
Access point Xedia /cbq

Status
Not open for further replies.

koshu (ISP), IN, Apr 18, 2002
Hello group,

We have an Access Point, and we have now terminated Internet bandwidth on it. Now I want to filter all traffic coming from the Blaster worm, which is TCP/UDP ports 135, 4444, 445, 593, etc. Other traffic should pass through the WAN port. Can somebody help me in configuring this? I will be highly grateful.

Thanks a ton,
Kaushalender
 
First of all, you must check that some CBQ instance is stacked with a network interface (WAN or Ethernet). You can do this by typing the command: status.
It should look like:
1|slot.1.1 Tcom4 T1 Driver enabled up |
2|slot.1.1 cbq.1 enabled up |
3|slot.1.1 t1.1 disabled up |
4|slot.1.1 frame-relay.1 enabled up |
5|slot.1.1 ip.1 enabled up |


The next step is to check that the root classes are enabled, so try typing the command:
> show cbq.1 traffic-class-tree summary

If you see <none>, try to activate the root classes by typing:
> remove cbq.1 traffic-class.*
Removing cbq.1 root-input-tree
Succeeded.
Removing cbq.1 root-output-tree
Succeeded.

In this example, only disabled root classes have been deleted, but it is important not to enable some unknown classes, because you can block some important traffic. So, I recommend completely cleaning up the CBQ.
Next, enable the basic root classes:
> config cbq.1 traffic-class.root-input-tree parent input row-status active
Creating class root-input-tree on cbq.1
> config cbq.1 traffic-class.root-output-tree parent output row-status active
Succeeded. Value(s) set to:
Creating class root-output-tree on cbq.1.

Now, the output of the tree command should look like:
> show cbq.1 traffic-class-tree

CBQ.1 TRAFFIC-CLASS-TREE

INTERFACE| ROW|Class Hierarchy |
cbq.1| 1|root-input-tree Rate=0 |
cbq.1| 2|root-output-tree Rate=0 |

If the bandwidth, like in this example, is 0, try to set the defaults manually:
> config cbq.1 traffic-class.* max-bandwidth 100000000
Configuring cbq.1 root-input-tree
Succeeded.
Configuring cbq.1 root-output-tree
Succeeded.
2 component(s) requested to be configured
2 component(s) configured

From this moment, you have an active and working CBQ, so be careful what kind of class you define, so as not to drop some important traffic.

Now we can configure your simple firewall:
1. Define default classes that pass all traffic. The name suffix and the step order are important. Default classes are always placed at the end of each level of the tree.
> add cbq.1 traffic-class.cbq1-in-default parent root-input-tree
Succeeded. Value(s) set to:
root-input-tree createAndGo
> add cbq.1 traffic-class.cbq1-out-default parent root-output-tree
Succeeded. Value(s) set to:
root-output-tree createAndGo
2. Then you can safely define any other classes, e.g. to block dangerous ports on input:
> add cbq.1 traffic-class.block-in-blaster parent root-input-tree protocols udp,tcp dest-ports 135,4444,445,593 bandwidth-allocation 0 bounded true
Succeeded. Value(s) set to:
root-input-tree udp,tcp 135,4444,445,593 0 true createAndGo

You can define similar classes for src-ports and for output (just change the parent to root-output-tree). When you have more experience, try to use more levels (e.g. create a class to filter all TCP and UDP traffic, and a lower-level class to block some ports and allocate some bandwidth to Layer-7 applications such as HTTP).
It is also good practice to limit traffic for information services like DNS (protocol tcp,udp dst-port 53) or ICMP (protocol icmp). For ICMP you can also block some commands (leave only ECHO-REQUEST, ECHO-RESPONSE and ICMP-REDIRECT).
It will protect your system from Denial-of-Service attacks.

I hope this is not too much for now and that it will help you.
If you have some trouble defining CBQ, don't hesitate to contact me.

Regards,
Peter
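The class-tree matching described in the answer above, modelled in Python as an added example to sanity-check the rule set before it goes on a live WAN interface. This is not Xedia code: the first-match-wins order, the "-default suffix goes last on each level" rule and the reading of "bandwidth-allocation 0 bounded true" as a drop are assumptions taken from the answer, and the sample packets are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class TrafficClass:
    """One CBQ traffic-class row as added with 'add cbq.1 traffic-class.<name> ...'."""
    name: str
    parent: str
    protocols: set = field(default_factory=set)   # empty set = any protocol
    dest_ports: set = field(default_factory=set)  # empty set = any dest port
    src_ports: set = field(default_factory=set)   # empty set = any source port
    bandwidth_allocation: Optional[int] = None    # None = not restricted
    bounded: bool = False

    def matches(self, proto: str, sport: int, dport: int) -> bool:
        return ((not self.protocols or proto in self.protocols)
                and (not self.dest_ports or dport in self.dest_ports)
                and (not self.src_ports or sport in self.src_ports))

# The classes from the answer, in the order they were added (default first).
INPUT_TREE = [
    TrafficClass("cbq1-in-default", "root-input-tree"),
    TrafficClass("block-in-blaster", "root-input-tree",
                 protocols={"udp", "tcp"}, dest_ports={135, 4444, 445, 593},
                 bandwidth_allocation=0, bounded=True),
]

def classify(classes, root: str, proto: str, sport: int, dport: int):
    """Walk one level of the tree under `root`: the first matching class wins.
    Any class whose name ends in -default is moved to the end of the level,
    mirroring the 'default classes always at the end' rule (assumption)."""
    level = [c for c in classes if c.parent == root]
    level.sort(key=lambda c: c.name.endswith("-default"))  # stable sort: defaults last
    for c in level:
        if c.matches(proto, sport, dport):
            # A bounded class with zero allocation can never send, so the packet is dropped.
            drop = c.bounded and c.bandwidth_allocation == 0
            return c.name, ("drop" if drop else "pass")
    return None, "unclassified"  # no default on this level: device behaviour not covered here

if __name__ == "__main__":
    # Constructed sample packets: Blaster-style RPC/backdoor ports plus ordinary traffic.
    for pkt in [("tcp", 40000, 135), ("udp", 1024, 4444), ("tcp", 40000, 80), ("icmp", 0, 0)]:
        print(pkt, "->", classify(INPUT_TREE, "root-input-tree", *pkt))
```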
 