iPlanet Portal Server Administration Guide



Appendix A       Administering the Firewall Application


This appendix describes the following:

  • How the iPlanet Portal Server firewall application works

  • How to configure and administer the iPlanet Portal Server firewall application using the command line



iPlanet Portal Server Firewall Application

In most iPlanet Portal Server deployments, a separate firewall is used to restrict external access to the iPlanet Portal Server gateway to traffic on TCP port 443, or to the port you have configured to carry SSL traffic.

For situations in which an external firewall does not exist, iPlanet Portal Server provides the option of installing an internal firewall, which offers limited configuration options. If you want greater control over the ports and traffic than this firewall application provides, you must install a firewall product like Sun Microsystems' SunScreen EFS.

If you choose not to install the iPlanet Portal Server firewall application, make sure that you configure your existing firewall to restrict external access (access from the Internet) to the iPlanet Portal Server gateway to the SSL port only (port 443 by default), while leaving full access to the iPlanet Portal Server gateway from all machines and all ports on the internal or private network. This assumes that everyone logging in from the Internet is permitted to have access to iPlanet Portal Server.



Note Port 443 is the usual default port for SSL traffic, and the instructions throughout this chapter assume that you selected port 443 for SSL traffic.





How the Firewall Works



The iPlanet Portal Server firewall application uses proven Sun Microsystems' firewall technology to protect your network with dynamic packet filtering.

Dynamic packet filtering means that the firewall examines each packet as it arrives. Based on information in the packet, state retained from previous events, and a set of rules that implement the security policy for access control, the firewall either passes the packet from one network to another (for example, from the Internet to your intranet) or drops it.

The iPlanet Portal Server firewall application uses a set of ordered rules to filter packets. When you configure the iPlanet Portal Server firewall application, you translate the security policies for this product into a series of rules that specify which services are to be allowed, what to do with packets for services that are disallowed, and what to do when packets are dropped. You then place these rules in sequence to specify which rules override others.

When the iPlanet Portal Server firewall application receives a packet, it tests the packet against the rules in order. The firewall does not test each packet against every rule: the first rule whose service, source address, and destination address all match the packet is the rule that controls the packet, and later rules are never consulted for it. Depending on the action in that rule, the firewall passes or drops the packet. If the packet matches no rule that expressly allows it, the firewall drops it. Because an earlier match hides every later rule, the position of a rule matters as much as its content.



Configuring the iPlanet Portal Server Firewall Application



The firewall application is the only application in the iPlanet Portal Server software that you configure and administer solely through the command-line user interface. It uses a special version of Sun Microsystems' proven firewall technology.

The fw.configure command is the command used to install and minimally configure the firewall application. You usually run this command as part of the installation procedure on the iPlanet Portal Server gateway.



Note The commands for the iPlanet Portal Server firewall application are located in /opt/SUNWsrfw/bin.




To Configure the iPlanet Portal Server Firewall Application

  1. As root, run the following command on the iPlanet Portal Server gateway to bootstrap the firewall to a point where it can filter network packets:


    # fw.configure

  2. Respond to the questions to activate and minimally configure the firewall.

    The fw.configure process initializes the firewall application.

  3. Add or change rules as necessary to configure your firewall fully.

    By default, only packets coming from the external iPlanet Portal Server gateway interface are examined and few rules are installed. fw.configure installs the following three default rules that:

    1. Allow external access from the iPlanet Portal Server gateway's Internet interface to the SSL port. (The default port number is 443.)

    2. Allow the iPlanet Portal Server gateway access to anywhere.

    3. Allow routing information from the Internet interface on the iPlanet Portal Server gateway to be updated.

    Everything that is not expressly allowed in these rules is denied.

  4. Reboot the iPlanet Portal Server gateway after the command fw.configure finishes running for the rules to take effect.



Administering the iPlanet Portal Server Firewall Application

You must administer the firewall application as root (superuser). You administer the iPlanet Portal Server firewall application only from the command-line user interface. There are only four commands used to administer the firewall application:

  • fw.activate

  • fw.address

  • fw.rule

  • fw.services


Using fw.activate to turn the firewall on or off

This command turns the firewall application off or on. Turning the firewall application off means that it is no longer filtering inbound and outbound packets. Turning the firewall application on reactivates the rules that were active before it was turned off.

  1. As root, type the following to turn the firewall application off:


    # fw.activate off

  2. As root, type the following to turn the firewall application on:


    # fw.activate on


Using fw.address to change address

This command manipulates address definitions that the firewall application's packet filtering rules use. Use this command to:

  • Add the IP address for a machine that is located on the Internet. When you add an IP address, you name it; e.g., sales_office_boston. You can also include a descriptive comment for the address that you are defining.

  • Add a range of IP addresses for machines that are located on the Internet. You only need to specify the beginning IP address and the ending IP address of the range. You name this range when you define it. You can also include a descriptive comment for the range of addresses that you are defining.

  • Add a list of IP addresses that consists of host addresses, ranges of addresses, and other address lists.

  • Delete an address by IP address or by name from the address file.

  • List a particular address by name, or all the addresses that are currently defined in the address file.


Address Management

The firewall application identifies network elements (networks, subnetworks, and individual hosts) by mapping a named address object to one or more addresses. These address objects are used in defining the firewall application's network interfaces and as source and destination addresses for rules. An address object can represent a single computer or a whole network. You can gather address objects representing individual and network addresses together to form address groups. The firewall application lets you define address objects that specifically include or exclude other address objects (single IP hosts and ranges of contiguous IP addresses).


Individual IP Addresses

The firewall application identifies an individual host by linking its unique IP address to an address object, which can use the name or IP address of the host.

  • To add an address, as root, type the following. For example:


    # fw.address add myhost HOST 1.1.1.1 "An example of an added address named myhost"


Address Ranges

An address range is a set of numerically contiguous IP addresses. Networks and subnetworks are typically identified by an address range name. Use the beginning and ending addresses to identify an IP address range.

  • To add a range of addresses, as root, type the following. For example:


    # fw.address add mynet RANGE 1.1.1.1 1.1.1.5 "An example of a range of addresses named mynet"

    The range represents all the addresses inclusive between the address 1.1.1.1 and 1.1.1.5. It is named mynet.

  • To delete an address or a range of addresses that you have named myhome, for example, as root type the following:


    # fw.address delete myhome

  • To list a single address or range of addresses by name, as root, type the following. For example:


    # fw.address list myhome

    The address range currently defined as myhome is listed.

  • To list all addresses currently defined, as root, type the following:


    # fw.address list

    All addresses currently defined are listed.


Using fw.rule for packet filtering

This command uses various options to manipulate the firewall application's packet filtering rules. You can change the action, service, or both by writing new rules, deleting old rules, and moving rules to the position that you want. Use fw.rule to:

  • Add a rule with a new action (ALLOW or DENY) or a different service or both. ALLOW means permit a packet that meets the qualifications in the rule to pass through. DENY means reject the packet. New port numbers are defined as services with fw.services, after which a rule can refer to them by service name.

  • Delete a rule from the list of rules.

  • List the ordered rules governing the firewall application or to list the interface that the firewall application is using.

  • Move a rule from one position to another in the ordered list of rules, thus changing the order in which it will take effect.


Rules

The configurations for the basic firewall application are based on sets of ordered rules. The default rules that are installed with the basic firewall establish a security policy that works well with iPlanet Portal Server. These rules specify the action to be taken for services between two addresses that are on different interfaces of the firewall.

  • To list the rules, as root, type the following:


    # fw.rule list rule

    The rules (in this case, the default rules) are listed in the order in which they examine incoming packets.


    1 ALLOW "ssl" from "le0" to "localhost"
    2 ALLOW "common services" from "localhost" to "*"
    3 ALLOW "rip" from "*" to "*"

  • To add a rule, as root, type the following:


    # fw.rule add ALLOW service from host to host

    This adds a rule that allows the named service between the two hosts, where service is a service defined with fw.services and each host is an address object defined with fw.address ("*" stands for any address, as in the default rules). Use the list option to see the new list of rules.

  • To delete a rule, as root, type the following:


    # fw.rule delete 4

    Rule number 4 is deleted. Use the list option to see the new list of rules.

  • To move a rule, as root, type the following:


    # fw.rule move 5 4

    Rule 5 is moved to position 4 and the rule that was at position 4 becomes rule 5, so the moved rule is now tested first. Use the list option to see the new ordering.
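The first-match behaviour described under How the Firewall Works, together with the address objects, service definitions and rule operations above, as a small runnable model. This is an added example and not code from the iPlanet Portal Server firewall application: it seeds the three default rules that fw.configure installs and then replays the kind of changes an administrator makes with fw.address and fw.rule. The gateway address 192.0.2.10, the inside interface name hme0, the port numbers used for rip (UDP 520) and telnet (TCP 23), the sample client addresses, and the decision to model only the port-based members of "common services" are all assumptions, not facts from the page.

```python
"""Model of the ordered, first-match packet filter described in this appendix.
Added example, not code from the iPlanet Portal Server firewall application.
Assumed: gateway address 192.0.2.10, inside interface hme0, rip = UDP 520,
telnet = TCP 23; only the port-based members of "common services" are modelled."""
from collections import namedtuple
from ipaddress import IPv4Address

Packet = namedtuple("Packet", "in_iface out_iface src dst proto dport")  # as the filter sees it

ADDRESSES = {                      # fw.address objects: ANY, HOST, RANGE, GROUP, IFACE
    "*": ("ANY",),
    "localhost": ("HOST", IPv4Address("192.0.2.10")),   # the gateway itself (assumed address)
    "le0": ("IFACE", "le0"),                             # the gateway's Internet interface
}
SERVICES = {                       # fw.services definitions: (protocol, low port, high port)
    "ssl": [("TCP", 443, 443)],
    "rip": [("UDP", 520, 520)],
    "telnet": [("TCP", 23, 23)],
    "common services": [("TCP", 0, 3850), ("TCP", 3855, 65535), ("UDP", 0, 65535)],
}
RULES = []                         # fw.rule entries in order: (action, service, source, destination)

def address_add(name, kind, *args):
    """fw.address add NAME HOST addr | RANGE first last | GROUP name... (comment omitted)."""
    if kind == "HOST":
        ADDRESSES[name] = ("HOST", IPv4Address(args[0]))
    elif kind == "RANGE":
        ADDRESSES[name] = ("RANGE", IPv4Address(args[0]), IPv4Address(args[1]))
    else:
        ADDRESSES[name] = ("GROUP", list(args))

def address_matches(name, pkt, side):
    kind, *spec = ADDRESSES[name]
    ip, iface = (pkt.src, pkt.in_iface) if side == "src" else (pkt.dst, pkt.out_iface)
    if kind == "HOST":
        return ip == spec[0]
    if kind == "RANGE":
        return spec[0] <= ip <= spec[1]      # inclusive, as an fw.address RANGE is
    if kind == "GROUP":
        return any(address_matches(m, pkt, side) for m in spec[0])
    if kind == "IFACE":
        return iface == spec[0]
    return True                               # "*" matches anything

def service_matches(name, pkt):
    return any(p == pkt.proto and lo <= pkt.dport <= hi for p, lo, hi in SERVICES[name])

def rule_add(action, service, src, dst):
    RULES.append((action, service, src, dst))
    return len(RULES)                         # appended at the end; rules are numbered from 1

def rule_move(n, position):                   # fw.rule move N POSITION
    RULES.insert(position - 1, RULES.pop(n - 1))

def rule_list():                              # same shape as the fw.rule list rule output
    return [f'{i} {a} "{s}" from "{src}" to "{dst}"' for i, (a, s, src, dst) in enumerate(RULES, 1)]

def evaluate(pkt):
    """First rule whose service, source and destination all match decides; no match means drop."""
    for n, (action, service, src, dst) in enumerate(RULES, 1):
        if (service_matches(service, pkt) and address_matches(src, pkt, "src")
                and address_matches(dst, pkt, "dst")):
            return action, n
    return "DENY", 0                          # implicit default deny

def install_defaults():                       # the three rules fw.configure installs
    RULES.clear()
    rule_add("ALLOW", "ssl", "le0", "localhost")
    rule_add("ALLOW", "common services", "localhost", "*")
    rule_add("ALLOW", "rip", "*", "*")

def demo():
    install_defaults()
    gw, boston, other = (IPv4Address(a) for a in ("192.0.2.10", "198.51.100.7", "203.0.113.9"))
    def inbound(src, proto, port):            # arrives on le0, addressed to the gateway
        return Packet("le0", "hme0", src, gw, proto, port)
    r = {"https_in": evaluate(inbound(other, "TCP", 443)),                        # rule 1
         "telnet_in": evaluate(inbound(boston, "TCP", 23)),                       # nothing allows it
         "rip_in": evaluate(inbound(other, "UDP", 520)),                          # rule 3
         "gw_out_http": evaluate(Packet("hme0", "le0", gw, other, "TCP", 80)),    # rule 2
         "gw_out_3852": evaluate(Packet("hme0", "le0", gw, other, "TCP", 3852))}  # TCP 3851-3854 gap
    # fw.address add sales_office_boston HOST 198.51.100.7
    # fw.rule add ALLOW telnet from sales_office_boston to localhost   (becomes rule 4)
    address_add("sales_office_boston", "HOST", "198.51.100.7")
    rule_add("ALLOW", "telnet", "sales_office_boston", "localhost")
    r["telnet_boston"] = evaluate(inbound(boston, "TCP", 23))
    r["telnet_other"] = evaluate(inbound(other, "TCP", 23))
    # A DENY appended after the ALLOW never fires for Boston (first match wins) ...
    rule_add("DENY", "telnet", "*", "localhost")                                  # rule 5
    r["telnet_boston_deny_after"] = evaluate(inbound(boston, "TCP", 23))
    rule_move(5, 4)   # ... until "fw.rule move 5 4" puts the DENY ahead of it.
    r["telnet_boston_deny_first"] = evaluate(inbound(boston, "TCP", 23))
    return r
```

Calling demo() returns the verdict and matching rule number for each constructed packet. Two points stand out: an inbound connection that no rule allows is dropped by the implicit default deny without any DENY rule being written, and a DENY rule added after an ALLOW for the same traffic has no effect until fw.rule move places it earlier, which is why the position of a new rule should be checked with fw.rule list rule after every add. The packet to TCP port 3852 is dropped even from the gateway itself because that port falls in the gap between the two TCP ranges that make up "common services".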


Using fw.services to manage the supplied services

The basic firewall application is shipped with a number of predefined network services, such as ftp, telnet, dns, and rsh, as well as predefined service groups.


Standard Services

Besides the basic services, every TCP/IP implementation provides services such as echo, discard, daytime, chargen, and time. Each service uses a state engine, a sort of protocol checker. For example, the FTP state engine checks port numbers when the ftp service is being used.


Service Groups

In addition to the basic services, the basic firewall application is shipped with predefined service groups. One such group is common services, which consists of tcp traffic on ports 0 to 3850 or ports 3855 to 65535, udp traffic on all ports, syslog, dns, rpc, nfs, icmp, route, ftp, rsh, real audio, pmap udp all, nis, archie, traceroute, and ping.

  • To list all services, type the following:


    # fw.services list

    Use this command with the option list service to list the available services and with the option list interface to list the interface that the firewall application is using.

  • To list the services with the service name, type the following:


    # fw.services list servicename

  • To delete the service with the service name, type the following:


    # fw.services delete servicename

  • To add a port, as root, type the following:


    # fw.services add NAME protocol port-number

    This command adds the service name using the protocol named on the port number specified. For example:


    # fw.services add MYSERVER TCP 30000

    adds a new service named MYSERVER that carries TCP traffic on port 30000. Once defined, MYSERVER can be referred to by name in an fw.rule command.



Firewall Troubleshooting

To avoid problems in configuring and using the iPlanet Portal Server firewall application, follow these suggestions:

  • Do not run the command fw.configure over the public interface (for example, from a remote login session that arrives on the gateway's Internet-facing interface). The rules it installs allow only the SSL port inbound on that interface and can cut off the session you are working in.

  • Run the command fw.rule list interface to see which network interface is currently enabled or is controlled by the iPlanet Portal Server firewall application.

  • Run the command fw.rule list rule to display a list of the current filtering rules.

  • If you are completely locked out, try one of the following:

    • Run the command fw.activate off to turn the iPlanet Portal Server firewall application off. While it is off it performs no filtering and all traffic passes through it unfiltered, so correct the rules and run fw.activate on again as soon as you can.

    • Run the command fw.rule add ALLOW "common services" from ALL to ALL to allow all traffic to pass through it. Once access is restored, find the number of this rule with fw.rule list rule and remove it with fw.rule delete.

  • With regard to the firewall application, disabled means that the firewall will pass all traffic through it unfiltered.


Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.

Last Updated May 04, 2000