Question on rules (filters) on Contivity 1100

Status
Not open for further replies.

DamFam

IS-IT--Management
Sep 20, 2006
32
CA
Hello,

I am trying to set up a transparent web proxy behind a Contivity 1100.

I have put a filter in place stating that port 80 is denied for all going OUT.

I want to now allow JUST the IP of the web proxy to access port 80, without giving anyone else access.

I've tried:

- A filter allowing the IP of the web proxy to access port 80, listed BEFORE and AFTER the "deny all" port 80 filter. (tried it both ways)

- A filter allowing the IP of the web proxy wide open access (any) and listed it BEFORE and AFTER the "deny all" port 80 filter. (tried it both ways)

In all 4 scenarios, web access is still blocked from the IP of the web proxy. It seems that regardless of the position in the filter list, the "deny all" port 80 filter gets priority.

So, what can I do here, or what am I doing wrong?

To reiterate, I want to deny ALL access to port 80, with the exception of the one computer (the web proxy).

Thanks!
 
I'm not 100% sure but don't the IP masks on the filters use inverse masks?

If you wanted to create a filter for a class C network you would need to use 0.0.0.255 instead of 255.255.255.0.

Perhaps that's your problem.

Cheers!
 
Thanks for the reply. I tried that, with the same result.

Another possibility - On the Contivity 1100, is it possible to set a single PC in a DMZ? That would work as well. I've looked through it, and so far come up with nothing.
 
I was also assuming that you're setting up a filter to allow ALL established traffic back through the interface (we are talking about an interface filter, right, with the 1100 acting as a router?).

If you allow 80 outbound from 1.1.1.1, you'll need to allow all established inbound to 1.1.1.1.

If you have the Advanced License you can use the stateful firewall, in which case you don't need to set up a filter to allow the returning (established) traffic back through.

Cheers!
 
There is already a "permit all in" filter applied to the interface, so that should take care of that requirement, I would think.

It seems like all packets get applied against all filters, rather than stopping at the first match, which is contrary to what I am used to when dealing with firewall rules/filters.

Normally the first rule/filter match is the one that gets applied to the packet. In this case, it doesn't seem to matter what order they are in, all packets get applied to all filters - which, quite frankly, is pretty annoying.
 
The filters work on a first match rule so the order is important.

I assume you are configuring interface filters rather than tunnel filters as you haven't mentioned VPNs.

Have you added the filters you created to the interface you want them on? They are added under the "LAN interfaces" screen.
 
Thanks Andy

The "permit all" filter is in use, applied to my LAN interface.

I am adding the rules to that filter.

The first rule in the filter is "permit all in"
Then there is a "deny http out" rule I created, blocking port 80
then there is a "permit all out" after that rule.


I created rules allowing ALL traffic in, and ALL traffic out to/from the IP of my web filter, and placed those rules ahead of the "deny http out" rule - but port 80 traffic is still blocked unless the "deny http out" rule is removed.

There are other rules in the filter in regards to SMTP and other items, but nothing else that would have any effect on http traffic.
 
Have you got the filters the right way round?

For inbound filters the address field is a destination address, for outbound it is a source address.

As such, to allow from proxy to port 80 you can only use an outbound filter. Apply it to the incoming interface from the proxy.

outbound filter "allow IP <proxy IP address> HTTP"

 
Hi Andy,

Thanks again

Yes, I think I understand correctly.

Rule called "allow proxy" is as follows:

outbound
allow ip 10.x.x.x (ip of the web proxy)
protocol TCP
Port 80
as for the established or "don't care", I leave it at "don't care"

I put this new rule ahead of the "deny all port 80" rule, within the "permit all" filter, which is applied to the LAN interface.

Web access from the proxy is still denied.
 
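A first-match model of the interface filter discussed in this thread, written as an added example (not code from the thread or from the Contivity software). It assumes Andy's address semantics (an inbound rule's address field is compared with the destination, an outbound rule's with the source), a default deny when no rule matches, and a constructed proxy address 10.0.0.5 standing in for the 10.x.x.x in the thread; it shows that under first-match evaluation the proxy exception only takes effect when it sits ahead of the "deny http out" rule.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    direction: str                  # "in" or "out"
    action: str                     # "permit" or "deny"
    address: Optional[str] = None   # None = any; compared per Andy's note in rule_matches
    proto: Optional[str] = None     # None = any protocol
    port: Optional[int] = None      # None = any destination port

@dataclass
class Packet:
    direction: str
    src: str
    dst: str
    proto: str
    dport: int

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    # Andy's semantics: inbound rules compare the address field against the
    # destination, outbound rules compare it against the source.
    addr = pkt.dst if rule.direction == "in" else pkt.src
    if rule.address is not None and rule.address != addr:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    return rule.port is None or rule.port == pkt.dport

def decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; no match falls through to deny (assumed default)."""
    for r in rules:
        if rule_matches(r, pkt):
            return r.action
    return "deny"

PROXY = "10.0.0.5"   # constructed stand-in for the 10.x.x.x proxy in the thread
# The filter as DamFam lists it, with the proxy exception ahead of the deny.
GOOD = [
    Rule("in", "permit"),
    Rule("out", "permit", PROXY, "tcp", 80),
    Rule("out", "deny", None, "tcp", 80),
    Rule("out", "permit"),
]
# Same rules with the exception after the deny: first-match never reaches it.
BAD = [GOOD[0], GOOD[2], GOOD[1], GOOD[3]]

def web_from(src: str, rules: List[Rule]) -> str:
    """Verdict for an outbound TCP/80 packet from src to a constructed web server."""
    return decide(rules, Packet("out", src, "203.0.113.10", "tcp", 80))
```

Swapping the two outbound port-80 rules (GOOD versus BAD) is the only difference between the proxy being permitted and being denied, so if the exception is already first and still fails, the problem lies elsewhere than rule order.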