public
• Destination interface: Public
• Protocol: TCP
• Source ports: 1024-65535
• Destination ports: 8008-8009
• Destination IP address: your generic TCP proxy public IP address

The following exception allows the outbound return traffic from the Generic TCP Proxy for Portal Web Manager traffic.

Figure 6-6 - Filter Exception for Portal Responses from Generic TCP Proxy on Secondary Public IP Address

The filter exception shown in Figure 6-6 allows a Generic TCP Proxy on the secondary public IP address to respond to inbound requests.

• Source interface: Public
• Destination interface: Public
• Protocol: TCP
• Source ports: 8008-8009
• Destination ports: 1024-65535
• ACK bit filtering: Enabled
• Source IP address: your generic TCP proxy public IP address
Reverse HTTP Proxy (on Secondary IP Address)

Figure 6-7 - Filter Exception for HTTP to Reverse HTTP Proxy on Secondary Public IP Address

The filter exception shown in Figure 6-7 will allow inbound HTTP requests to a reverse proxy on the specified destination IP address.

• Source interface: Public
• Destination interface: Public
• Protocol: TCP
• Source ports: 1024-65535
• Destination port: 80
• Destination IP address: your reverse HTTP proxy public IP address
Figure 6-8 - Filter Exception for Reverse HTTP Proxy Responses from Reverse HTTP Proxy on Secondary Public IP Address
The filter exception shown in Figure 6-8 allows the reverse HTTP proxy to respond to inbound requests.
• Source interface: Public
• Destination Interface: Public
• Protocol: TCP
• Source port
• Destination ports
• ACK Bit Filtering: enabled
• Source IP Address: your reverse HTTP proxy public IP address
that the ACK bit be set ensures that the high ports are only used when the web server initiates the TCP connection.
SSL to Reverse HTTP Proxy (on Secondary IP Address)
If your internal web server being reverse accelerated requires SSL (HTTPS), you also need to allow SSL port traffic to the secondary IP address of the reverse proxy. This filter exception also allows SSL Proxy Authentication to a reverse proxy, should that option be enabled.
Figure 6-9 - Filter Exception for Inbound HTTPS/SSL to Reverse HTTP Proxy on Secondary Public IP Address
The filter exception shown in Figure 6-9 allows SSL (HTTPS) to the reverse proxy by allowing protocol TCP, any source port and the SSL destination port, to a destination IP address set to the secondary IP address configured for reverse proxy acceleration. A custom exception has been defined that specifies the source ports for improved security.
• Source interface: Public
• Destination Interface: Public
• Protocol: TCP
• Source ports
• Destination port
• Destination IP Address: your reverse HTTP proxy public IP address
Figure 6-10 - Filter Exception for Outbound HTTPS / SSL Responses from Reverse HTTP Proxy on Secondary Public IP Address
The filter exception shown in Figure 6-10 allows outbound HTTPS (SSL) responses from a reverse HTTP proxy on the specified source public IP address.
• Source interface: Public
• Destination Interface: Public
• Protocol: TCP
• Source port
• Destination ports
• ACK Bit Filtering: enabled
• Source IP Address: your reverse HTTP proxy public IP address
RCONJ on Generic Proxy (on Secondary IP Address)
The point of this example is to allow inbound RCONJ (Java Remote Console) traffic to an internal NetWare server using Generic TCP Proxy. The default TCP destination port of RCONJ is the one called out in the command line when loading RCONAG6.
Note: If ZENWorks for Servers has been installed, you might see that RCONJ can be launched in secure mode, using the LOAD RCONAGP ENCRYPT command, which uses port 2037 by default.
Figure 6-11 - Filter Exception for Inbound RCONJ to Generic TCP Proxy on Secondary Public IP Address
The filter exception shown in Figure 6-11 allows inbound RCONJ traffic to a generic proxy set up for the RCONAG6 standard port numbers on the specified destination IP address.
• Source interface: Public
• Destination Interface: Public
• Protocol: TCP
• Source ports
• Destination port
• Destination IP Address: your reverse HTTP proxy public IP address
The following exception allows the outbound RCONJ return traffic.
Figure 6-12 - Filter Exception for Outbound Responses from RCONJ on Generic TCP Proxy
The filter exception shown in Figure 6-12 allows a Generic TCP Proxy for RCONAG6 on the specified source public IP address to respond to inbound RCONJ requests. Note that the ACK bit has been set.
• Source interface: Public
• Destination Interface: Public
• Protocol: TCP
• Source port
• Destination port
• ACK Bit Filtering: enabled
• Source IP Address: your Generic TCP proxy public IP address
Chapter 7 - Example Inbound Filter Exceptions Using Static NAT
Static NAT is always done using secondary IP addresses, and the BorderManager default filters should block all traffic to a secondary IP address on the public side. It is therefore necessary to set up two filter exceptions for each static NAT address pair, unless stateful filters are used. Since stateful filters have additional overhead, and you normally aren’t worried about hacking into the static NAT traffic from inside your LAN, I recommend using non-stateful filter exceptions with static NAT. In addition, there is a rare security exploit that can be used to bring additional ports in through a stateful filter exception once a session has been established. It can be safer to configure non-stateful exceptions for inbound traffic from the Internet.
Note: You can generally use BorderManager 3.x generic TCP and UDP proxies as an alternative to Static NAT. In this case, the only difference in the filter exceptions would be to change the source/destination IP addresses from the internal IP address of the host to the public IP address of the proxy. You would also need to specify access rules, and the BorderManager PROXY.NLM would have to be running. Some types of traffic (POP3, NNTP, SMTP, etc.) cannot be done with BorderManager Generic proxies if a dedicated proxy is provided. (E.g. Mail Proxy must be used for SMTP and POP3).
Citrix WinFrame
Citrix WinFrame hosts can be accessed by two different client types, each requiring their own particular destination port number. The examples shown will allow inbound connections from both a stand-alone Citrix ICA (Independent Computing Architecture) client and a browser-based snap-in client.
Figure 7-1 - Filter Exception for Inbound Citrix ICA Client
The filter exception shown in Figure 7-1 allows inbound traffic from the Citrix ICA client to an internal Citrix WinFrame host through static NAT.
• Source Interface: Public
• Destination Interface: Private
• Protocol: TCP
• Source ports
• Destination port
• Destination IP Address: your Citrix server internal address
Figure 7-2 - Filter Exception for Outbound Citrix ICA Client Responses
The filter exception shown in Figure 7-2 allows outbound return responses from the internal Citrix WinFrame host to an external Citrix ICA client. Note that the ACK bit filtering has been enabled.
• Source Interface: Private
• Destination Interface: Public
• Protocol: TCP
• Source port
• Destination ports
• Source IP Address: your Citrix server internal address
Note: Citrix needs the altaddr /set x.x.x.x command to be used, plus a correct default route specified, in order to be accessible over static NAT. See your Citrix documentation on the use of the altaddr command.
Figure 7-3 - Filter Exception for Inbound Citrix Browser-based Client
The filter exception shown in Figure 7-3 allows inbound traffic from the Citrix browser-based client to an internal Citrix WinFrame/MetaFrame host through static NAT.
• Source Interface: Public
• Destination Interface: Private
• Protocol: TCP
• Source Ports
• Destination Port
• Destination IP Address: your Citrix server internal address
Figure 7-4 - Filter Exception for Outbound Citrix Browser-based Client Responses
The filter exception shown in Figure 7-4 allows outbound return traffic from an internal Citrix WinFrame/MetaFrame host to an external Citrix browser-based client.
• Source Interface: Private
• Destination Interface: Public
• Protocol: TCP
• Source port
• Destination ports
• ACK Bit Filtering: Enabled
• Source IP Address: your Citrix server internal address
FTP
FTP through a Static NAT connection should be done with an inbound non-stateful exception (for the two FTP ports) and one or two outbound non-stateful exceptions to allow the response packets. The testing was done using command prompt FTP in Windows and CuteFTP to a NetWare Novonyx FTP server.
Figure 7-5 - Filter Exception for Inbound FTP Control and Data Ports
The filter exception shown in Figure 7-5 is all that was needed for CuteFTP and command-line FTP to make inbound connections and transfer data. This custom filter exception uses a source interface of the BorderManager public interface and a destination interface of the any interface, any source IP address, and a destination IP address of the internal static NAT FTP server.
• Source Interface: Public
• Destination Interface: Private
• Protocol: TCP
• Source Ports
• Destination Ports
• Destination IP Address: your FTP server internal address
Figure 7-6 - Filter Exception for Outbound FTP Control Port Responses
The filter exception shown in Figure 7-6 allows the FTP control port responses back from an internal FTP server via a Static NAT connection. Note that ACK bit filtering has been enabled.
• Source Interface: Private
• Destination Interface: Public
• Protocol: TCP
• Source ports
• Destination port
• ACK Bit Filtering: Enabled
• Source IP Address: your FTP server internal address
Figure 7-7 - Filter Exception to Allow Outbound FTP Data Port Responses
The filter exception shown in Figure 7-7 allows outbound FTP data responses from an internal FTP server. Note that ACK bit filtering has NOT been enabled.
• Source Interface: Private
• Destination Interface: Public
• Protocol: TCP
• Source ports
• Destination port
• Source IP Address: your FTP server internal address
An alternative to having two filter exceptions for the two outbound source ports would be to have a single exception covering both source ports but not enable ACK bit filtering on it. If you enabled ACK bit filtering on the outbound data-port exception, your FTP data connections will fail.
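As an added example (not code from this book or from Novell), the following Python models the exception fields used in these lists and checks the packets of an active-mode FTP transfer against a static NAT exception set shaped like Figures 7-5 to 7-7; it also shows the caveat above (ACK bit filtering on the data-port exception breaks transfers) and why ACK bit filtering belongs on response exceptions at all. The ports 20 and 21, the 1024-65535 high-port range, and every IP address are assumed or constructed values.

```python
"""Toy evaluator for BorderManager-style filter exceptions.

Added example, not code from the book or from Novell. It models the fields
the exception lists use (interfaces, protocol, port ranges, IP addresses,
ACK bit filtering) under a default-deny policy. Assumed values: FTP control
port 21, data port 20, high ports 1024-65535; all addresses are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HIGH = (1024, 65535)  # assumed range of client "high" ports


@dataclass(frozen=True)
class Packet:
    src_if: str        # interface the packet arrives on: "Public" or "Private"
    dst_if: str        # interface it would leave on
    proto: str         # "TCP" or "UDP"
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    ack: bool = False  # TCP ACK flag; a bare SYN has it clear


@dataclass(frozen=True)
class FilterException:
    src_if: str
    dst_if: str
    proto: str
    src_ports: Tuple[int, int]    # inclusive range
    dst_ports: Tuple[int, int]
    src_ip: Optional[str] = None  # None means "Any"
    dst_ip: Optional[str] = None
    ack_only: bool = False        # "ACK Bit Filtering: Enabled"

    def matches(self, p: Packet) -> bool:
        if (self.src_if, self.dst_if, self.proto) != (p.src_if, p.dst_if, p.proto):
            return False
        if not self.src_ports[0] <= p.src_port <= self.src_ports[1]:
            return False
        if not self.dst_ports[0] <= p.dst_port <= self.dst_ports[1]:
            return False
        if self.src_ip is not None and self.src_ip != p.src_ip:
            return False
        if self.dst_ip is not None and self.dst_ip != p.dst_ip:
            return False
        # ACK bit filtering: only packets of an already-open connection pass,
        # so this exception can never be used to open a new connection.
        return p.ack or not self.ack_only


def permitted(rules: List[FilterException], p: Packet) -> bool:
    """Default deny: the packet passes only if some exception matches it."""
    return any(r.matches(p) for r in rules)


FTP_SERVER = "192.168.10.5"  # constructed internal (static NAT) address
CLIENT = "203.0.113.7"       # constructed Internet client address

# Inbound control and data ports (shape of Figure 7-5), non-stateful.
ftp_in = FilterException("Public", "Private", "TCP", HIGH, (20, 21), dst_ip=FTP_SERVER)
# Control-port responses (shape of Figure 7-6): ACK bit filtering enabled.
ftp_ctl_out = FilterException("Private", "Public", "TCP", (21, 21), HIGH,
                              src_ip=FTP_SERVER, ack_only=True)
# Data-port responses (shape of Figure 7-7): ACK bit filtering NOT enabled,
# because in active mode the server itself opens the data connection.
ftp_data_out = FilterException("Private", "Public", "TCP", (20, 20), HIGH,
                               src_ip=FTP_SERVER, ack_only=False)
FTP_RULES = [ftp_in, ftp_ctl_out, ftp_data_out]

# The packets that matter in an active-mode transfer (constructed).
CONTROL_SYN = Packet("Public", "Private", "TCP", CLIENT, FTP_SERVER, 40001, 21)
CONTROL_SYNACK = Packet("Private", "Public", "TCP", FTP_SERVER, CLIENT, 21, 40001, ack=True)
DATA_SYN = Packet("Private", "Public", "TCP", FTP_SERVER, CLIENT, 20, 40002)
DATA_ACK = Packet("Public", "Private", "TCP", CLIENT, FTP_SERVER, 40002, 20, ack=True)


def ftp_session_verdicts(rules: List[FilterException] = FTP_RULES) -> Dict[str, bool]:
    """Verdict per packet; every value is True with the exception set above."""
    return {
        "control SYN in": permitted(rules, CONTROL_SYN),
        "control SYN/ACK out": permitted(rules, CONTROL_SYNACK),
        "data SYN out from port 20": permitted(rules, DATA_SYN),
        "data ACK in": permitted(rules, DATA_ACK),
    }


def verdicts_with_ack_filtering_on_port_20() -> Dict[str, bool]:
    """The book's caveat: ACK bit filtering on the source port 20 exception
    drops the server's data-connection SYN, so transfers fail."""
    wrong = FilterException("Private", "Public", "TCP", (20, 20), HIGH,
                            src_ip=FTP_SERVER, ack_only=True)
    return ftp_session_verdicts([ftp_in, ftp_ctl_out, wrong])


def server_can_open_connection_to_high_port() -> bool:
    """Why response exceptions get ACK bit filtering: a bare SYN from the
    internal host to a high port on the Internet must not match them."""
    probe = Packet("Private", "Public", "TCP", FTP_SERVER, "198.51.100.9", 21, 5000)
    return permitted([ftp_ctl_out], probe)  # False
```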
GroupWise Remote Client
Should you desire to make a GroupWise client/server connection using the GroupWise Remote Client instead of using WebAccess or POP3, you can set up Static NAT between a secondary IP address on the BorderManager public interface and an internal GroupWise POA server. Next, allow the TCP destination port in and the responses back out with the following two filter exceptions.
Figure 7-8 - Filter Exception for Inbound GroupWise Remote Client
The filter exception shown in Figure 7-8 allows inbound GroupWise Remote client traffic through static NAT to the host specified at the destination IP address.
• Source Interface: Public
• Destination Interface: Private
• Protocol: TCP
• Source Ports
• Destination Port
• Destination IP Address: your GroupWise POA internal address
Figure 7-9 - Filter Exception for Outbound GroupWise Remote Client Responses
The filter exception shown in Figure 7-9 allows outbound GroupWise Remote Client responses from an internal host at the specified source IP address to respond to inbound requests. Note that the ACK bit has been set.
• Source Interface: Private
• Destination Interface: Public
• Protocol: TCP
• Source port
• Destination ports
• ACK Bit Filtering: Enabled
• Source IP Address: your GroupWise POA internal address
GroupWise Web Access Spell Check
WebAccess, whether provided via Static NAT or Reverse HTTP Proxy, uses a different port number for the spell check function. Note that if you use reverse HTTP Proxy for WebAccess, you must use a Generic TCP Proxy for the spell check function. This example is for GroupWise Enhancement Pack WebAccess, which uses the Collexion spell check application. Collexion defaults to listening on a single TCP destination port. As usual for Static NAT, two exceptions are needed, one for inbound traffic and one for outbound responses.
Figure 7-10 - Filter Exception for Inbound Collexion Spell Check Requests
The filter exception shown in Figure 7-10 allows inbound spell check traffic through static NAT on the standard port number used by Collexion to a spell check agent at the specified internal destination IP address.
• Source Interface: Public
• Destination Interface: Private
• Protocol: TCP
• Source Ports
• Destination Ports
• Destination IP Address: your Collexion server internal address
Figure 7-11 - Filter Exception for Outbound Collexion Spell Check Responses
The filter exception shown in Figure 7-11 allows outbound spell check responses from the Collexion spell check application running on an internal mail server at the specified source IP address. Note that ACK bit filtering has been enabled.
• Source Interface: Private
• Destination Interface: Public
• Protocol: TCP
• Source ports
• Destination port
• ACK Bit Filtering: Enabled
• Source IP Address: your Collexion/WebAccess server internal address
IMAP
IMAP is a mail access protocol. The following pair of filter exceptions allows a user on the Internet to access an internal mail server using the IMAP protocol.
Figure 7-12 - Filter Exception for Inbound IMAP
The filter exception shown in Figure 7-12 allows inbound IMAP traffic through static NAT to an internal mail server at the specified destination IP address.
• Source Interface: Public
• Destination Interface: Private
• Protocol: TCP
• Source Ports
• Destination Port
• Destination IP Address: your IMAP server internal address
Figure 7-13 - Filter Exception for Outbound IMAP Responses
The filter exception shown in Figure 7-13 allows outbound IMAP responses from a mail server at the specified source IP address. Note that ACK bit filtering has been enabled.
• Source Interface: Private
• Destination Interface: Public
• Protocol: TCP
• Source port
• Destination ports
• ACK Bit Filtering: Enabled
• Source IP Address: your IMAP server internal address
Lotus Notes Clients
This filter exception can be used to allow Lotus Notes clients on the Internet to communicate with a Lotus Notes server through a static NAT connection.
Figure 7-14 - Filter Exception for Inbound Lotus Notes Client
The filter exception in Figure 7-14 allows inbound Lotus Notes client traffic through static NAT to a Notes server at the specified internal IP address.
• Source Interface: Public
• Destination Interface: Private
• Protocol: TCP
• Source Ports
• Destination Port
• Destination IP Address: your Notes server internal address
Figure 7-15 - Filter Exception for Outbound Lotus Notes Client Responses
The filter exception shown in Figure 7-15 allows an internal Lotus Notes server at the specified source IP address to respond to inbound Notes Client traffic. Note that ACK bit filtering has been enabled.
• Source Interface: Private
• Destination Interface: Public
• Protocol: TCP
• Source port
• Destination ports
• ACK Bit Filtering: Enabled
• Source IP Address: your Notes server internal address
Microsoft Terminal Server
This pair of exceptions allows you to connect to a Microsoft Windows Terminal Server via Static NAT.
Figure 7-16 - Filter Exception for Inbound Microsoft Terminal Server
The filter exception shown in Figure 7-16 allows inbound Microsoft Terminal Server client requests through Static NAT to an internal Terminal Server at the specified destination IP address.
• Source Interface: Public
• Destination Interface: Private
• Protocol: TCP
• Source Ports
• Destination Ports
• Destination IP Address: your Terminal Server internal address
Figure 7-17 - Filter Exception for Outbound Terminal Server Responses
The filter exception shown in Figure 7-17 allows an internal Microsoft Terminal Server at the specified source IP address to respond to inbound client requests. Note that ACK bit filtering is enabled.
• Source Interface: Private
• Destination Interface: Public
• Protocol: TCP
• Source port
• Destination ports
• ACK Bit Filtering: Enabled
• Source IP Address: your Terminal Server internal address
pcANYWHERE
This example covers several pcANYWHERE versions running from a Windows PC to a Windows NT server running pcANYWHERE. The same exceptions may work with all other versions of pcANYWHERE. It appears that pcANYWHERE tries to locate a TCP/IP-based host using a UDP port. If it doesn’
Locating Internal pcANYWHERE Host with UDP port 5632
Figure 7-18 - Filter Exception for Inbound pcANYWHERE Location Protocol
The filter exception shown in Figure 7-18 allows pcANYWHERE inbound ‘location’ traffic to an internal pcANYWHERE host.
• Source Interface: Public
• Destination Interface: Private
• Protocol: UDP
• Source Ports
• Destination Port
• Destination IP Address: your pcANYWHERE host internal address
Figure 7-19 - Filter Exception for Outbound pcANYWHERE Location Responses
The filter exception shown in Figure 7-19 allows pcANYWHERE outbound ‘location’ traffic from an internal pcANYWHERE host.
• Source Interface: Private
• Destination Interface: Public
• Protocol: UDP
• Source port
• Destination ports
• Source IP Address: your pcANYWHERE host internal IP address
Data Transfer Between pcANYWHERE Hosts using TCP port 5631
The previous example showed how to set up UDP filter exceptions to allow an internal pcANYWHERE host to be found from the Internet. Once the host is located, a TCP connection using port 5631 must be established to actually perform the remote control functions.
Figure 7-20 - Filter Exception for Inbound pcANYWHERE Data
The filter exception shown in Figure 7-20 allows inbound pcANYWHERE data to the internal pcANYWHERE host through static NAT.
• Source Interface: Public
• Destination Interface: Private
• Protocol: TCP
• Source Ports
• Destination Port
• Destination IP Address: your pcANYWHERE host internal IP address
Figure 7-21 - Filter Exception for Outbound pcANYWHERE Data Responses
The filter exception shown in Figure 7-21 allows outbound data from the internal pcANYWHERE host using protocol TCP, source port 5631, a range of destination ports, and a source IP address equal to the static NAT internal IP address of the internal pcANYWHERE host.
• Source Interface: Private
• Destination Interface: Public
• Protocol: TCP
• Source port
• Destination ports
• ACK Bit Filtering: Enabled
• Source IP Address: your pcANYWHERE host internal IP address
Alternative - Locating Internal pcANYWHERE Host with UDP port 22
If for some reason you cannot or do not wish to allow UDP port 5632 in and out of your network, you can follow these examples for using UDP port 22 instead (or in addition to).
Figure 7-22 - Filter Exception for Inbound Older pcANYWHERE Location Protocol
The filter exception shown in Figure 7-22 shows an alternative to allowing UDP port 5632. It allows inbound ‘location’ traffic using the obsolete pcANYWHERE UDP port 22 to an internal pcANYWHERE host through static NAT.
• Source Interface: Public
• Destination Interface: Private
• Protocol: UDP
• Source Ports
• Destination Port
• Destination IP Address: your pcANYWHERE host internal IP address
Figure 7-23 - Filter Exception for Outbound Older pcANYWHERE Location Protocol Responses
The filter exception shown in Figure 7-23 shows the second half of the UDP port 22 alternative. It allows outbound traffic using the obsolete pcANYWHERE location protocol (UDP port 22) from an internal pcANYWHERE host.
• Source Interface: Private
• Destination Interface: Public
• Protocol: UDP
• Source port
• Destination ports
• Source IP Address: your pcANYWHERE host internal address
POP3
The following example shows how to allow POP3 mail traffic to be requested by a host on the Internet to an internal mail server using static NAT.
Figure 7-24 - Filter Exception for Inbound POP3 Requests to Internal Mail Server
The filter exception shown in Figure 7-24 allows inbound POP3 mail requests to an internal host at the specified IP address.
• Source Interface: Public
• Destination Interface: Private
• Protocol: TCP
• Source Ports
• Destination Port
• Destination IP Address: your POP3 mail server internal IP address
Figure 7-25 - Filter Exception for Outbound POP3 Responses from Internal Mail Server
The filter exception shown in Figure 7-25 allows an internal mail server at the specified IP address to send POP3 replies. Note that ACK bit filtering has been enabled.
• Source Interface: Private
• Destination Interface: Public
• Protocol: TCP
• Source port
• Destination ports
• Source IP Address: your POP3 mail server internal IP address
SMTP
The following examples show how to allow SMTP mail traffic to and from an internal SMTP mail server using static NAT. It is often a good idea to further restrict this static NAT traffic to only allow communications between the internal host and the ISP’s mail server.
If the ISP has multiple mail servers, set up filter exceptions for each of their mail server IP addresses. Restricting SMTP traffic to only the ISP’s mail servers will help prevent someone from using your mail server as a mail relay host (for spamming purposes). Your SMTP mail server might also need to make DNS queries, and depending on how you have DNS services set up on your network, you may also need to add outbound DNS filter exceptions (one outbound plus one return traffic exception) for the internal SMTP server IP address.
Figure 7-26 - Filter Exception for Inbound SMTP
The filter exception shown in Figure 7-26 allows anyone to send SMTP mail to the internal SMTP mail server. This filter exception allows protocol TCP with any source port and the SMTP destination port, to a destination IP address set to the static NAT internal IP address used by an SMTP mail server.
• Source Interface: Public
• Destination Interface: Private
• Protocol: TCP
• Source Ports
• Destination Port
• Destination IP Address: your SMTP mail server internal address
Note: Here is where you might want to add your ISP's mail server IP address as a Source IP address.
Figure 7-27 - Filter Exception for Outbound SMTP Responses
The filter exception shown in Figure 7-27 allows the SMTP mail host to respond to SMTP requests coming in. This filter exception allows protocol TCP with the SMTP source port and a range of destination ports, from a source IP address equal to the static NAT internal IP address of an SMTP mail server. Set the destination IP address equal to the SMTP server of your ISP if you want to allow communications only to your ISP’s mail server(s). Note that ACK bit filtering has been enabled.
• Source Interface: Private
• Destination Interface: Public
• Protocol: TCP
• Source port
• Destination ports
• ACK Bit Filtering: Enabled
• Source IP Address: your SMTP server internal address
Figure 7-28 - Filter Exception for Outbound SMTP
The filter exception shown in Figure 7-28 allows the internal SMTP mail server to send SMTP mail. Please observe that the filter is also applied to the internal IP address and not the public IP address called out in the static NAT table. The filter exception allows protocol TCP with any source port and the SMTP destination port, from an IP address set to the static NAT internal IP address of an SMTP server.
• Source Interface: Private
• Destination Interface: Public
• Protocol: TCP
• Source Ports
• Destination Port
• Destination IP Address: your SMTP server internal address
Figure 7-29 - Filter Exception for Inbound SMTP Responses
The filter exception shown in Figure 7-29 allows the internal SMTP mail host to receive responses to SMTP requests going out. This filter exception allows protocol TCP with the SMTP source port and a range of destination ports, from any source IP address, to a destination IP address equal to the static NAT internal IP address of an SMTP mail server. Set the source IP address equal to the SMTP server of your ISP if you want to allow communications only to your ISP’s mail server(s).
• Source Interface: Public
• Destination Interface: Private
• Protocol: TCP
• Source port
• Destination ports
• ACK Bit Filtering: Enabled
• Destination IP Address: your SMTP server internal address
Note: If you are using GWIA for your SMTP mail server, you need to put a ROUTE.CFG file in the DOMAIN\WPGATE\GWIA directory. Check the Novell Knowledgebase for details on this.
VNC
VNC is a free, open source remote control program that can be run on a variety of platforms. See http://www.uk.research.att.com/vnc. This example shows how to allow VNC to an internal host through Static NAT. Up to 10 VNC console sessions at once are allowed.
Figure 7-30 - Filter Exception for Inbound VNC Console Connections 1-10
The filter exception shown in Figure 7-30 allows inbound VNC Viewer traffic through static NAT to an internal host at the specified destination IP address.
• Source Interface: Public
• Destination Interface: Private
• Protocol: TCP
• Source Ports
• Destination Ports
• Destination IP Address: your VNC server internal address
Figure 7-31 - Filter Exception for Outbound VNC Responses
The filter exception shown in Figure 7-31 allows an internal VNC server at the specified source IP address to respond to inbound VNC Viewer requests. Note that ACK bit filtering has been enabled.
• Source Interface: Private
• Destination Interface: Public
• Protocol: TCP
• Source ports
• Destination ports
• ACK Bit Filtering: Enabled
• Source IP Address: your VNC server internal address
Note: Should you wish to make your internal VNC host accessible via web browser, you will also need to allow TCP destination ports 5800-5809, and TCP destination port 80 in, and the appropriate responses out. (TCP destination port 80 could be allowed via filter exceptions or reverse proxy).
Web Servers
If you cannot use Reverse Proxy to make an internal web server available to the Internet, the following example will make a web server accessible via static NAT. An additional pair of exceptions for HTTPS/SSL (its TCP destination port) might also be required. One reason to use static NAT instead of reverse proxy is that software virtual web servers (multiple web servers sharing the same IP address) are not supported with Reverse Proxy.
HTTP to Internal Web Server
Figure 7-32 - Filter Exceptions for Inbound HTTP to Web Server
The filter exception shown in Figure 7-32 allows inbound web traffic on the standard HTTP port number through static NAT to an internal web server at the specified destination IP address.
• Source Interface: Public
• Destination Interface: Private
• Protocol: TCP
• Source ports
• Destination port
• Destination IP Address: your web server internal address
Figure 7-33 - Filter Exception for Outbound HTTP Responses
The filter exception shown in Figure 7-33 allows an internal web server at the specified source IP address to respond to HTTP requests on the standard port. Note that ACK bit filtering has been enabled.
• Source Interface: Private
• Destination Interface: Public
• Protocol: TCP
• Source port
• Destination ports
• ACK Bit Filtering: Enabled
• Source IP Address: your web server internal address
HTTPS /SSL to Internal Web Server
Figure 7-34 - Filter Exception for Inbound HTTPS / SSL
The filter exception shown in Figure 7-34 allows inbound HTTPS/SSL traffic through static NAT to an internal host at the specified destination IP address.
• Source Interface: Public
• Destination Interface: Private
• Protocol: TCP
• Source ports: …
• Destination port: …
• Destination IP Address: your web server internal address
Figure 7-35 - Filter Exception for Outbound HTTPS Responses
The filter exception shown in Figure 7-35 allows HTTPS/SSL responses from an internal host at the specified source IP address to inbound requests. Note that ACK bit filtering has been enabled.
• Source Interface: Private
• Destination Interface: Public
• Protocol: TCP
• Source port: …
• Destination ports: …
• ACK Bit Filtering: Enabled
• Source IP Address: your web server internal address
Chapter 8 BorderManager 2.1 – Stateful Filters Alternative
…'s say port …. Your host expects to see a reply to that destination port when a return packet comes back. Outbound: source port …, destination port …. Inbound reply traffic: source port …, destination port …. The originating host (PC) will pick a "high" port number at random, and that port number can be anywhere between port … and port …. You therefore must set up a Dynamic/UDP filter exception on your Public IP address to allow all packets between port … and port … into your network. You could set up one filter exception allowing Any source port, or restrict the source port to port … only. Restricting the source port to specific port numbers will enhance security, but it will also require you to set up a new Dynamic/UDP or Dynamic/TCP exception for each outbound port number you wish to allow.
The best security using packet filter exceptions in BorderManager 2.1 for inbound traffic will be to set up individual filter exceptions for each type of return traffic. Specify the source port (usually the same as the destination port of the outgoing traffic) as well as a range of destination ports from …. In addition, when the traffic is intended only to go to and from known hosts, add a source IP address to the filter. An example would be to allow SMTP return traffic only from TCP source port …, destination ports …, and source IP address equal to your ISP's mail server IP address. This will require a separate filter exception for each mail server used at the ISP. This short example also addresses only return traffic in an SMTP conversation, not inbound SMTP mail itself. Inbound SMTP mail would require another set of filter exceptions for each of the ISP's mail servers, using TCP destination port … and requiring the source ports to be in the range of …. One begins to see that BorderManager filter exceptions get to be complex in the absence of stateful filters, as several related filter exceptions are needed to allow traffic out and only the desired return traffic back in. Keep good notes!
Generic Exception for TCP Return Traffic
If you do not want to set up individual filter exceptions to allow return TCP traffic for each application through BorderManager 2.1, you can set up a single filter exception that will allow almost all of your outgoing TCP traffic to receive a response.
Figure 8-1 - Generic TCP Filter Exception to Allow All Return Traffic
Apply the built-in Dynamic/TCP filter definition to allow all TCP high ports. This filter exception allows destination TCP ports …, all source ports, with a source interface of the public interface and a destination interface of the private interface.
Generic Exception for UDP Return Traffic
If you do not want to set up individual filter exceptions to allow return UDP traffic for each application through BorderManager 2.1, you can set up a single filter exception that will allow almost all of your outgoing UDP traffic to receive a response.
Figure 8-2 - Generic UDP Filter Exception to Allow All Return Traffic
Apply the built-in Dynamic/UDP filter definition to allow all UDP high ports. This filter exception allows destination UDP ports …, all source ports, with a source interface of the public interface and a destination interface of the private interface.
Chapter 9 - Advanced Topics
This chapter is not really for beginners; it assumes the reader has understood the previous sections in detail. The sections here are for people who want the most control and security over their Internet connection, and really know what their applications are doing.
Basic Improvement - Enhance the Security of the Default Exceptions
As discussed earlier in the book, in the section on ACK bit filtering, the default Dynamic/TCP filter exception does not enable ACK bit filtering. I believe this is because the default exceptions were held over from an earlier BorderManager release, when ACK bit filtering was not available. You can significantly enhance the security of your BorderManager server by either converting the existing Dynamic/TCP exception to use ACK bit filtering, or by replacing it with your own custom exception.
CAUTION If you change or replace the default Dynamic/TCP exception to enable ACK bit filtering, you will have to add custom filter exceptions for any inbound TCP high port connections to generic proxies, and services listening on the server’s public IP address (such as RCONAG if you want to allow that).
Why should this relatively simple change make a difference? Because there are services which run on NetWare that are listening on the public IP address(es). For instance, the CSATPXY.NLM used for logging purposes listens on TCP destination port …. Before a patch was implemented, there was a way to attack that port and cause a BorderManager server to ABEND. The SOCKS proxy may be listening on the public IP address at port …. Portal could be listening on ports … and …. The default Dynamic/TCP exception allowed connections to these ports to be made from the Internet, because it allowed all inbound traffic to the public IP address. Enabling ACK bit filtering prevents inbound connections, but allows inbound responses to connections made by the proxies.
Here is a very short description of how TCP connections are established, so that you can see why ACK bit filtering is important and useful. The way that TCP connections are set up is by what can be referred to as a SYN-ACK-ACK process. Three packets must be exchanged to establish the TCP connection. The first packet enables a SYN bit, but does not have the ACK (acknowledge) bit set. The host that receives such a packet (and wants to set up a connection on the requested port) returns a response with the ACK bit set, and a SYN bit as well. The original host (requesting the connection) sees the ACK bit (and other related fields) and sends back a third packet with the ACK bit set to acknowledge the connection. In this way, each host has acknowledged the other host and exchanged necessary information (in other fields not described here) so that further communication can take place. All further communications between these hosts will have the ACK bit set.
Only the first packet sent did NOT have an ACK bit set. Therefore, if we wish to prevent inbound connections, we filter for the presence of the ACK bit. We allow connections in the other direction to flow out without the ACK bit set, so that we can establish a connection. As long as the connection was initiated by our host, we allow the return responses, since they will have the ACK bit set.
Note that the examples in this book generally use ACK bit filtering for all response packets in the static NAT examples. In those cases we are actually applying ACK bit filtering in the reverse direction, allowing inbound connections only. This allows us to prevent our own internal hosts from making undesired outbound connections, which could be a security risk.
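As an added illustration (not from the book), here is a small Python model of the rule just described: a response-direction exception with ACK bit filtering passes only packets that already carry the ACK flag, so the opening SYN of an Internet-initiated connection is dropped while replies to connections our own side opened are let through. The 1024-65535 high port range comes from the book's Dynamic/TCP definition; the packets, port numbers and the inbound/outbound simplification are constructed for this example.

```python
from dataclasses import dataclass
from typing import Iterable, List

HIGH_PORTS = range(1024, 65536)   # high port range from the book's Dynamic/TCP definition
ANY_PORT = range(0, 65536)


@dataclass(frozen=True)
class Packet:
    inbound: bool    # True: arrives from the Internet on the public interface
    src_port: int
    dst_port: int
    syn: bool
    ack: bool


@dataclass(frozen=True)
class FilterException:
    inbound: bool                 # direction the exception applies to
    src_ports: range
    dst_ports: range
    ack_filtering: bool = False   # True: only packets with the ACK bit set match

    def matches(self, p: Packet) -> bool:
        if p.inbound != self.inbound:
            return False
        if p.src_port not in self.src_ports or p.dst_port not in self.dst_ports:
            return False
        # The ACK bit is what separates a reply from a new connection attempt:
        # every packet after the first SYN carries ACK, the first SYN does not.
        return p.ack or not self.ack_filtering


def decide(p: Packet, exceptions: Iterable[FilterException]) -> str:
    """The default filters deny everything; any matching exception allows."""
    return "ALLOW" if any(e.matches(p) for e in exceptions) else "DENY"


def handshake(initiated_inbound: bool, client_port: int, server_port: int) -> List[Packet]:
    """The SYN, SYN/ACK, ACK exchange described above, as three packets."""
    first = initiated_inbound
    return [
        Packet(first, client_port, server_port, syn=True, ack=False),       # SYN
        Packet(not first, server_port, client_port, syn=True, ack=True),    # SYN/ACK
        Packet(first, client_port, server_port, syn=False, ack=True),       # ACK
    ]


def evaluate(packets: Iterable[Packet], exceptions: Iterable[FilterException]) -> List[str]:
    exceptions = list(exceptions)
    return [decide(p, exceptions) for p in packets]


# The default Dynamic/TCP exception as the book describes it: any inbound packet
# to a high port is allowed, whether it is a reply or a new connection.
DEFAULT_DYNAMIC_TCP = FilterException(inbound=True, src_ports=ANY_PORT, dst_ports=HIGH_PORTS)
# The same exception with ACK bit filtering enabled: replies only.
DYN_ACK_TCP = FilterException(inbound=True, src_ports=ANY_PORT, dst_ports=HIGH_PORTS,
                              ack_filtering=True)
# An outbound exception so our own side can open HTTP connections (constructed).
OUTBOUND_HTTP = FilterException(inbound=False, src_ports=HIGH_PORTS, dst_ports=range(80, 81))

# Constructed scenario: a service on the server's public address listening on a high port.
LISTENING_HIGH_PORT = 2000

if __name__ == "__main__":
    ours = handshake(initiated_inbound=False, client_port=1500, server_port=80)
    theirs = handshake(initiated_inbound=True, client_port=3456, server_port=LISTENING_HIGH_PORT)
    print("our HTTP connection, hardened:", evaluate(ours, [DYN_ACK_TCP, OUTBOUND_HTTP]))
    print("Internet-initiated, default:  ", evaluate(theirs, [DEFAULT_DYNAMIC_TCP, OUTBOUND_HTTP]))
    print("Internet-initiated, hardened: ", evaluate(theirs, [DYN_ACK_TCP, OUTBOUND_HTTP]))
```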
Customizing the Default Dynamic/TCP Default Filter Exception
If you want to customize the default dynamic/TCP filter exception, you will need to edit the SYS:ETC\BUILTINS.CFG file. You should make backup copies of the SYS:ETC\BUILTINS.CFG and SYS:ETC\FILTERS.CFG files before making these changes. Should something go wrong and you want to put the old set of exceptions back in place, UNLOAD IPFLT, copy the files back in, then REINITIALIZE SYSTEM.
Note: Also, see the section in the Odds & Ends chapter called Fixing the BorderManager 3.5 POP3-ST Definition.
Step 1: The SYS:ETC\BUILTINS.CFG file is a text file flagged read-only, so you must first flag it as normal in order to edit it. Change to the SYS:ETC directory and execute:
FLAG SYS:ETC\BUILTINS.CFG N
That should change the status to normal.
Step 2: Next, use a text editor (Notepad will do) to change the one line in the file for Dynamic/TCP from:
PROTOCOL-SERVICE IP, dynamic/tcp, pid=TCP port=1024-65535 srcport=, Dynamic Destination Ports Over TCP
to (adding the text ackfilt=1 as shown below):
PROTOCOL-SERVICE IP, dynamic/tcp, pid=TCP port=1024-65535 srcport= ackfilt=1, Dynamic Destination Ports Over TCP
Note: Do not add a comma before the 'ackfilt=1'.
Step 3: Unload IPFLT.NLM and then Reinitialize System.
Step 4: Go into FILTCFG.NLM, select the old default exception, and if necessary select the Dynamic/TCP definition again and save the exception. If you have put in a customized dyn/ack/tcp exception as shown in an earlier section of this book, the name of the definition may change when you save the filter exception. You may need to check other filter exceptions as well if you had called out the Dynamic/TCP definition in some custom exception you made earlier. Be sure to do some testing after making this kind of change, especially for any inbound traffic.
CAUTION If you modify the built-in definition for the Dynamic/TCP exception, and reapply the default filters with BRDCFG, you will probably have an incomplete definition where the Dynamic/TCP exception should be. Be sure to go into FILTCFG, and review the default exceptions and be sure you have a Dynamic/TCP exception. If you do NOT modify the built-in Dynamic/TCP exception and use BRDCFG, you will end up with the original Dynamic/TCP exception, and you will need to go into FILTCFG and replace it with a custom DYN/ACK./TCP exception. Therefore, no matter what you do here, you need to review your exceptions after running BRDCFG again. If you are truly paranoid about this becoming a problem, delete or rename BRDCFG.NLM so it cannot be run.
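The same BUILTINS.CFG edit done by a script rather than Notepad, as an added example that is not from the book: it inserts ackfilt=1 before the comma on the dynamic/tcp PROTOCOL-SERVICE line, leaves an already converted line alone, and flags the comma mistake the note above warns about. The sample lines are the before and after lines quoted in Step 2; the .BAK backup name and the file handling are this example's own assumptions.

```python
import re
import shutil
from pathlib import Path
from typing import Tuple

# The one line the book says to change. Group 1 ends at "srcport=<value>",
# group 2 is the comma and the description that follow it.
DYNAMIC_TCP_LINE = re.compile(
    r"^(PROTOCOL-SERVICE\s+IP,\s*dynamic/tcp,\s*pid=TCP\s+port=\S+\s+srcport=\S*?)(,.*)$"
)
# The mistake the note warns about: a comma placed before ackfilt=1.
WRONG_COMMA = re.compile(r"srcport=\S*?,\s*ackfilt=1")

# Lines quoted in the book, used here as sample input and expected output.
BEFORE = ("PROTOCOL-SERVICE IP, dynamic/tcp, pid=TCP port=1024-65535 srcport=, "
          "Dynamic Destination Ports Over TCP")
AFTER = ("PROTOCOL-SERVICE IP, dynamic/tcp, pid=TCP port=1024-65535 srcport= ackfilt=1, "
         "Dynamic Destination Ports Over TCP")


def convert_line(line: str) -> str:
    """Insert ' ackfilt=1' (no comma) before the description; other lines pass through."""
    if "ackfilt=1" in line:          # already converted: leave it unchanged
        return line
    m = DYNAMIC_TCP_LINE.match(line)
    if m is None:
        return line
    return f"{m.group(1)} ackfilt=1{m.group(2)}"


def check_line(line: str) -> str:
    """Classify the dynamic/tcp line so the edit can be verified afterwards."""
    if WRONG_COMMA.search(line):
        return "comma-before-ackfilt"
    if "dynamic/tcp" not in line:
        return "other"
    return "ack-filtering-enabled" if "ackfilt=1" in line else "not-converted"


def convert_builtins(text: str) -> Tuple[str, int]:
    """Convert a whole BUILTINS.CFG text; returns (new text, number of lines changed)."""
    out, changed = [], 0
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        newline = line[len(body):]
        converted = convert_line(body)
        changed += converted != body
        out.append(converted + newline)
    return "".join(out), changed


def convert_file(path: Path) -> int:
    """Back the file up next to it (.BAK, an assumed name), then rewrite it in place.

    Assumes the file has already been flagged normal (Step 1) and that the
    caller will unload IPFLT and reinitialize the system afterwards (Step 3)."""
    shutil.copy2(path, path.with_suffix(".BAK"))
    text, changed = convert_builtins(path.read_text())
    if changed:
        path.write_text(text)
    return changed


if __name__ == "__main__":
    print(convert_line(BEFORE))
    print(check_line(convert_line(BEFORE)))
```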
More Security - A DMZ Scenario
[Figure 9-1 diagram: BorderManager 3-NIC DMZ scenario IP addressing. Public interface=PUBLIC, Private interface=PRIVATE, DMZ interface=DMZ. Default route=4.3.2.1. All networks use Class C subnet mask 255.255.255.0. The diagram shows: the Internet (your ISP) and the WAN link to the ISP; the Router; the External LAN (public) with registered public IP addresses, where the PUBLIC interface is 4.3.2.254 (255.255.255.0) and 4.3.2.253 and 4.3.2.251 are also shown; the Firewall, a Novell BorderManager 3.x server with 3 network cards; the DMZ LAN (private IP addresses) with the DMZ interface at 192.168.20.254 (255.255.255.0) and a host at 192.168.20.1; the Public Web Server in the DMZ (Static NAT to 4.3.2.251); the Mail Server (Static NAT to 4.3.2.253); the Internal network (private IP addresses) with the PRIVATE interface at 192.168.10.252 (255.255.255.0), a host at 192.168.10.250 and PCs. Internal hosts have a default route of 192.168.10.252.]
Figure 9-1 - DMZ with Three Network Cards, IP Addressing Diagram
In the example in this section, I have configured a server with three network cards, called PUBLIC, PRIVATE and DMZ. Figure 9-1 shows the IP addressing used for the example.
Step 1 – Set Filters on the DMZ NIC
I initially ran the BRDCFG program against the IP address assigned to PUBLIC. That produced a set of default filters that blocked all traffic to and from PUBLIC, while setting up the usual filter exceptions as well. Next, I applied BRDCFG again, selecting the IP address assigned to DMZ. This had the effect of adding another set of filters and exceptions for the DMZ interface. Finally, I deleted all the default filter exceptions for the DMZ address that were added by BRDCFG. I was therefore left with:
• filters blocking all traffic to and from the PUBLIC interface
• filters blocking all traffic to and from the DMZ interface
• default exceptions for selected traffic to and from the PUBLIC IP address
Figure 9-2 - Filters Applied for PUBLIC and DMZ Interfaces
In the example shown in Figure 9-2, you can see the filters (not exceptions) which block traffic for both the PUBLIC and DMZ interfaces.
Step 2 – Open Filter Exceptions for Inbound Traffic from the Internet to the DMZ
In this example, I have set up exceptions for a standalone web server residing in the DMZ segment at IP address …. Access to the web server is being allowed through static NAT. Therefore, HTTP traffic is being allowed in from the PUBLIC interface through the DMZ interface to the web server. Another filter exception allows outbound HTTP responses.
Figure 9-3 - Filter Exception to Allow Inbound HTTP to DMZ Web Server from the Internet
The filter exception shown in Figure 9-3 allows inbound HTTP via Static NAT across the PUBLIC interface to the DMZ web server at IP address ….
• Source Interface: PUBLIC
• Destination Interface: DMZ
• Protocol: TCP
• Source Ports: …
• Destination Port: …
• Source IP Address: Any
• Destination IP Address: web server DMZ IP address
Figure 9-4 - Filter Exception to Allow Outbound HTTP Responses from DMZ Web Server to the Internet
The filter exception shown in Figure 9-4 allows outbound HTTP responses from a DMZ web server at IP address … to hosts on the Internet. ACK bit filtering has been enabled.
• Source Interface: DMZ
• Destination Interface: PUBLIC
• Protocol: TCP
• Source Port: …
• Destination Ports: …
• ACK Bit Filtering: Enabled
• Source IP Address: web server DMZ IP address
• Destination IP Address: Any
Step 3 – Open Filter Exceptions for Outbound Traffic from the Internal LAN to the DMZ
Two stateful filter exceptions are set up to allow HTTP and FTP traffic from the internal LAN to the DMZ. The purpose of the HTTP exception is to allow the web server to be seen from the internal LAN. The purpose of the FTP exception is to allow FTP to be used to push web site updates to the web server. No other exceptions are set up, which means that the web server cannot initiate any contact with the internal LAN. The web server also cannot initiate any contact to the Internet.
Note: All of these exceptions should call out the PRIVATE interface as a source interface, to ensure that traffic is allowed only from the internal network, and not from the Internet.
Figure 9-5 - Filter Exception to Allow HTTP to DMZ Web Server from Internal LAN
The filter exception shown in Figure 9-5 allows a PC on the internal LAN to browse to the web server in the DMZ at IP address ….
• Source Interface: PRIVATE
• Destination Interface: DMZ
• Protocol: TCP
• Source Port: …
• Destination Ports: …
• Stateful Filtering: Enabled
• Source IP Address: Any
• Destination IP Address: web server DMZ IP address
Note: With the filter exceptions shown in this example, even the HTTP Proxy could not be used to browse to the web server, because the default filter exceptions set up by BRDCFG for the DMZ were deleted. In order to use the HTTP Proxy to browse to the web server, change the filter exception above to call out a source interface of 192.168.20.254 (the BorderManager server DMZ IP Address).
Figure 9-6 - Filter Exception to Allow FTP to DMZ Web Server from Internal LAN
The filter exception shown in Figure 9-6 allows a PC on the internal LAN to make FTP connections to the web server in the DMZ at IP address …. The purpose is to use FTP to push updates to the web server.
• Source Interface: PRIVATE
• Destination Interface: DMZ
• Protocol: TCP
• Source Ports: …
• Destination Ports: …
• Stateful Filtering: Enabled
• Source IP Address: Any
• Destination IP Address: web server DMZ IP address
Note: The built-in ftp-port-pasv-st definition was used for this example.
Most Security - Completely Customized Filter Exceptions
If you are the type of person who wants complete control of every packet going across your BorderManager server, this section is for you. You are the type of person who understands every application that wants to access the Internet, and are willing to open one or more custom exceptions for each application to allow it. You have no problem deleting ALL the custom exceptions and dealing with the consequences. You probably have packet sniffing software and know how to use it. If you don't, go visit http://www.ethereal.com …
Allow Outbound HTTP for the HTTP Proxy Only
You will almost certainly wish to make use of the HTTP Proxy for browsing. The first step is to create a stateful filter exception to allow standard HTTP outbound from the public IP address of the BorderManager server only.
• Source interface: Public
• Destination interface: Public
• Protocol: TCP
• Source ports: …
• Destination ports: …
• Stateful: Enabled
• Source IP Address: BorderManager public IP address
• Destination IP Address: Any
The HTTP Proxy can now send requests to web servers on port 80 and receive responses.
Allow Outbound HTTPS / SSL for the HTTP Proxy Only
The first example allowed browsing, but not browsing to secure web sites, which generally use HTTPS/SSL. SSL uses TCP destination port 443, but unless you allow that type of traffic out, the default filters will block it. Create a stateful filter exception to allow standard HTTPS/SSL outbound from the public IP address of the BorderManager server only.
• Source interface: Public
• Destination interface: Public
• Protocol: TCP
• Source ports: …
• Destination ports: …
• Stateful: Enabled
• Source IP Address: BorderManager public IP address
• Destination IP Address: Any
The HTTP Proxy can now send requests to web servers on port 443 and receive responses.
Note: Strictly speaking, you could also now set up a Generic TCP Proxy to use port 443 as well.
Allow Non-Standard Ports Outbound for the Proxy Only
The two examples allowed browsing on both the standard HTTP and HTTPS ports, which will allow the HTTP Proxy to access the vast majority of web sites. However, many web sites on the Internet redirect browsers to other port numbers. For every one of these cases, you may have to find out what port numbers are being used and decide if you want to allow those port numbers by setting up additional stateful filter exceptions. One common port number in use is …. Another is …. There are many more. If you want to allow the HTTP Proxy to access a web site using …, use the following parameters in a custom filter exception:
• Source interface: Public
• Destination interface: Public
• Protocol: TCP
• Source ports: …
• Destination ports: …
• Stateful: Enabled
• Source IP Address: BorderManager public IP address
• Destination IP Address: Any
The HTTP Proxy can now send requests to web servers on port … and receive responses.
In a similar manner, you may wish to allow port numbers for the other proxies:

Destination Port Number    Proxy
TCP …                      Mail Proxy
TCP …                      News Proxy
UDP …                      DNS Proxy
TCP …                      RealAudio/RTSP Proxy
TCP …                      FTP Proxy
various TCP                Generic TCP Proxy
various UDP                Generic UDP Proxy
Blocking Chat Programs
… www.tucows.com. As of this writing, here are some of the IP addresses involved for popular Chat programs:
CAUTION You will have to constantly check these programs to see if new server addresses have been put into use.
Blocking AOL Instant Messenger (as of 11/18/2001)
AOL Instant Messenger relies on logging into a server at oscar.login.aol.com. All IP addresses assigned to this URL must be discovered and redirected. Add a Deny URL Access Rule for HTTP Proxy to this URL. AOL's login servers are on these subnets/addresses: … and …. Redirect them if necessary, if the Access Rule above does not prevent access.
Blocking MSN Messenger (as of 11/18/2001)
MSN Messenger relies on logging into a server at gateway.messenger.hotmail.com. Add a Deny URL Access Rule for HTTP Proxy to this URL. At the time of this writing, servers seemed to be changing, so it will probably be necessary to constantly check for new server addresses should a redirection technique become necessary. However, I was able to block all access with the Deny URL rule above and the default filter exceptions.
Blocking ICQ (as of 11/18/2001)
ICQ relies on logging into a server (login.icq.com and httpproxy.icq.com). (It was icq.mirabilis.com and login.icq.com previously.) Start by adding a Deny URL access rule for the URLs above, and be sure the default filters are in place. This may be adequate to block access to ICQ. Redirect the networks … and … and host …. As of November …, you may also need to redirect … at least. Again, you must constantly try to find out what IP addresses may be in use for the login servers, if redirection should become necessary.
Blocking Yahoo Messenger (as of 11/18/2001)
Add a Deny URL Access Rule to block msg.edit.yahoo.com for the HTTP Proxy. This and the default filters should prevent access to Yahoo Messenger.
Adding Dummy Static Routes
While it is easy to add a static route, you should realize that only certain IP addresses would work when entering the next hop IP address. If you should enter an incorrect address, the static route will be ignored and the Chat program will NOT be redirected. The address you choose should be an internal address, to be sure this technique will work.
• You must use an IP address in a directly-connected subnet. This means that if you have an internal interface with IP address … bound to it, you should use a next hop IP address in the ….x range.
• You cannot use the loopback address.
• You can use an IP address that is not actually assigned to a host. If you have no internal host at …, you can use that as a next hop as long as the … subnet is directly connected.
• Do not choose the address of your Internet router. If you do, it will simply send the packets on to the Chat server.
Note: The information on blocking chat programs may become dated quickly as companies like Microsoft update their networks and messaging software. This example shows how to redirect traffic with a dummy static route, but do not expect that the IP addressing involved here will still be valid when you read this. You may very well find that other login server names or IP addresses are being used, and you may have to use NSLOOKUP tools or sniffer traces to find that information. Check my web site at http://nscsysop.hypermart.net or the Novell public forums for the latest information available on actual IP addressing being used by these chat programs.
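An added check (not from the book) for the four next-hop rules above, written in Python with the standard ipaddress module: it reports which rules a candidate next hop for a dummy static route would break on a given server before you enter it in INETCFG. The interface bindings used in the test take the Figure 9-1 addressing; the candidate next hops are constructed.

```python
import ipaddress
from typing import Iterable, List, Tuple

Binding = Tuple[str, str]   # (IP address bound to a BorderManager NIC, subnet mask)


def next_hop_problems(next_hop: str, bindings: Iterable[Binding], internet_router: str) -> List[str]:
    """Return every rule the candidate next hop breaks; an empty list means it is usable.

    Rules (from the text): the hop must lie in a directly connected subnet, must not
    be the loopback address, may be an address no host actually uses, and must not
    be the Internet router, which would just forward the packets to the chat server."""
    hop = ipaddress.ip_address(next_hop)
    problems: List[str] = []
    if hop.is_loopback:
        problems.append("loopback address cannot be used")
    subnets = [ipaddress.ip_network(f"{addr}/{mask}", strict=False) for addr, mask in bindings]
    if not any(hop in net for net in subnets):
        problems.append("not in a subnet directly connected to the BorderManager server")
    if hop == ipaddress.ip_address(internet_router):
        problems.append("Internet router address: packets would be forwarded to the chat server")
    # Rule 3 needs no check: an unassigned address inside a connected subnet is fine.
    return problems


def is_usable_next_hop(next_hop: str, bindings: Iterable[Binding], internet_router: str) -> bool:
    return not next_hop_problems(next_hop, list(bindings), internet_router)


# Addressing from Figure 9-1: the PUBLIC, PRIVATE and DMZ bindings and the ISP router.
FIGURE_9_1_BINDINGS = [("4.3.2.254", "255.255.255.0"),
                       ("192.168.10.252", "255.255.255.0"),
                       ("192.168.20.254", "255.255.255.0")]
FIGURE_9_1_ROUTER = "4.3.2.1"

if __name__ == "__main__":
    # Constructed candidates: a free internal address, loopback, the router, an unconnected net.
    for candidate in ("192.168.10.7", "127.0.0.1", "4.3.2.1", "10.1.1.1"):
        print(candidate, next_hop_problems(candidate, FIGURE_9_1_BINDINGS, FIGURE_9_1_ROUTER) or "usable")
```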
Entering a static route in NetWare
LOAD INETCFG, go to Protocols, TCP/IP, and go into LAN Static Routing Table. Make entries for Network (with the network number) or HOST (with the Host IP Address), using a next hop of an IP address that is within a network directly attached to the BorderManager server. Here is an example for redirecting the MSN Messenger login server login.gateway.hotmail.com at IP address ….
Figure 9-7 - Dummy Static Route to Redirect MSN Messenger
The static route shown in Figure 9-7 redirects requests to the MSN Messenger login server at IP address … to a next hop of …. There is no host at IP address …, but the … subnet is bound to the BorderManager server. The BorderManager server has an IP address within the … subnet.
Chapter 10 Troubleshooting
There isn't a lot that goes wrong with packet filtering, assuming you have determined that you indeed have a packet filtering issue, but here are a few troubleshooting steps you can take.
Is It A Filtering Problem?
First, you must determine if you even have a packet filter problem. Normally this means you are filtering some traffic that you want to allow. There are two methods to determine if filtering is stopping your traffic:
• Use SET TCP IP DEBUG at the server console and look for the word FILTERING following a line showing your packets of interest. If you are working with a very busy server, you may find it necessary to use CONLOG.NLM to capture the traffic to a text file (which will be saved as SYS:ETC\CONSOLE.LOG) and search for the packets of interest there.
If TCP IP DEBUG simply displays too much traffic on the server console to deal with, try SET FILTER DEBUG=ON followed by one of the following (depending on whether you are trying to debug a TCP, UDP or ICMP filter exception):
  • SET TCP DISCARD FILTER DEBUG
  • SET UDP DISCARD FILTER DEBUG
  • SET ICMP DISCARD FILTER DEBUG
• UNLOAD IPFLT.NLM at the server console. This will immediately disable all IP packet filtering, and if your application now starts working, you can bet something was being filtered. It will then be necessary to determine the port numbers being filtered and determine if you can safely add filter exceptions to allow the traffic. Not all applications lend themselves to working through a firewall, and getting those applications to function may result in opening up your network so much that the firewall is ineffective.
CAUTION UNLOAD IPFLT and disabling your IP filters removes firewall functionality! If you need a highly secure network at all times, you should be doing this sort of testing in a lab environment!
The other kind of filtering issue involves allowing unwanted traffic that you intended to be filtering. There are two things to check if this situation is occurring:
• Be sure that you have enabled the default filter exceptions with BRDCFG.NLM, and not manually removed them using FILTCFG.NLM. You can run BRDCFG.NLM again to add back default filters and exceptions.
• Check the filter exceptions in FILTCFG.NLM to ensure that you have not added an exception that inadvertently allows the traffic of interest. Be especially alert for a filter exception that allows Any-to-Any.
• Check to be sure that IPFLT.NLM is loaded.
• Check to see that your internal hosts and routers have a default gateway setting.
Stateful Filter Exceptions Aren't Working
… the NAT definitions. The most thorough way to solve the problem is to:
• Rename those files to NETINFO.OLD and TCPIP.OLD
• LOAD INETCFG and then recreate all of the network settings again, followed by REINITIALIZE SYSTEM
Note: Problems in NETINFO.CFG and/or TCPIP.CFG can cause other strange and unexpected behavior, such as static NAT definitions seeming to disappear. Also, be sure to check your filter definition closely to ensure that the 'stateful' option has been selected - it is easy to overlook setting that parameter!
My Filter Exception Looks OK, But My Traffic Is Still Blocked
• Check to see if the traffic is UDP and the filter is for TCP, or vice-versa.
• Check to see if the filter exception is based on source port instead of destination port, or vice-versa. Especially with BorderManager 2.1, which has no stateful filters, you need to set up at least two filter exceptions: one to allow a destination port out, and the other to allow the return traffic (often in the port range of …).
Filter exceptions can be subtle; look very closely at the results of a TCP IP DEBUG trace to see what is actually happening. You need to pay attention to the line directly above FILTERING to determine the protocol (TCP or UDP, usually), source port, destination port, and whether the traffic was inbound or outbound.
My Traffic is Blocked, But TCP IP DEBUG Doesn't Show Any Discards
If TCP IP DEBUG shows inbound traffic simply being dropped, but with no indications of DISCARD, then you are probably seeing dynamic NAT implicit filtering at work. Try the command:
SET NAT DYNAMIC MODE TO PASS THRU=ON
If that helps, go into INETCFG, Protocols, TCP/IP and disable NAT Implicit Filtering.
Note: The menu option for NAT Implicit Filtering makes its appearance in one of the later NetWare support packs for NetWare 4.11 and 5.0.
NAT Quit Working
The situation I want to cover here generally occurs if you have renamed the public interface at some point. The symptoms are generally as follows:
• Dynamic NAT isn't working, even though you have it correctly set up on the public IP binding.
• Static NAT (for inbound traffic) isn't working either, even though it is correctly set up.
By correctly set up, I mean that you look in INETCFG and everything is fine. Yet if you use SET TCP IP DEBUG to look at your IP traffic, you can see that packets are being forwarded and NOT being NAT'd. You see packets going out with the private IP address, and of course no replies come back. Sometimes NAT.NLM will not even be loaded, though it usually is.
The cause is a duplicated interface definition in the SYS:ETC\TCPIP.CFG file. The cure is a simple edit of that file. Here is an example:
BAD TCPIP.CFG FILE EXAMPLE
AutonomousSystem 0
Protocol rip on {
  Interface {
    Address 192.168.10.254
    Port PRIVATE_EII
    Status on
    Cost 1
    Poison off
    SplitHorizon on
    UpdateTime 30
    GarbageTime 120
    ExpireTime 180
    OriginateDefault off
    Version ripI
    Mode normal
  }
  Interface {
    Address 10.70.0.107
    Port PUBLIC_EII
    Status on
    Cost 1
    Poison off
    SplitHorizon on
    UpdateTime 30
    GarbageTime 120
    ExpireTime 180
    OriginateDefault off
    Version ripI
    Mode normal
  }
  Interface {
    Address 10.70.0.107
    Port PUBLIC_EII
    Status on
    Cost 1
    Poison off
    SplitHorizon on
    UpdateTime 30
    GarbageTime 120
    ExpireTime 180
    OriginateDefault off
    Version ripI
    Mode normal
  }
}
Protocol egp off {
}
Protocol ospf off {
  Interface {
    Address 192.168.10.254
    Port PRIVATE_EII
    Status on
    Cost 1
    AreaId 0.0.0.0
    Priority 1
    RetransmissionInterval 5
    TransitDelay 1
    HelloInterval 10
    RouterDeadInterval 40
    Nbma {
      PollInterval 120
      Neighbor {
      }
    }
  }
  Interface {
    Address 10.70.0.107
    Port PUBLIC_EII
    Status on
    Cost 1
    AreaId 0.0.0.0
    Priority 1
    RetransmissionInterval 5
    TransitDelay 1
    HelloInterval 10
    RouterDeadInterval 40
    Nbma {
      PollInterval 120
      Neighbor {
      }
    }
  }
  Interface {
    Address 10.70.0.107
    Port PUBLIC_EII
    Status on
    Cost 1
    AreaId 0.0.0.0
    Priority 1
    RetransmissionInterval 5
    TransitDelay 1
    HelloInterval 10
    RouterDeadInterval 40
    Nbma {
      PollInterval 120
      Neighbor {
      }
    }
  }
}
Interface {
  Address 192.168.10.254
  Port PRIVATE_EII
  Type lan
  RouterDiscovery no
  SolicitationAddress multicast
  NATStatus Disabled
}
Interface {
  Address 10.70.0.107
  Port PUBLIC_EII
  Type lan
  RouterDiscovery no
  SolicitationAddress multicast
  NATStatus Dynamic
}
Interface {
  Address 10.70.0.107
  Port PUBLIC_EII
  Type lan
  RouterDiscovery no
  SolicitationAddress multicast
  NATStatus Disabled
}
ForwardIPSourceRouting off
NATFiltering off
The problem is right at the end. Notice the last two Interface entries: there are TWO ENTRIES for an interface named PUBLIC_EII with address 10.70.0.107. In this example there are no static NAT entries, but if there were, they would be easily seen in the
There are also other duplicate entries for the public interface in the routing protocols sections of the file. These don't happen to be causing an issue in this example, but should be deleted in the same way as described below.
Fixing the Problem
The cure is very simple. First, make a backup copy of the file. Then use a text editor like Notepad to delete the last Interface entry. Here is the last part of the above TCPIP.CFG file as it should be:

< first section of this file not shown...>
Interface
{
    Address 192.168.10.254
    Port PRIVATE_EII
    Type lan
    RouterDiscovery no
    SolicitationAddress multicast
    NATStatus Disabled
}
Interface
{
    Address 10.70.0.107
    Port PUBLIC_EII
    Type lan
    RouterDiscovery no
    SolicitationAddress multicast
    NATStatus Dynamic
}
ForwardIPSourceRouting off
NATFiltering off
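To make this check repeatable on other servers, here is a small Python script written for this chapter as an added example; it is not Novell's code and not part of the original book. It parses the brace-delimited TCPIP.CFG layout shown above, reports every level of the file where one Port name is defined by more than one Interface entry (so the routing-protocol duplicates are reported with their section name), and removes later top-level duplicates the way the Notepad edit does. The sample file inside the script is a constructed, shortened version of the bad file above, and the function names are my own.

```python
"""Find (and cut) duplicated Interface definitions in a NetWare TCPIP.CFG.

Added example for this chapter, not Novell code and not the book's own
material. The sample below is a constructed, shortened copy of the
chapter's bad file: one extra top-level PUBLIC_EII entry breaks NAT.
"""
from collections import Counter

BAD_TCPIP_CFG = """\
Protocol rip on
{
    Interface
    {
        Address 192.168.10.254
        Port PRIVATE_EII
    }
    Interface
    {
        Address 10.70.0.107
        Port PUBLIC_EII
    }
}
Interface
{
    Address 192.168.10.254
    Port PRIVATE_EII
    NATStatus Disabled
}
Interface
{
    Address 10.70.0.107
    Port PUBLIC_EII
    NATStatus Dynamic
}
Interface
{
    Address 10.70.0.107
    Port PUBLIC_EII
    NATStatus Disabled
}
ForwardIPSourceRouting off
NATFiltering off
"""


def interface_blocks(lines):
    """Return (path, start, end, attrs) for every Interface block.

    path names the enclosing blocks (empty tuple for the top-level binding
    section); start/end are line indexes of 'Interface' and its closing '}'.
    """
    blocks, stack, i = [], [], 0
    while i < len(lines):
        line = lines[i].strip()
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if line == "}":
            stack.pop()
        elif line == "Interface" and nxt == "{":
            attrs, level, j = {}, 0, i + 1
            while True:                          # read the balanced block
                cur = lines[j].strip()
                level += {"{": 1, "}": -1}.get(cur, 0)
                if level == 0:
                    break
                if level == 1 and cur != "{":    # 'Key Value' lines only
                    key, _, value = cur.partition(" ")
                    attrs[key] = value.strip()
                j += 1
            blocks.append((tuple(stack), i, j, attrs))
            i = j + 1
            continue
        elif line and nxt == "{":                # e.g. 'Protocol rip on'
            stack.append(line)
            i += 1                               # skip its opening brace
        i += 1
    return blocks


def duplicate_interfaces(text):
    """Sorted (path, port, count) for each Port defined more than once at
    the same level of the file."""
    counts = Counter((path, attrs.get("Port"))
                     for path, _, _, attrs in interface_blocks(text.splitlines()))
    return sorted((path, port, n) for (path, port), n in counts.items() if n > 1)


def drop_duplicate_top_level_interfaces(text):
    """Keep the first top-level Interface per Port and delete later ones,
    which is the chapter's manual fix. Protocol sections are left alone."""
    lines = text.splitlines()
    seen, cut = set(), set()
    for path, start, end, attrs in interface_blocks(lines):
        if path:
            continue
        if attrs.get("Port") in seen:
            cut.update(range(start, end + 1))
        seen.add(attrs.get("Port"))
    return "\n".join(l for k, l in enumerate(lines) if k not in cut) + "\n"
```

Run duplicate_interfaces() on a copy of SYS:ETC\TCPIP.CFG before and after the edit; an empty result for the top level is what you want, and any remaining hits inside Protocol sections point at the routing-protocol duplicates mentioned above.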
NAT Works, but Intermittently, and Communications are Inconsistent or Strange
There is a problem with the installation script for BorderManager. Regardless of any choices you make, older versions of some critical files will be installed, resulting in inconsistent or failing communications, particularly in regard to NAT. If you have BorderManager installed and an old NAT.NLM version is running, you need to install or reinstall the latest NetWare support pack. Some very odd symptoms have been seen with the mixed-up versions of NLM's involved; don't even bother troubleshooting until you reapply the support pack, as the symptoms are quite variable.
All My Traffic Is Blocked, Even Proxies.
Check to see if you have applied the default filters twice, once to the public interface and again to the private interface. If you have done this, your default filter exceptions may look fine, but you will have two sets of filters (not exceptions) blocking traffic, first to the Public interface and again to the Private interface. In this case you should delete all the filters using FILTCFG.NLM (you might also need to delete any incorrect filter exceptions) and then run BRDCFG.NLM again.
The Application Keeps Changing Port Numbers
Some applications simply don't work well through a firewall and expect that connections can be established in both directions using any port in the high port range. A typical symptom might be that both source and destination port numbers are not the same with each attempt at launching the application. Your choice: don't allow the application, or don't filter your network. Often these programs don't work with a NAT configuration either.
Stateful Filters or TCP/IP Communications Work, But Quit Working or Are Inconsistent
You probably need to get an updated version of IPFLT.NLM and possibly TCPIP.NLM. Check the Minimum Patch List and Novell Public Forums at http://support.novell.com/ to find out what the latest patch name is. Another possibility is that your server has run out of resources necessary to support stateful filtering; check the readme file from your patches closely to ensure you have made the proper settings.
My Port Numbers Are Really Weird!
• When using TCP IP DEBUG you start seeing port numbers that simply don't come close to any of the examples shown in this book.
• You are seeing port numbers reported that are over 65535 (WAY over). In some cases you may see port numbers like 109903872. Here is an example:
Tcp IP Debug set to 1
LOOPBACK:pktid:44733 10.1.1.1->10.1.1.1 ttl:128 (UDP)
UDP:Source Port:109903872Destination Port:109903872
RECEIVE:pktid:44733 10.1.1.1->10.1.1.1 ttl:128 (UDP)
UDP:Source Port:109903872Destination Port:109903872
LOCAL:pktid:44733 10.1.1.1->10.1.1.1 ttl:128 (UDP)
UDP:Source Port:109903872Destination Port:109903872
Discard Incoming: cause(FILTERING), reason(5)
LOOPBACK:pktid:44989 10.1.1.1->10.1.1.1 ttl:128 (UDP)
UDP:Source Port:109903872Destination Port:109903872
RECEIVE:pktid:44989 10.1.1.1->10.1.1.1 ttl:128 (UDP)
UDP:Source Port:109903872Destination Port:109903872
LOCAL:pktid:44989 10.1.1.1->10.1.1.1 ttl:128 (UDP)
UDP:Source Port:109903872Destination Port:109903872
Discard Incoming: cause(FILTERING), reason(5)
LOOPBACK:pktid:45245 10.1.1.1->10.1.1.1 ttl:128 (UDP)
UDP:Source Port:109903872Destination Port:109903872
RECEIVE:pktid:45245 10.1.1.1->10.1.1.1 ttl:128 (UDP)
You have a version of TCPIP.NLM that is incorrectly reporting the port numbers. This problem was especially prevalent with NetWare and some of the early service packs, and is still present in a number of different versions of TCPIP.NLM as of this writing. You may be able to get an updated version of TCPIP.NLM from http://support.novell.com/ that does not have the problem. It is best to check in the Novell Public Forums as well as the Minimum Patch List to find out what the latest TCPIP.NLM patch is called.
Note: As of this writing, I have become resigned to accepting the problem, since I have seen it with so many versions of TCPIP.NLM. In practice, it causes few issues, because I can infer the outgoing port numbers from the response traffic I see coming back. In addition, the problem does not affect static or dynamic NAT traffic.
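When you are reading a long SET TCP IP DEBUG trace it helps to have the bogus port values flagged automatically, so they are not mistaken for real traffic (or for a scan) while you look for the packets that actually matter. The following Python script is an added example for this chapter; it is not Novell code and not from the book. It parses the trace format shown above into one record per stage line, attaches the "Discard Incoming" verdict to the packet it follows, and marks any port above 65535 as a reporting artifact. The trace it works on is constructed: the first lines copy the sample above, the last two lines are made up to show a normally reported DNS query.

```python
"""Separate real traffic from the TCPIP.NLM port-reporting bug in a
SET TCP IP DEBUG trace.

Added example for this chapter (not Novell code, not from the book).
A TCP/UDP port can never exceed 65535, so any larger value is a display
artifact of the buggy TCPIP.NLM, not a real port.
"""
import re

MAX_PORT = 65535

# Constructed trace: chapter sample first, then two made-up lines showing a
# correctly reported DNS query from another host.
SAMPLE_TRACE = """\
Tcp IP Debug set to 1
LOOPBACK:pktid:44733 10.1.1.1->10.1.1.1 ttl:128 (UDP)
UDP:Source Port:109903872Destination Port:109903872
RECEIVE:pktid:44733 10.1.1.1->10.1.1.1 ttl:128 (UDP)
UDP:Source Port:109903872Destination Port:109903872
LOCAL:pktid:44733 10.1.1.1->10.1.1.1 ttl:128 (UDP)
UDP:Source Port:109903872Destination Port:109903872
Discard Incoming: cause(FILTERING), reason(5)
RECEIVE:pktid:50001 10.1.1.5->10.1.1.1 ttl:128 (UDP)
UDP:Source Port:1033Destination Port:53
"""

HEADER = re.compile(r"^(?P<stage>[A-Z]+):pktid:(?P<pktid>\d+) "
                    r"(?P<src>[\d.]+)->(?P<dst>[\d.]+) ttl:(?P<ttl>\d+) "
                    r"\((?P<proto>\w+)\)$")
# The debug output runs the two port fields together, hence \s* between them.
PORTS = re.compile(r"^(?:TCP|UDP):Source Port:(?P<sport>\d+)\s*"
                   r"Destination Port:(?P<dport>\d+)$")
DISCARD = re.compile(r"^Discard Incoming: cause\((?P<cause>\w+)\), "
                     r"reason\((?P<reason>\d+)\)$")


def parse_trace(text):
    """One dict per stage line (LOOPBACK, RECEIVE, LOCAL, ...), with the
    ports and any discard verdict that followed that line."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER.match(line):
            current = {"stage": m["stage"], "pktid": int(m["pktid"]),
                       "src": m["src"], "dst": m["dst"], "proto": m["proto"],
                       "sport": None, "dport": None, "discard": None}
            records.append(current)
        elif (m := PORTS.match(line)) and current:
            current["sport"], current["dport"] = int(m["sport"]), int(m["dport"])
        elif (m := DISCARD.match(line)) and current:
            current["discard"] = (m["cause"], int(m["reason"]))
    return records


def has_bogus_port(rec):
    """True when either port is impossible, i.e. the reporting bug hit."""
    return any(p is not None and p > MAX_PORT for p in (rec["sport"], rec["dport"]))


def summarize(text):
    recs = parse_trace(text)
    return {
        "stages": len(recs),
        "bogus_port_pktids": sorted({r["pktid"] for r in recs if has_bogus_port(r)}),
        "filtered_pktids": sorted({r["pktid"] for r in recs
                                   if r["discard"] and r["discard"][0] == "FILTERING"}),
        "credible": [(r["pktid"], r["proto"], r["sport"], r["dport"])
                     for r in recs if r["sport"] is not None and not has_bogus_port(r)],
    }
```

The credible list is the part worth reading when you are building exceptions; the filtered_pktids list tells you which packets the filters discarded regardless of how their ports were printed.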
FTP-PORT-PASV-ST Stateful Filter Doesn't Work in BorderManager 3.5
There was a bug with the version of the IPFLT.NLM modules shipped with BorderManager 3.5. I have set up BorderManager 3.5 servers where the filter worked and others where it did not. The bug was first fixed in the BMFA.EXE patch and the BMSP.EXE patch. For several service packs the updated IPFLT.NLM modules have been contained in the NetWare support packs instead of in BorderManager patches. Check the Minimum Patch List and Novell Support Connection Public Forums at http://support.novell.com/ to find out what the latest available BorderManager patch is called.
Otherwise, set up filter exceptions as you would have to do with BorderManager 2.1: allow outbound TCP port 21, source ports 1024-65535, and add another filter exception to allow inbound TCP destination ports 1024-65535, source port 20.
POP3-ST Stateful Filter Doesn't Work in BorderManager 3.5
There is a bug with the version of the POP3-ST filter definition shipped with BorderManager 3.5: the Stateful parameter was not enabled in the built-in POP3-ST filter definition. You can simply create your own new POP3 stateful filter definition that enables the stateful parameter, or try manually editing the SYS:ETC\BUILTINS.CFG file. See the explanation in the Odds & Ends chapter, page 228, on this.
All IP Traffic Quits Working After Some Time
You probably need to get an updated version of TCPIP.NLM. Check the Minimum Patch List and Novell Public Forums at http://support.novell.com/ to find out what the latest patch name is.
You may need to increase the Maximum Physical Receive Packet Size setting to allow for larger packets. If you have a low setting, you may find odd behavior like small files transferring but not larger ones. This setting is particularly required for network cards using Intel chipsets on NetWare servers after applying a Service Pack.
Also, with certain older versions of TCPIP.NLM, try setting SET TCP IP MAXIMUM SMALL ECBS. This setting should NOT be needed on later TCPIP.NLM versions, which are fine without it as is.
In general, check these items:
• Get the latest TCPIP patch (in the latest NetWare support packs)
• Use SET TCP IP MAXIMUM SMALL ECBS (only necessary for older TCPIP.NLM versions)
• Get the latest PROXY.NLM patch
• Get the latest IPFLT.NLM patch (in the latest NetWare support packs)
• Get the latest NAT.NLM patch (in the latest NetWare support packs)
My Application Works For Me, But Not For My Friend Outside The Firewall
This is a typical problem with certain chat-type software, and could be with any application that tries to establish a direct host-to-host connection between two PC's with one of them behind a firewall. Outbound connections may work, but not the reverse. This type of application is likely to require a static NAT configuration for each internal host. Check the IP traffic using SET TCP IP DEBUG to see if inbound connections are trying to be made on random high ports. Some programs are simply not suited to working through firewalls, as you would have to effectively open all ports up in order to get the program to work.
Some programs will work best using a SOCKS gateway. If the application has a SOCKS option, try using that before going to great lengths setting up filter exceptions.
I Can't Filter Traffic That Brings Up My DialUp Connection!
Well… you're right. Unfortunately, you can't, due to the way that Novell works with dialup and filtering. First a dialup link is opened, and THEN filtering is activated, because the link is opened before the packet even gets to the router. About the only way around this problem is to get a dialup router upstream from the one connected to your BorderManager server and activate some filtering on that router. This problem is inherent to how the Novell TCP/IP stack is written, and would require a fundamental change to the
The NCP Include parameter was introduced with one of the later service packs for NetWare 5.x.
Chapter 11 - Odds & Ends
This section is intended to relay some information I have received from various sources, but for which I do not have examples. In some cases I have not personally tried out the suggested filter exceptions.
Other Useful Port Numbers
I have heard users of the Novell Public Forums report that they have been able to get the following services to work through BorderManager with the destination port numbers shown. I have not confirmed this information personally. A fairly comprehensive list of port numbers can be found at http://www.ec11.dial.pipex.com/port-num0.shtml
LDAP
Try setting up a stateful filter for TCP destination port 389 and source port Any (or source ports 1024-65535). If LDAP is using SSL encryption, the port number defaults to TCP destination port 636.
NetWare NCP Over IP
Novell NetWare NCP uses TCP destination port 524. TCP port 524 is used by NDS and client communications when IP is being used instead of IPX.
NDPS
See the Novell TID on this subject. The broker uses two TCP ports. The NDPS manager uses TCP port 3396. Printer agents use a TCP destination port and a UDP destination port.
SNMP
SNMP uses UDP destination port 161. NDPS also uses SNMP queries to check printer status, so if you use NDPS exceptions you probably will need SNMP exceptions.
SCMD
Use TCP destination port 2302 and UDP destination port 2645.
SLP
The SLP listening port is UDP destination port 427, but SLP by its nature works on multicast addresses, so keep that in mind when developing filter exceptions.
IPP
IPP printing uses TCP destination port 631.
Renaming Your Interfaces to Public and Private
You will have noticed that all of the filtering examples in this book call out interface names PUBLIC and PRIVATE. My guess is that by now you wish YOUR BorderManager server names were also PUBLIC and PRIVATE. This section tells you how to easily convert the board names without deleting and recreating the board definitions.
CAUTION This procedure can cause major problems if you make a mistake. Be absolutely sure you have backed up the files involved before proceeding!
There are only four files you have to modify to change the names. The first step is to make a backup copy of the files in case you make a mistake and need to go back to the original settings. Make a backup copy of the following files in a directory on the server. If the files are on the server, you can copy them back into place with TOOLBOX.NLM should you lose communications and not be able to log into the server. Toolbox is available in two versions at http://support.novell.com/misc/patlst.htm in the ETBOX and TBOX executable files. Another good place to back up the files is on a floppy disk.
• SYS:ETC\NETINFO.CFG
• SYS:ETC\NETINFO.CHK
• SYS:ETC\FILTERS.CFG
• SYS:ETC\TCPIP.CFG
Fixing the BorderManager 3.5 POP3-ST Definition
The Novell-supplied filter definition called POP3-ST in BorderManager 3.5 has a little problem: Novell didn't enable the Stateful attribute on this supposedly stateful filter definition. If you look at the filter definition in FILTCFG.NLM, you will see that the filter is NOT stateful. What's more, since the filter definition is a built-in definition, you are not allowed to edit it or replace it with another by the same name. Most people simply create a new definition with a slightly different name, like POP3A-ST, and enable the stateful attribute there.
The Novell-supplied filter definitions are in a file in SYS:ETC called BUILTINS.CFG. Editing this file is all that you need to do to fix the filter definition.
The SYS:ETC\BUILTINS.CFG file is a text file flagged read-only, so you must first flag it as normal in order to edit it. Change to the sys:etc directory and execute

FLAG SYS:ETC\BUILTINS.CFG N

That should change the status to normal. Next, use a text editor (Notepad will do) to change the one line in the file for POP3 from

PROTOCOL-SERVICE IP, pop3-st, pid=TCP port=110 srcport=, Stateful POP3 Service

to (adding the text stfilt=1)

PROTOCOL-SERVICE IP, pop3-st, pid=TCP port=110 srcport= stfilt=1, Stateful POP3 Service

Do not add a comma before the stfilt=1. Unload IPFLT.NLM and then Reinitialize System, or reboot the server. Now you should have a POP3-ST filter definition that is actually stateful.
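Because a misplaced comma in this line silently leaves the filter non-stateful, the edit is worth doing in a way that can be checked. The following Python script is an added example for this chapter; it is not a Novell tool and not the book's code. It rewrites the pop3-st PROTOCOL-SERVICE line exactly as described above (stfilt=1 after srcport=, separated by a space, no comma before it), leaves a line that already has stfilt alone, and offers a check for the comma mistake. The sample file content is constructed; only the pop3-st line is copied from the chapter, and the second line is a made-up non-stateful entry to show that other lines are untouched. Flagging the file normal with FLAG, unloading IPFLT.NLM and reinitializing the system are still done at the server console as described.

```python
"""Enable the Stateful attribute on the pop3-st line of BUILTINS.CFG.

Added example for this chapter (not a Novell tool, not the book's code).
Sample content is constructed: the pop3-st line is the chapter's, the
www-http line is made up to show that other definitions are left alone.
"""
import re

SAMPLE_BUILTINS = """\
PROTOCOL-SERVICE IP, pop3-st, pid=TCP port=110 srcport=, Stateful POP3 Service
PROTOCOL-SERVICE IP, www-http, pid=TCP port=80 srcport=, HTTP Service
"""

# group 1: everything up to and including 'srcport='; group 2: the rest,
# which must start with the comma that precedes the description text.
POP3_ST = re.compile(r"^(PROTOCOL-SERVICE IP, pop3-st, .*?srcport=)(,.*)$")


def make_stateful(line):
    """Return the pop3-st definition with stfilt=1 set; unchanged if it is
    already there. Raises ValueError for anything that is not a pop3-st line."""
    if re.search(r"\bstfilt=", line):
        return line
    m = POP3_ST.match(line)
    if not m:
        raise ValueError("not a pop3-st PROTOCOL-SERVICE line: " + line)
    head, tail = m.groups()
    return f"{head} stfilt=1{tail}"        # space before, comma only after


def is_well_formed(line):
    """The chapter's caveat: 'srcport= stfilt=1,' with a space and no comma
    before stfilt. False for a 'srcport=, stfilt=1' style mistake."""
    return " srcport= stfilt=1," in line


def fix_builtins(text):
    """Rewrite every pop3-st line; return (new_text, lines_changed)."""
    out, changed = [], 0
    for line in text.splitlines():
        new = make_stateful(line) if ", pop3-st," in line else line
        changed += new != line
        out.append(new)
    return "\n".join(out) + "\n", changed
```

Run fix_builtins() over the text of a backup copy of SYS:ETC\BUILTINS.CFG, confirm is_well_formed() on the changed line, and only then copy the result over the flagged-normal original.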
Novell's FILT01A.EXE File
Novell has for some time provided a file called FILT01A.EXE that provides some predefined filter exceptions for DNS, HTTP and FTP for both BorderManager 2.1 and BorderManager 3.x. You would replace your existing FILTERS.CFG file with one of the examples provided in the file. There are also some filter worksheets provided in various formats. The file is available from Novell's support site, but there are better examples in this book.
Chapter 12 - Other References
Check my web site at http://nscsysop.hypermart.net for updates.
A fairly comprehensive list of port numbers can be found at http://www.ec11.dial.pipex.com/port-num0.shtml. This URL has changed recently, so you might have to go to the main site URL and browse to the port number link.
Other sources of information on port numbers can be found at Marcus Williamson's web site at http://www.connectotel.com/border/
It is always a good idea to check a manufacturer's web site for information on setting up a product with a firewall.
Well-known port numbers are described in an RFC and on numerous Internet web sites. Use a web search engine to find a site detailing these port numbers.
Novell describes how to set up a number of filter exceptions in one Technical Information Document (TID) or another. Look these up using the Knowledgebase link at http://support.novell.com and entering a search term for the type of traffic you want to allow. Many of the TID's describe BorderManager 2.1 filter exceptions (no stateful filters). The Novell Knowledgebase also contains many TID's on BorderManager issues or problems.
Proprietary programs may change the port numbers they use between revisions. Check the manufacturer's web site for guidance in setting up the program with a firewall.
Index
August 20, 2001
Index

A
ACK bit filtering · 15, 20, 21, 157, 161, 162, 166, 168, 170, 172, 181, 183, 187, 189, 191, 196, 197, 203
ackfilt · 198
AIM · 13, 99
altaddr · 157
AOL · 13, 99, 115, 210
AOL Instant Messenger · 13, 99, 115, 210
ARP table · 67

B
Blocking Chat Programs · 116, 209
BorderManager 2.1 · 13, 14, 34, 53, 104, 112, 131, 173, 192, 193, 196, 215, 222, 229, 230
BorderManager 3.0 · 20, 34, 45, 62, 76, 112, 133, 134
BorderManager 3.5 · 128, 133, 136, 197, 222, 228
BorderManager 3.6 · 66, 104, 219
BRDCFG · 46, 47, 49, 53, 62, 64, 198, 201, 204, 206, 214, 220
BUILTINS.CFG · 68, 86, 197, 198, 222, 228

C
Chat · 116, 209, 211
Cisco · 13, 100, 101
Citrix · 13, 14, 102, 103, 156, 157, 158, 159
Client-to-Site VPN · 104, 105, 106, 107
CLNTRUST · 108
Collexion · 165, 166
CONLOG · 44, 65, 68, 70, 79, 213
CuteFTP · 160
Cyberkit · 111, 209

D
D0.NCF · 44
D1.NCF · 44
DEBUG · 21, 36, 44, 45, 65, 66, 67, 68, 69, 70, 76, 77, 78, 79, 206, 213, 214, 215, 216, 221, 223
default filters · 18, 19, 43, 46, 47, 49, 50, 53, 62, 64, 70, 71, 72, 73, 108, 127, 148, 155, 198, 201, 207, 210, 214, 220
default route · 18, 24, 25, 26, 28, 29, 64, 67, 157
DHCP · 13, 140, 141, 142, 143, 144, 145
DMZ · 15, 199, 200, 201, 202, 203, 204, 205
DNS · 13, 34, 70, 73, 99, 110, 111, 131, 182, 192, 208, 209, 229
DOMAIN · 185
Dummy Static Route · 211, 212
dynamic NAT · 21, 30, 31, 34, 35, 37, 38, 41, 49, 70, 71, 100, 101, 104, 192, 206, 215, 221
Dynamic NAT · 34, 35, 36, 41, 71, 107, 216

F
FILTCFG · 46, 47, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 64, 65, 66, 70, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 198, 214, 220, 227, 228
FILTERS.CFG · 65, 68, 197, 226, 227, 229
firewall · 24, 32, 38, 63, 64, 85, 100, 101, 102, 103, 199, 213, 214, 220, 223, 230
Firewall · 223
FTP · 13, 14, 18, 38, 78, 112, 113, 140, 160, 161, 162, 192, 203, 205, 208, 222, 229
FTP-PORT-PASV-ST · 222

G
GroupWise · 9, 13, 14, 114, 163, 164, 165

H
HTTP · 19, 34, 43, 52, 60, 61, 72, 73, 74, 75, 112, 118, 119, 131, 132, 135, 139, 140, 148, 149, 151, 152, 154, 165, 188, 189, 202, 203, 204, 207, 208, 209, 210, 229
HTTP Proxy · 19, 60, 72, 73, 74, 75, 118, 119, 132, 139, 148, 149, 151, 152, 165, 204, 207, 208, 209, 210
HTTPS · 52, 61, 135, 149, 151, 152, 188, 190, 191, 207, 208

I
ICMP · 20, 71, 77, 127, 213
ICQ · 13, 99, 115, 116, 210
IMAP · 13, 14, 117, 167, 168
IPFLT · 66, 68, 97, 197, 198, 213, 214, 227, 228
IPFLT31.NLM · 66, 76, 214, 220, 222, 223

L
LDAP · 225
loopback · 45, 211
Lotus Notes · 14, 169, 170

M
Media Player · 13, 119, 120
MSN Messenger · 13, 118, 210, 212
multicast · 45, 218, 219, 224, 226

N
NAT · 14, 18, 20, 21, 30, 31, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 45, 49, 70, 71, 100, 101, 104, 105, 106, 107, 114, 137, 138, 140, 141, 146, 148, 155, 156, 157, 158, 160, 161, 163, 165, 167, 169, 171, 173, 176, 177, 178, 180, 182, 183, 184, 185, 186, 188, 190, 192, 197, 199, 202, 206, 215, 216, 218, 219, 220, 221, 223, 227
NCF Files · 79
NDPS · 225
NETBIOS · 69
NETINFO.CFG · 42, 214, 215, 226, 227
NNTP · 10, 13, 14, 121, 155
Notes · 14, 169, 170
Novell Public Forums · 220, 221, 222, 225
NSLOOKUP · 111, 209, 211
NTP · 13, 122, 123, 130

P
PASV · 192, 222
pcANYWHERE · 13, 14, 18, 124, 125, 126, 138, 173, 174, 175, 176, 177, 178, 179
PING · 13, 45, 70, 71, 127
POA · 163, 164
POP3 · 13, 14, 117, 128, 155, 163, 180, 181, 197, 222, 228
port 10000 · 100
port 110 · 128
port 119 · 121
port 123 · 122
port 161 · 225
port 1677 · 163
port 1755 · 119
port 1863 · 118
port 20 · 104, 106, 113, 153, 162, 196
port 2010 · 104, 106
port 2037 · 153
port 21 · 52, 56, 112
port 213 · 52, 56
port 22 · 124, 173, 178, 179
port 23 · 22, 226
port 2302 · 226
port 25 · 22, 23, 134, 182, 183, 185, 193
port 2645 · 226
port 3396 · 225
port 353 · 52, 57, 58
port 37 · 129
port 389 · 225
port 427 · 226
port 443 · 52, 61, 135, 149, 151, 188, 207
port 500 · 100
port 5190 · 99, 115, 116
port 524 · 108, 225
port 53 · 70, 110, 192
port 5631 · 124, 173, 176, 177
port 5632 · 124, 173, 174, 178, 179
port 631 · 226
port 636 · 225
port 67 · 144
port 68 · 144
port 7070 · 131, 132
port 80 · 52, 60, 73, 75, 132, 139, 146, 149, 187, 206, 207, 208
port 8008 · 146
port 8009 · 146
port 8080 · 75, 132, 208
Portal · 13, 146, 147, 196
ports 1024-65535 · 124, 173, 177, 193, 194, 195, 222, 225
Private interface · 173, 220
protocol 57 · 52
Public interface · 173, 220
Public IP address · 192

R
RCONAG6 · 153, 154
RCONJ · 13, 153, 154
RDATE · 13, 129, 130
RealAudio · 13, 131, 132, 208
RealPlayer G2 · 131, 132
Reverse Proxy · 38, 43, 60, 148, 188
routing · 13, 19, 24, 26, 29, 34, 47, 67, 75, 219
RTSP · 13, 131, 133, 208

S
Secondary IP address · 33
security · 15, 20, 24, 31, 38, 43, 54, 62, 63, 127, 151, 155, 192, 193, 196, 197, 199
Security · 20, 37, 62, 196, 199, 206
SET FILTER DEBUG=ON · 45, 67, 77, 78, 79, 206, 213
SET TCP IP DEBUG · 45, 65, 66, 67, 68, 76, 206, 213, 216, 223
SKIP · 52, 59
SLP · 53, 62, 226
SMTP · 13, 14, 22, 23, 134, 155, 182, 183, 184, 185, 193
SNMP · 225
SNTP · 13, 122
Spell Check · 14, 165, 166
SSL · 13, 52, 61, 135, 148, 149, 151, 152, 188, 190, 191, 207, 225
stateful filtering · 14, 20, 192, 220
Stateful filtering · 99, 100, 101, 102, 103, 105, 106, 107, 108, 111, 113, 114, 116, 117, 118, 120, 121, 122, 124, 125, 126, 127, 128, 129, 132, 133, 134, 135, 136, 137, 138, 139
static NAT · 14, 18, 20, 21, 36, 37, 38, 39, 40, 41, 42, 43, 45, 49, 114, 138, 140, 141, 146, 155, 156, 157, 158, 160, 163, 165, 167, 169, 173, 176, 177, 178, 180, 182, 183, 184, 185, 186, 188, 190, 197, 199, 202, 215, 218, 223
Static NAT · 18, 38, 39, 40, 42, 43, 45, 137, 140, 148, 155, 160, 161, 163, 165, 171, 186, 202, 216
static route · 24, 206, 209, 211, 212

T
T0.NCF · 79
T1.NCF · 79
TCPCON · 24, 67
TCPIP.CFG · 42, 109, 214, 215, 216, 219, 224, 226, 227
Telnet · 136
TELNET · 13, 22, 136
Terminal Server · 13, 14, 137, 171, 172
troubleshooting · 10, 16, 77, 146, 213, 220

V
VNC · 13, 14, 138, 139, 186, 187
VPN · 13, 19, 21, 42, 46, 47, 52, 53, 56, 57, 58, 59, 100, 101, 104, 105, 106, 107

W
Web Access · 14, 165