The MA5616 filters data packets using the four firewall techniques listed in the following table.
| Technique | Function | Feature |
| --- | --- | --- |
| Firewall blacklist | A firewall blacklist filters data packets by source IP address. | Matching source IP addresses against a blacklist is simple, so packets are filtered quickly. However, because packets are filtered on a single criterion (the source address), the technique lacks flexibility. |
| Firewall blacklist combined with advanced access control list (ACL) rules | Combining a firewall blacklist with advanced ACL rules lets the MA5616 further filter packets from blacklisted sources according to the advanced ACL rules. | Data packets are filtered first by the firewall blacklist and then by advanced ACL rules, so the filter rules can be configured flexibly. |
| ACL-based packet filtering firewall | An ACL-based packet filtering firewall checks data packets at the network layer and forwards or discards them according to the security policy. | Advantage: more flexible configuration and better filtering capability than a firewall blacklist. Disadvantages: packet filtering performance deteriorates sharply as ACL complexity increases. The MA5616 does not track session state or inspect packet payloads, so this filtering is vulnerable to IP spoofing attacks. |
| Unauthorized login prevention | The MA5616 prevents unauthorized logins by configuring the IP address segments that the firewall permits or denies for specified protocol types. | N/A |
Procedure
1. Configure a firewall blacklist.
a. Run the firewall blacklist item command to add source IP addresses to the firewall blacklist.
The data packet carrying a source IP address in the firewall blacklist is considered to be untrustworthy.
b. Run the firewall blacklist enable command to enable the firewall blacklist.
2. Configure a combination of a firewall blacklist and advanced ACL rules.
a. Run the firewall blacklist item command to add source IP addresses to the firewall blacklist.
b. Configure advanced ACL rules to filter data packets that carry a source IP address specified in the blacklist.
1) Run the acl command to create an ACL. The firewall blacklist only supports an advanced ACL ranging from 3000 to 3999.
2) Run the rule(adv acl) command to create an advanced ACL rule.
3) Run the quit command to return to global config mode.
c. Run the firewall blacklist enable acl-number acl-number command to enable the firewall blacklist and apply the advanced ACL rule to packets that carry a source IP address specified in the blacklist.
3. Configure an ACL-based packet filtering firewall.
a. Run the acl command to create an ACL. The packet filtering firewall supports basic ACLs (2000 to 2999) and advanced ACLs (3000 to 3999).
b. Run the rule command to create an ACL rule.
1) Run the rule(basic acl) command to create a basic ACL rule.
2) Run the rule(adv acl) command to create an advanced ACL rule.
c. Run the quit command to return to global config mode.
d. To configure a firewall filtering rule for a METH port, run the interface meth command to enter METH mode. To configure a firewall filtering rule for a VLAN interface, run the interface vlanif command to enter VLAN interface mode.
e. Run the firewall packet-filter command to apply the firewall filtering rule to the interface.
Note:
When you run the firewall packet-filter command to activate an ACL, the MA5616 software determines the priority of the ACL sub-rules. The earliest-configured ACL sub-rules have the highest priorities.
f. Run the firewall default command to configure a packet filtering rule for packets that do not match any ACL rule.
g. Run the firewall enable command to enable the firewall function for ACL-based packet filtering. The firewall is disabled by default.
h. ACL-based packet filtering takes effect on a port only after the firewall function is enabled.
4. Configure a permitted or denied IP address segment to prevent unauthorized logins.
The system supports a management channel firewall. To prevent a management terminal with an unauthorized IP address from logging in to the system, configure the management channel firewall. Then only management terminals with authorized IP addresses can log in to the system.
The system also supports a firewall for SNMP packets. To prevent SNMP packets from unauthorized IP addresses from accessing the system, configure the firewall for SNMP packets. Then only SNMP packets from authorized IP addresses can access the system.
a. Run the sysman ip-access command to configure an IP address segment that is permitted to connect to the MA5616 through Telnet, Secure Shell (SSH), or Simple Network Management Protocol (SNMP).
b. Run the sysman ip-refuse command to configure an IP address segment that is not permitted to connect to the MA5616 through Telnet, SSH, or SNMP.
c. Run the sysman firewall protocol-type enable command to enable the firewall function based on the protocol type (Telnet, SSH, or SNMP). The protocol-based firewall is disabled by default.
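The following Python model is an added illustration written for this page, not Huawei code: it mirrors the decision order the four techniques above describe (blacklist, blacklist refined by an advanced ACL, interface packet filter with the earliest-configured sub-rule winning, the firewall default action, and the sysman management-channel check) so the semantics can be exercised on constructed packets. The matching fields of a rule, the choice that a blacklisted packet matching no ACL rule is dropped, and the choice that an ip-refuse segment overrides an ip-access segment are assumptions of the model, not statements about the device.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Set


@dataclass
class Packet:                       # constructed test input, not a real capture
    src: IPv4Address
    dst: IPv4Address
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str                                 # "permit" or "deny"
    source: Optional[IPv4Network] = None        # None matches any source
    proto: str = "ip"                           # "ip" matches every protocol (assumed field set)
    dest: Optional[IPv4Network] = None          # advanced ACL only
    dport: Optional[int] = None                 # advanced ACL only

    def matches(self, p: Packet) -> bool:
        return ((self.source is None or p.src in self.source)
                and (self.proto == "ip" or self.proto == p.proto)
                and (self.dest is None or p.dst in self.dest)
                and (self.dport is None or self.dport == p.dport))


class Acl:
    """Basic ACLs are 2000-2999 (source address only), advanced ACLs 3000-3999."""
    def __init__(self, number: int):
        if not 2000 <= number <= 3999:
            raise ValueError("ACL number must be 2000-3999")
        self.number = number
        self.rules: List[Rule] = []             # configuration order is priority order

    @property
    def advanced(self) -> bool:
        return self.number >= 3000

    def rule(self, r: Rule) -> "Acl":
        if not self.advanced and (r.proto != "ip" or r.dest is not None or r.dport is not None):
            raise ValueError("basic ACL rules filter by source address only")
        self.rules.append(r)
        return self

    def lookup(self, p: Packet) -> Optional[str]:
        for r in self.rules:                    # earliest-configured sub-rule wins
            if r.matches(p):
                return r.action
        return None                             # no match: the caller applies its default


class Firewall:
    def __init__(self):
        self.blacklist: Set[IPv4Address] = set()    # firewall blacklist item
        self.blacklist_on = False                   # firewall blacklist enable
        self.blacklist_acl: Optional[Acl] = None    # firewall blacklist enable acl-number
        self.packet_filter: Optional[Acl] = None    # firewall packet-filter (one interface modelled)
        self.default = "permit"                     # firewall default
        self.enabled = False                        # firewall enable (disabled by default)

    def enable_blacklist(self, acl: Optional[Acl] = None) -> None:
        if acl is not None and not acl.advanced:
            raise ValueError("the blacklist accepts only advanced ACLs 3000-3999")
        self.blacklist_on, self.blacklist_acl = True, acl

    def decide(self, p: Packet) -> str:
        if self.blacklist_on and p.src in self.blacklist:
            if self.blacklist_acl is None:
                return "deny"                   # technique 1: untrusted source, dropped
            # technique 2: the advanced ACL refines the verdict; a blacklisted packet
            # that matches no rule is dropped (assumption of this model)
            return self.blacklist_acl.lookup(p) or "deny"
        if not self.enabled or self.packet_filter is None:
            return "permit"                     # technique 3 is not active on this interface
        return self.packet_filter.lookup(p) or self.default


class ManagementChannel:
    """sysman ip-access / sysman ip-refuse / sysman firewall <protocol> enable."""
    def __init__(self):
        self.access: Dict[str, List[IPv4Network]] = {}
        self.refuse: Dict[str, List[IPv4Network]] = {}
        self.enabled: Set[str] = set()

    def ip_access(self, proto: str, net: IPv4Network) -> None:
        self.access.setdefault(proto, []).append(net)

    def ip_refuse(self, proto: str, net: IPv4Network) -> None:
        self.refuse.setdefault(proto, []).append(net)

    def firewall_enable(self, proto: str) -> None:
        self.enabled.add(proto)

    def login_allowed(self, proto: str, src: IPv4Address) -> bool:
        if proto not in self.enabled:
            return True                         # protocol-based firewall is off by default
        if any(src in n for n in self.refuse.get(proto, [])):
            return False                        # assumption: a refused segment wins
        return any(src in n for n in self.access.get(proto, []))


def demo() -> Dict[str, str]:
    """Constructed configuration exercising techniques 1 to 3."""
    fw = Firewall()
    fw.blacklist.add(IPv4Address("203.0.113.9"))
    # technique 2: the blacklisted host may still reach TCP/443 and nothing else
    fw.enable_blacklist(Acl(3001).rule(Rule("permit", proto="tcp", dport=443)))
    # technique 3: the first-configured rule wins; anything unmatched hits the default
    fw.packet_filter = (Acl(3002)
                        .rule(Rule("permit", IPv4Network("10.0.0.0/24"), "tcp", dport=22))
                        .rule(Rule("deny", IPv4Network("10.0.0.0/24"))))
    fw.default, fw.enabled = "deny", True
    dst = IPv4Address("10.0.0.1")
    return {
        "blacklisted_https": fw.decide(Packet(IPv4Address("203.0.113.9"), dst, "tcp", 443)),
        "blacklisted_ssh": fw.decide(Packet(IPv4Address("203.0.113.9"), dst, "tcp", 22)),
        "lan_ssh": fw.decide(Packet(IPv4Address("10.0.0.5"), dst, "tcp", 22)),
        "lan_udp": fw.decide(Packet(IPv4Address("10.0.0.5"), dst, "udp", 53)),
        "unknown_src": fw.decide(Packet(IPv4Address("198.51.100.7"), dst, "tcp", 22)),
    }


def management_demo() -> Dict[str, bool]:
    """Constructed sysman configuration exercising technique 4."""
    mc = ManagementChannel()
    mc.ip_access("ssh", IPv4Network("192.0.2.0/24"))
    mc.ip_refuse("ssh", IPv4Network("192.0.2.128/25"))
    mc.firewall_enable("ssh")
    return {
        "ssh_allowed": mc.login_allowed("ssh", IPv4Address("192.0.2.10")),
        "ssh_refused": mc.login_allowed("ssh", IPv4Address("192.0.2.200")),
        "ssh_outside": mc.login_allowed("ssh", IPv4Address("203.0.113.1")),
        "telnet_not_enforced": mc.login_allowed("telnet", IPv4Address("203.0.113.1")),
    }
```

Two points the model makes visible: ordering matters, since the permit for TCP/22 from 10.0.0.0/24 only works because it is configured before the broader deny for the same segment; and every decision is taken purely from the packet's own source address, so a packet that forges a source inside 10.0.0.0/24 or 192.0.2.0/24 is permitted exactly like a genuine one, which is the IP-spoofing weakness the table above notes. Note also that the management-channel check in `management_demo` only constrains protocols for which `sysman firewall ... enable` has been run; the Telnet lookup passes because that protocol was left at its default, disabled, state.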