GE MDS ORBIT MCR Technical Manual page 225

Using the CLI
To use the CLI to create and apply the same packet filters as the example above, first change to CLI configuration mode, then follow the steps below.

1. Enable the firewall service:
   % set services firewall enabled true

2. Create a "restrictive" filter named Cell_Inbound_Traffic. The name indicates that this filter is designed to be applied to an untrusted cellular interface of the MCR. The cellular interface can be considered untrusted because it is connected to a public cellular network, which is inherently an untrusted network.
   % set services firewall filter Cell_Inbound_Traffic

3. Create a rule to permit encrypted IPsec tunnel traffic, i.e. traffic with protocol=ESP:
   % set services firewall filter Cell_Inbound_Traffic rule 1 match protocol esp
   % set services firewall filter Cell_Inbound_Traffic rule 1 actions action accept

4. Create a rule to permit traffic for the following UDP services: DNS, NTP and IKE (to allow IPsec connection setup):
   % set services firewall filter Cell_Inbound_Traffic rule 2 match protocol udp src-port services [dns ike ntp]
   % set services firewall filter Cell_Inbound_Traffic rule 2 actions action accept

5. Create a rule to permit traffic for the following TCP services: SSH and NETCONF (to allow management of the MCR):
   % set services firewall filter Cell_Inbound_Traffic rule 3 match protocol tcp dst-port services [netconf ssh]
   % set services firewall filter Cell_Inbound_Traffic rule 3 actions action accept

   NOTE: The rule stated in step 5 permits SSH or NETCONF connections addressed to the cellular interface's IP address. If SSH or NETCONF connections should only be allowed via the VPN tunnel, remove rule 3 and instead apply an appropriate filter to the IPsec connection.

6. Create the last rule for this "restrictive" filter to deny everything else. Rules are applied in ascending order of rule ID, so any rule added with a higher ID than this catch-all rule will have no effect: the catch-all rule matches all traffic and drops it before later rules are evaluated. In this example rule ID 10 is chosen, which leaves room to insert new rules ahead of this last one to support future traffic types.
   % set services firewall filter Cell_Inbound_Traffic rule 10 match protocol all
   % set services firewall filter Cell_Inbound_Traffic rule 10 actions action drop

7. Apply this filter to the incoming direction on the cellular interface "Cell":
   % set interfaces interface Cell filter input Cell_Inbound_Traffic

8. Create a "permissive" filter that permits all traffic. Later on, if needed, this filter can be enhanced to deny certain traffic from leaving the cellular interface.
   % set services firewall filter Cell_Outbound_Filter rule 10 match protocol all
   % set services firewall filter Cell_Outbound_Filter rule 10 actions action accept

9. Apply this filter to the outgoing direction on the cellular interface "Cell":
   % set interfaces interface Cell filter output Cell_Outbound_Filter

10. Commit the configuration and exit configuration mode:
   % commit
   Commit complete.
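The following is an added offline model of the first-match, ascending-rule-ID filter semantics that the procedure above relies on (steps 3 through 6 and the ordering note in step 6). It is illustrative code written for this page, not part of the MDS Orbit firmware or the manual. It assumes the well-known ports for the named services, adds an "https" service name that the manual does not use, and makes no claim about what the device does when no rule matches (the page's filter avoids that case with its explicit catch-all drop). It lets you check, before committing on a device, which rule a given packet would hit and whether a rule has been placed behind the catch-all where it can never fire.

```python
# Added illustrative model (not part of the MDS Orbit firmware or this manual) of the
# first-match, ascending-rule-ID semantics described in step 6.
from dataclasses import dataclass
from typing import Optional, Tuple

# Well-known ports for the service names used in the page's filter.
# "https" is NOT in the manual's example; it is assumed here for the demo only.
SERVICE_PORTS = {"dns": 53, "ntp": 123, "ike": 500, "ssh": 22, "netconf": 830,
                 "https": 443}


@dataclass(frozen=True)
class Packet:
    """Minimal view of a packet: protocol plus optional L4 ports (constructed test input)."""
    protocol: str                    # "esp", "udp", "tcp", ...
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                             # "accept" or "drop"
    protocol: str = "all"                   # "all" matches every protocol, like "match protocol all"
    src_services: Tuple[str, ...] = ()      # like "src-port services [...]"
    dst_services: Tuple[str, ...] = ()      # like "dst-port services [...]"

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "all" and self.protocol != pkt.protocol:
            return False
        if self.src_services and pkt.src_port not in {SERVICE_PORTS[s] for s in self.src_services}:
            return False
        if self.dst_services and pkt.dst_port not in {SERVICE_PORTS[s] for s in self.dst_services}:
            return False
        return True


class Filter:
    def __init__(self, name: str):
        self.name = name
        self.rules = {}

    def set_rule(self, rule: Rule) -> None:
        """Like 'set ... rule N ...': rules are keyed by ID, so setting the same ID replaces it."""
        self.rules[rule.rule_id] = rule

    def ordered(self):
        return [self.rules[i] for i in sorted(self.rules)]

    def evaluate(self, pkt: Packet):
        """The first matching rule in ascending ID order decides. Returns (action, rule_id),
        or ("no-match", None) if nothing matched; the device's behaviour in that case is not
        stated on the page, which is why the example filter ends with an explicit drop."""
        for r in self.ordered():
            if r.matches(pkt):
                return r.action, r.rule_id
        return "no-match", None

    def shadowed_rule_ids(self):
        """IDs of rules that can never fire because an unconditional catch-all precedes them."""
        shadowed, catch_all_seen = [], False
        for r in self.ordered():
            if catch_all_seen:
                shadowed.append(r.rule_id)
            elif r.protocol == "all" and not r.src_services and not r.dst_services:
                catch_all_seen = True
        return shadowed


def cell_inbound_filter() -> Filter:
    """The Cell_Inbound_Traffic filter from steps 2 to 6."""
    f = Filter("Cell_Inbound_Traffic")
    f.set_rule(Rule(1, "accept", protocol="esp"))
    f.set_rule(Rule(2, "accept", protocol="udp", src_services=("dns", "ike", "ntp")))
    f.set_rule(Rule(3, "accept", protocol="tcp", dst_services=("netconf", "ssh")))
    f.set_rule(Rule(10, "drop", protocol="all"))
    return f


def demo():
    """Evaluate constructed packets against the filter and show the rule-ordering pitfall."""
    f = cell_inbound_filter()
    results = {
        "esp": f.evaluate(Packet("esp")),
        "dns_reply": f.evaluate(Packet("udp", src_port=53, dst_port=40001)),
        "ssh": f.evaluate(Packet("tcp", src_port=50000, dst_port=22)),
        "https": f.evaluate(Packet("tcp", src_port=50000, dst_port=443)),
    }
    # A rule appended after the catch-all (ID 11) never fires ...
    f.set_rule(Rule(11, "accept", protocol="tcp", dst_services=("https",)))
    results["https_after_rule_11"] = f.evaluate(Packet("tcp", src_port=50000, dst_port=443))
    results["shadowed"] = f.shadowed_rule_ids()
    # ... whereas inserting it with an ID below 10 takes effect as intended.
    f.set_rule(Rule(5, "accept", protocol="tcp", dst_services=("https",)))
    results["https_after_rule_5"] = f.evaluate(Packet("tcp", src_port=50000, dst_port=443))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints, for each constructed packet, the action taken and the rule ID that decided it; the shadowed_rule_ids check is the one worth running against any filter you extend later, since the device offers no counters (see Monitoring below) that would reveal a rule that never matches.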
Monitoring
At this time there are no commands to monitor traffic statistics for packets being dropped or permitted by
the firewall. This feature may be added to future revisions of firmware.
MDS 05-6632A01, Rev. F
MDS Orbit MCR/ECR Technical Manual
225
