
IP Office Custom Firewall Profile Entry 1

Status
Not open for further replies.

bscolo

IS-IT--Management
Mar 7, 2013
US
I'm having difficulty with HEX notation of the custom firewall entries. I need to allow UDP 5060 through in both directions. It is my understanding that I would need to use the following:

IP Protocol: 17
Match Offset: 16
Match Length: 2
Match Data: 13C4
Match Mask: FFFF

However, it does not let me enter the Data and Mask values without adding additional 0's at the end, which changes the HEX value altogether. Can someone tell me what I'm doing wrong? Thanks in advance!
 
Don't use the IPO firewall and use a decent firewall!
The IPO does not have a good firewall.


BAZINGA!

I'm not insane, my mother had me tested!

 
Thanks but I'm not really looking for opinions on the quality of the IPO firewall but instead how to properly use it. We have a hardware firewall already but I would still like to utilize the software firewall so that the IPO is not wide open on the LAN either.
 
Since no one here really uses it and it's a total nightmare to configure,

this is all the help you get:

Firewall | Custom


The tab lists custom firewall settings added to the firewall profile. The Add, Edit and Remove controls can be used to amend the settings in the list.



Usability

· Standalone: Small Office Edition , IP403 , IP406 V1 , IP406 V2 , IP412 , IP500 , IP500 V2 .

· IP Office Server Edition: IP Office Server Edition Primary Server , IP Office Server Edition Secondary Server , IP Office Server Edition Expansion System (L) , IP Office Server Edition Expansion System (V2) .

· Release: 1.0+.

· Mergeable: These settings are mergeable. Changes to these settings do not require a reboot of the system.



Configuration Settings

· Notes
For information only. Enter text to remind you of the purpose of the custom firewall record.

· Remote IP Address
The IP address of the system at the far end of the link. Blank allows all IP addresses.

· Remote IP Mask
The mask to use when checking the Remote IP Address. When left blank no mask is set, equivalent to 255.255.255.255 - allow all.

· Local IP Address
The address of devices local to this network (pre-translated). Blank allows all IP addresses.

· Local IP Mask
The mask to use when checking the Local IP Address. When left blank no mask is set, equivalent to 255.255.255.255 - allow all.

· IP Protocol
The value entered here corresponds to the IP Protocol which is to be processed by this Firewall profile: 1 for ICMP, 6 for TCP, 17 for UDP or 47 for GRE. This information can be obtained from the "pcol" parameter in a Monitor trace.

· Match Offset
The offset into the packet (0 = first byte of IP packet) where checking commences for either a specific port number, a range of port numbers, or data.

· Match Length
The number of bytes to check in the packet, from the Match Offset point, that are checked against the Match Data and Match Mask settings.

· Match Data
The values the data must equal once masked with the Match Mask. This information can be obtained from the "TCP Dst" parameter in a Monitor trace (the firewall uses hex, so a port number of 80 is 50 in hex).

· Match Mask
This is the byte pattern, which is logically ANDed with the data in the packet from the offset point. The result of this process is then compared against the contents of the "Match Data" field.

· Direction
The direction that data may take if matching this filter.

Drop
All matching traffic is dropped.

In
Incoming traffic can start a session.

Out
Outgoing traffic can start a session.

Both Directions
Both incoming and outgoing traffic can start sessions.




Example Custom Firewall Records

Example: Dropping NetBIOS searches on an ISPs DNS

We suggest that the following filter is always added to the firewall facing the Internet to avoid costly but otherwise typically pointless requests from Windows machines making DNS searches on the DNS server at your ISP.

· Direction: Drop

· IP Protocol: 6 (TCP)

· Match Offset: 20

· Match Length: 4

· Match Data: 00890035

· Match Mask: FFFFFFFF



Example: Browsing Non-Standard Port Numbers

The radio button for HTTP permits ports 80 and 443 through the firewall. Some hosts use non-standard ports for HTTP traffic, for example 8080, 8000, 8001, 8002, etc. You can add individual filters for these ports as you find them.

If you wish to access a web page but cannot because it uses TCP port 8000 instead of the more usual port 80, use the entry below.

· Direction: Out

· IP Protocol: 6 (TCP)

· Match Offset: 22

· Match Length: 2

· Match Data: 1F40

· Match Mask: FFFF



A more general additional entry given below allows all TCP ports out.

· Direction: Out

· IP Protocol: 6 (TCP)

· Match Offset: 0

· Match Length: 0

· Match Data: 00000000000000000000000000000000

· Match Mask: 00000000000000000000000000000000



Example: Routing All Internet Traffic through a WinProxy

If you wish to put WinProxy in front of all Internet traffic via the Control Unit, the following firewall allows only the WinProxy server to contact the Internet:

1. Create a new Firewall profile and select Drop for all protocols

2. Under Custom create a new Firewall Entry

3. In Notes enter the name of the server allowed. Then use the default settings except in Local IP Address enter the IP address of the WinProxy Server, in Local IP Mask enter 255.255.255.255 and in Direction select Both Directions.



Stopping PINGs

You wish to stop pings; this is ICMP filtering. Using the data below you can create a firewall filter that performs one of the following: Trap Pings; Trap Ping Replies; Trap Both.

· Trap Pings: Protocol = 1, offset = 20, data = 08, mask = FF

· Trap Ping Replies: Protocol = 1, offset = 20, data = 00, mask = FF

· Trap Both: Protocol = 1, offset = 20, data = 00, mask = F7





ACSS - SME
General Geek



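The manual text above defines a custom entry purely in terms of IP Protocol, Match Offset, Match Length, Match Data and Match Mask, and the original question (UDP 5060 as 13C4 at offset 16, plus the forced trailing zeros) hinges on what those fields do. The following Python model is an added example, not Avaya code and not taken from this thread: it implements the documented semantics (take Match Length bytes at Match Offset from the first byte of the IP packet, AND with the mask, compare with the data) against constructed IPv4/UDP/TCP/ICMP packets, and checks the manual's own NetBIOS/DNS, port 8000 and ping entries. Two assumptions are built in and labelled in the code: the IP header has no options (IHL = 5, 20 bytes), which is what the manual's offsets 20 and 22 presuppose; and only the first Match Length bytes of Match Data and Match Mask take part in the comparison, so filler zeros beyond that length do not alter the match. With a 20-byte IP header, offset 16 lands in the IPv4 destination address, not in the UDP header; the UDP source port sits at offset 20 and the destination port at offset 22.

```python
"""Model of an IP Office custom firewall entry (IP Protocol, Match Offset,
Match Length, Match Data, Match Mask) as described in the manual text.

Added example, not Avaya code. Assumptions (not from the manual):
  * IPv4 header without options (IHL = 5, 20 bytes), as offsets 20/22 imply;
  * only the first Match Length bytes of Match Data / Match Mask are compared,
    so trailing filler zeros in those fields do not change the result.
"""
import struct


def port_hex(port):
    """Port number as the 2-byte big-endian hex string the firewall fields expect."""
    return f"{port:04X}"


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def ipv4_header(proto, payload_len, src="192.0.2.10", dst="198.51.100.20"):
    """20-byte IPv4 header, no options; checksum left zero (not checked here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       0x4000, 64, proto, 0, _ip(src), _ip(dst))


def udp_packet(sport, dport, payload=b""):
    """Constructed IPv4/UDP packet (e.g. a SIP request to port 5060)."""
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ipv4_header(17, len(hdr) + len(payload)) + hdr + payload


def tcp_packet(sport, dport):
    """Constructed IPv4/TCP SYN, 20-byte TCP header, no options."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return ipv4_header(6, len(hdr)) + hdr


def icmp_packet(icmp_type, code=0):
    """Constructed IPv4/ICMP packet: type, code, checksum, id, sequence."""
    hdr = struct.pack("!BBHHH", icmp_type, code, 0, 0, 0)
    return ipv4_header(1, len(hdr)) + hdr


def matches(packet, ip_protocol, offset, length, match_data, match_mask):
    """True if the packet hits this entry: protocol equal and
    packet[offset:offset+length] AND mask == data."""
    if packet[9] != ip_protocol:            # IPv4 protocol field at byte 9
        return False
    if length == 0:                          # the manual's 'all TCP ports out' entry
        return True
    # Assumption: bytes beyond Match Length in Data/Mask are ignored.
    data = bytes.fromhex(match_data)[:length].ljust(length, b"\x00")
    mask = bytes.fromhex(match_mask)[:length].ljust(length, b"\x00")
    window = packet[offset:offset + length]
    if len(window) < length:
        return False
    return bytes(b & m for b, m in zip(window, mask)) == data


# Header layout for a 20-byte IPv4 header, so an offset can be named.
IPV4_FIELDS = [(0, 1, "IPv4 version/IHL"), (1, 2, "IPv4 TOS"),
               (2, 4, "IPv4 total length"), (4, 6, "IPv4 identification"),
               (6, 8, "IPv4 flags/fragment offset"), (8, 9, "IPv4 TTL"),
               (9, 10, "IPv4 protocol"), (10, 12, "IPv4 header checksum"),
               (12, 16, "IPv4 source address"), (16, 20, "IPv4 destination address")]
L4_FIELDS = {
    17: [(20, 22, "UDP source port"), (22, 24, "UDP destination port"),
         (24, 26, "UDP length"), (26, 28, "UDP checksum")],
    6: [(20, 22, "TCP source port"), (22, 24, "TCP destination port"),
        (24, 28, "TCP sequence number")],
    1: [(20, 21, "ICMP type"), (21, 22, "ICMP code")],
}


def field_at(offset, ip_protocol):
    """Name of the header field a Match Offset lands in (IP header without options)."""
    for lo, hi, name in IPV4_FIELDS + L4_FIELDS.get(ip_protocol, []):
        if lo <= offset < hi:
            return name
    return "beyond the modelled headers"


if __name__ == "__main__":
    sip = udp_packet(49152, 5060)            # ephemeral source port, SIP destination port
    print("offset 16 is", field_at(16, 17))  # IPv4 destination address
    print("offset 22 is", field_at(22, 17))  # UDP destination port
    print("5060 in hex:", port_hex(5060))    # 13C4
    print("offset 16 matches:", matches(sip, 17, 16, 2, "13C4", "FFFF"))
    print("offset 22 matches:", matches(sip, 17, 22, 2, "13C4", "FFFF"))
    print("with filler zeros:", matches(sip, 17, 22, 2, "13C40000", "FFFF0000"))
```

The ping entries from the manual fall out of the same model: ICMP echo request is type 8 (binary 00001000) and echo reply is type 0, so a mask of F7 clears the single bit that distinguishes them and both compare equal to 00, while other ICMP types such as 3 (destination unreachable) still fail the comparison.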
 
The IPO firewall will not do what you require.
It is only used to restrict data between various networks on the IPO,
data LAN2 > LAN1 or data to an IP Office data service.
It will not stop a PC on the data network connecting to the IPO.

A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear
 
The firewall can only be used on LAN2, which is named WAN. Applications should only be used on LAN1, so you cannot use the IP Office firewall to control LAN traffic.

A simple mind delivers great solutions
 
The PC LAN is LAN2 and the phones are on a separate VLAN (to segregate traffic) on LAN1 so this configuration will work and it does when I don't use the firewall policy. I already have the manual so cutting and pasting it here is not much help. It seems to me that no one really knows how to use this, not that it shouldn't be used. I'll keep looking, thanks.
 
Seems you're the expert.... but I doubt the IP Office is doing the routing for you; if it is, that's also a bad idea (and not actually a VLAN, just a different subnet) :)


Avaya Implementation Qualified Professional Specialist Technical Engineer (AIQPSTE)
 
I'm no expert, which is why I'm on here, but I'm not looking for commentary and analysis of the setup, just a better understanding of the feature and how to properly use it. It seems to me that the difficulty around configuring the firewall policy is the reason people do not use it and not because it doesn't work. I don't mean to sound unappreciative, but cutting and pasting manual entries or telling me not to do something without providing some sort of documentation as to why do not seem to be good community forum policy.

You are correct, the phones are on a separate subnet from the computer and routing to that subnet is provided by the IPO. Everything works fine until I enable the default firewall policy. I just need a better understanding of how to properly open ports.
 
As mentioned, no one here uses the firewall feature, for the very issue you are having. It's ineffective and difficult to implement.

You are better off investing in some other form of firewall. A Cisco ASA or such like might be a better bet and less painful and cheaper in the long run.

ACSS - SME
General Geek



 
But what they are trying to tell you is the firewall is only relevant if the IP Office is actually passing the traffic THROUGH itself between the PC subnet and the Voice subnet i.e acting as the router. Having the LAN port plugged into one VLAN and the WAN/LAN2 port plugged in the other is not the same thing and will not in fact use the firewall rules even if you manage to add them :)


Avaya Implementation Qualified Professional Specialist Technical Engineer (AIQPSTE)
 
It IS passing traffic between the two networks. The Internet is only available on the PC LAN.
 
Why are you routing traffic through the IPO?

Leave the networks independent. LAN1 for Data, and LAN2 for voice. No need to NAT or firewall?

Perhaps I'm having a late Friday moment, but I'm not even sure what you are trying to do.

ACSS - SME
General Geek



 
No, it is not passing traffic between the two networks, it is simply connected to both. Let's say the PCs are on Network A and the handsets on Network B. Only if the router connected to the Internet was on Network B, with the PCs using the IP Office's port in Network A as the default gateway, would that be true. I am willing to bet that isn't the case; even if it was, the firewall would only apply if you were trying to connect to the IP Office's port connected to Network B from a PC on Network A, and this is also not the case I would wager :)


Avaya Implementation Qualified Professional Specialist Technical Engineer (AIQPSTE)
 
Putting voice on LAN1 and data (applications) on LAN2 is a bad idea and Avaya does not advise you to do so.
This is because the system is designed for data on LAN1 and voice and voice trunks on LAN2 (they don't name it WAN for no reason).
The Avaya firewall is intended for use if NAT over LAN2 is used. The design intent for this is to use LAN1 as the data LAN with the IPO as the default router there and connect the Internet to LAN2 with NAT and firewall enabled.
I don't see any customer wanting to do so, as they have better equipment than a telecom switch for routing and firewalling (even at my home I have more reliable equipment).

A simple mind delivers great solutions
 
interesting to see someone using this. I remember my first ever IPO training course, we were told to delete the entry that was in there and never look at it again :)

APSS/ACIS/ACSS-SME
not arrogant, just succinct.
 
bscolo - a couple of the people who are responding to your questions are undoubtedly the best there is out there... no gratuitous flattery intended... if they say don't do it, looking elsewhere will be a waste of your time. They are better than the support you will get from Avaya directly that you pay lots of money for. Not telling you what to do, just an impartial opinion.
 
Understood, we added back in a router and put the IPO in a DMZ.
 
Wise and a lot better

A simple mind delivers great solutions
 