Bob Conklin (United States) asked:
SSG50 Firewall Rules

Greetings Experts..
After many days of frustration I have turned to the best source of information I know...
I need some insight/help in getting the policies/rules for my firewall to work correctly. First, the order of rules, second, getting the traffic graphs to work and third, the order of application of the rules.
I have read the Juniper help articles and tried some things and have the firewall passing traffic but it is not working correctly.
This started after trying to create a VIP policy to allow access to my streaming server from the outside world, I can't seem to get that policy to work.
I also recall that there is supposed to be a rule that denies all traffic if there is no specific rule allowing that traffic to pass.
Any assistance would be greatly appreciated.
Thank you in advance..
Qlemo (Germany):

The question is vague and broad, so our answers have to be a bit superficial.

The default deny policy is invisible and implicit.

On SSG, policies are based on source and destination zone. The zone is based on routing info.
This means your VIP policy has to be (best) on top of Untrust to Trust. Source address is usually "any" (who wants to use this service?), the destination address "VIP (interface name)", service "any" or the specific VIP service.
The VIP definition itself is important, of course, but I assume you have set that one up correctly.
To provide better advice, we will need details and a straight question ;-)
Bob Conklin (asker):
Good snow morning Qlemo
Here are the current policies applied to this firewall...
Total regular policies 10, Default deny.
    ID From     To       Src-address  Dst-address  Service              Action State   ASTLCB
    17 Trust    Untrust  Any          Any          SNMP                 Permit enabled ----XX
    15 Trust    Untrust  Any          Any          POP3                 Permit enabled ----XX
    14 Trust    Untrust  Any          Any          HTTP-EXT             Permit enabled ----XX
    13 Trust    Untrust  Any          Any          DNS                  Permit enabled ----XX
    11 Trust    Untrust  Any          Any          TRACEROUTE           Permit enabled ----XX
    10 Trust    Untrust  Any          Any          FTP                  Permit enabled ----XX
     9 Trust    Untrust  Any          Any          HTTP                 Permit enabled ----XX
    19 Untrust  Trust    Any          Any          Live Stream          Permit enabled ---XXX
     8 Trust    Untrust  Any          Any          PING                 Permit enabled ----XX
    18 Trust    Untrust  Any          Any          ANY                  Permit enabled ----XX
XXX-XXX->  
The VIP is to allow live stream from a weather camera to be seen on my website. Currently it is using a custom service with a defined port specific to the software providing the stream. That port is 8125.
-Bob
Qlemo:
I assume you are talking about policy 19, "Live Stream".
Can you show the VIP definition (with obfuscated public IP, if visible)?
Did you map internal and external port different?
Did you try with "Logging at Session Beginning" active?
Bob Conklin (asker):
RMS-FW02-> get vip
Virtual IP      Interface      Port Service    Server/Port
Public IP    ethernet3      8125 Live Stream Localip/8125(OK)
RMS-FW02->
I did set logging at session beginning, at least I placed a check mark in the box :)
Here is a screen shot of the WebUI of the setting.
SSG50_1.JPG
Qlemo:
If eth0/3 is your WAN interface, that should work. The logging settings log both session initiation and session close, so you get the trial and real usage data (bytes and session lifetime).
The (OK) tells me that the port to Localip is open internally and responding.
So, do you get traffic logging entries if trying to access from your web page (or somewhere else outside of your LAN)? Even a telnet on port 8125 should be sufficient to see something in the logs.
Bob Conklin (asker):
Hi Qlemo
I can not connect to the streaming service from the outside world, eth0/3 is the untrusted WAN connection to my ISP. I do not see any entries in the log files for the policy nor do I see any traffic graphs.
For that matter, I have traffic graphing and logging set on all my policies and the only graph and log that shows any activity is policy #18.
I tried to telnet to the IP at port 8125 and got a time out error on the client and no log entry was generated on the firewall.
-Bob
Qlemo:
You only see traffic on policy id 18? That's very strange, as you certainly have DNS and HTTP traffic, and those policies are located first.
Do you see traffic you would expect to be covered by other policies (e.g. DNS) in #18's traffic log? The graph is not reliable.

Your telnet test, if performed from LAN, should show in #18 and #19.

There is no other device involved than the DVR, PCs and the SSG? No router the ISP supplied?
Bob Conklin (asker):
Yes it is indeed, very strange.....
My network flow is this...
1. DSL Modem provided by ISP
2. SSG50 Firewall (does dhcp for the LAN)
3. HP Procurve 1400-24G switch
4. Clients, NAS devices, WAPs, and the usual cast of characters

I rebooted the SSG50, and now I am getting logging on most of the policies, DNS, HTTP, POP3 etc but no traffic graphs except on 18. I did not see an entry for the telnet test on 18.  I understand your comment on the graphing being unreliable so I am ok with that.
I still see nothing on 19, possible that 19 needs to be moved in the list? (grasping at straws here)
Qlemo:
#19 is the only policy for Untrust to Trust so it does not matter where it displays in the CLI list.

I always have an inactive policy as the last one in each zone, denying and logging all traffic which I enable if I want to test for unmatched traffic. You can try that for Untrust to Trust.
Bob Conklin (asker):
I created a deny all policy on the Untrust to Trust segment...
    ID From     To       Src-address  Dst-address  Service              Action State   ASTLCB
    20 Untrust  Trust    Any          Any          ANY                  Deny   enabled ---X-X
    19 Untrust  Trust    Any          Any          Live Stream          Permit enabled ---XXX

Tried the telnet option, unsuccessful, and to open the live stream, also unsuccessful, no log entries on 19 or 20..
Qlemo:
You would have to look at #18 (Trust -> Untrust) and #20. #19 is located after #20 and will not get hit, because #20 is more generic and matches first.
I assume it is that way, but have to ask: eth0/3 has a public IP? If so, the ISP modem is really a modem only, and should not have any effect regarding port forwarding.

Do you have a single VIP, or more than one?
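The first-match rule Qlemo applies here (a catch-all deny listed above a specific permit in the same zone pair makes the permit unreachable) and the explicit final logging deny he suggested earlier can both be checked mechanically from the `get policy` table. The script below is an added example, not code from this thread or from Juniper: it parses the table as the SSG prints it, using the two tables posted above as sample input, and assumes that Any/ANY is the only wildcard (address groups and service groups are not expanded; the ASTLCB column is kept as printed and not decoded).

```python
"""Find shadowed policies and missing catch-alls in ScreenOS `get policy` output.

Added example, not from the thread. Within one source/destination zone pair
the firewall evaluates policies top to bottom and the first policy whose
source, destination and service cover the packet wins, so a broader policy
listed above a narrower one makes the narrower one dead.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: the two tables Bob pasted into the thread.
SAMPLE_BEFORE = """\
    ID From     To       Src-address  Dst-address  Service              Action State   ASTLCB
    17 Trust    Untrust  Any          Any          SNMP                 Permit enabled ----XX
    15 Trust    Untrust  Any          Any          POP3                 Permit enabled ----XX
    14 Trust    Untrust  Any          Any          HTTP-EXT             Permit enabled ----XX
    13 Trust    Untrust  Any          Any          DNS                  Permit enabled ----XX
    11 Trust    Untrust  Any          Any          TRACEROUTE           Permit enabled ----XX
    10 Trust    Untrust  Any          Any          FTP                  Permit enabled ----XX
     9 Trust    Untrust  Any          Any          HTTP                 Permit enabled ----XX
    19 Untrust  Trust    Any          Any          Live Stream          Permit enabled ---XXX
     8 Trust    Untrust  Any          Any          PING                 Permit enabled ----XX
    18 Trust    Untrust  Any          Any          ANY                  Permit enabled ----XX
XXX-XXX->
"""

SAMPLE_AFTER = """\
    ID From     To       Src-address  Dst-address  Service              Action State   ASTLCB
    20 Untrust  Trust    Any          Any          ANY                  Deny   enabled ---X-X
    19 Untrust  Trust    Any          Any          Live Stream          Permit enabled ---XXX
"""

# One table row. Service names may contain spaces ("Live Stream"), so the
# service column is matched lazily up to the action keyword.
ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<src_zone>\S+)\s+(?P<dst_zone>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<service>.+?)\s+"
    r"(?P<action>Permit|Deny|Reject|Tunnel)\s+(?P<state>enabled|disabled)\s+"
    r"(?P<flags>[-X]{6})\s*$"
)


@dataclass(frozen=True)
class Policy:
    id: int
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    service: str
    action: str
    enabled: bool
    flags: str  # raw ASTLCB column, not decoded here


def parse_policies(text: str) -> list[Policy]:
    """Return the policies in the order the firewall lists (and evaluates) them."""
    policies: list[Policy] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:  # header, prompt, blank or summary lines
            continue
        policies.append(Policy(
            id=int(m["id"]), src_zone=m["src_zone"], dst_zone=m["dst_zone"],
            src=m["src"], dst=m["dst"], service=m["service"].strip(),
            action=m["action"], enabled=m["state"] == "enabled", flags=m["flags"],
        ))
    return policies


def _covers(broad: str, narrow: str) -> bool:
    """Assumption: Any/ANY is the only wildcard; otherwise objects must be identical."""
    return broad.lower() == "any" or broad.lower() == narrow.lower()


def covers(a: Policy, b: Policy) -> bool:
    """True if every packet that matches b would already have matched a."""
    return (a.src_zone == b.src_zone and a.dst_zone == b.dst_zone
            and _covers(a.src, b.src) and _covers(a.dst, b.dst)
            and _covers(a.service, b.service))


def shadowed(policies: list[Policy]) -> list[tuple[int, int]]:
    """(shadowed_id, shadowing_id) for each enabled policy that an earlier
    enabled policy in the same zone pair fully covers."""
    seen: list[Policy] = []
    result: list[tuple[int, int]] = []
    for p in policies:
        if not p.enabled:
            continue
        for earlier in seen:
            if covers(earlier, p):
                result.append((p.id, earlier.id))
                break
        seen.append(p)
    return result


def zone_pairs_without_catchall(policies: list[Policy]) -> list[tuple[str, str]]:
    """Zone pairs whose last listed policy is not an any/any/ANY catch-all.
    The implicit default deny still applies there, but an explicit last deny
    with logging, as suggested in the thread, makes unmatched traffic visible."""
    last: dict[tuple[str, str], Policy] = {}
    for p in policies:
        last[(p.src_zone, p.dst_zone)] = p
    return sorted(pair for pair, p in last.items()
                  if not (_covers(p.src, "x") and _covers(p.dst, "x")
                          and _covers(p.service, "x")))


if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        pols = parse_policies(text)
        print(name, "shadowed:", shadowed(pols),
              "no catch-all:", zone_pairs_without_catchall(pols))
```

Run against the second table this reports policy 19 as shadowed by 20, which is exactly what Qlemo points out. On the firewall the remedy is to reorder rather than delete: in the ScreenOS CLI `set policy move 19 before 20`, then re-run `get policy` and confirm the specific permit is listed above the catch-all deny (the WebUI policy list offers the same move operation).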
Bob Conklin (asker):
You are correct, eth0/3 is my public IP supplied by my ISP. As far as I know the DSL modem is basically that, a modem. Prior to installing the SSG as my firewall I was using Smoothwall Express and port forwarding worked. That reinforces your theory that the modem has no effect on port forwarding. I will recheck the rules you mentioned looking for the telnet traffic and will retry the live stream looking deeper into the other log entries.
ASKER CERTIFIED SOLUTION
Qlemo (Germany)
This solution is only available to members of Experts Exchange.
Bob Conklin (asker):
Hi Qlemo
I apologize for not getting back sooner, with the 4 back to back snow storms burying my area, I have not been able to work on this. Hopefully this weekend I can do some more log work and if that proves unfruitful we can start to do some traffic tracing to see where this unit is dropping the port mapping.
Emergency surgery has caused this extended period of inactivity, I wish to close the question at this point in time and will open another thread when I am able to after recovery. The issue is still unresolved at this time.