Setting up an ACC Colorado router

IP packet filtering

Individual named IP filters can be grouped into a profile (a named filter group).
  1. Define the named IP filters needed for the network with the add profile ip filter entry command.
  2. Create profiles and assign named IP filters to them with the add profile entry command. A named IP filter is not restricted to being in one profile; the same filter can be in multiple profiles assigned to different ports.
  3. Apply the profiles to ports as needed with the add profile port assignment command, or add the global designation to profiles meant to apply to all interfaces using the add profile global assignment command or the add profile entry command.
Note: The input instruction in the add profile ip filter entry command does NOT mean that the filter is called whenever a packet comes in from the Internet through your leased line. Just like Linux's ipchains software, the Colorado router offers input and output stages, i.e. you can have the router call one set of profiles when a packet enters an interface, and a second set of profiles before a packet leaves an interface. Keep it simple: only create INPUT filters, apply the profiles they belong to on your external interface, and let any outgoing packet out to the Net.

Deleting IP filters and profiles

If a filter is referenced by a profile, you must first remove this reference before Colorado will let you delete this IP filter:
delete profile elements MyInputProfile smtp1
delete profile ip filter entry smtp1
delete profile entry MyInputProfile

Displaying filter information

display profile ip filter table
display profile ip filter entry smtp1
display profile ip application entry J1
display profile table

Displaying physical port information

display physical port table

Q&A

What's the use of ADD PROFILE ELEMENTS?

Is it used to add filters after using the initial ADD PROFILE ENTRY command, i.e. ADD PROFILE ENTRY is used to create a new profile and add some filters in one shot, while you have to use ADD PROFILE ELEMENTS to add other filters to an existing profile?

What's the difference between ADD PROFILE PORT ASSIGNMENT, ADD PROFILE GLOBAL ASSIGNMENT, and ADD PROFILE ASSIGNMENT?

Is the former used to bind a profile to a specific interface, and the latter to bind a profile to all interfaces (i.e. serial and ethernet)?

How can ADD PROFILE ENTRY be used to assign profiles to ports?

Real-life example

We want to allow access from the Internet only to a few public servers on our LAN, which uses a public Class C network number granted by our ISP:

/*Outside-In filters*/
add profile ip filter entry wwwtdb input 129.192.64.19 255.255.255.255 0.0.0.0 0.0.0.0 = 0x6 = 80 normal
add profile ip filter entry smtp input 129.192.64.20 255.255.255.255 0.0.0.0 0.0.0.0 = 0x6 = 25 normal
add profile ip filter entry pop3 input 129.192.64.20 255.255.255.255 0.0.0.0 0.0.0.0 = 0x6 = 110 normal
add profile ip filter entry ftpdata input 129.192.64.0 255.255.255.0 0.0.0.0 0.0.0.0 = 0x6 = 20 normal
add profile ip filter entry dns input 129.192.64.0 255.255.255.0 194.79.160.0 255.255.255.0 normal
add profile ip filter entry blockall input 129.192.64.0 255.255.255.0 0.0.0.0 0.0.0.0 discard
add profile entry tdb wwwtdb smtp pop3 ftpdata dns blockall
add profile port assignment j3 tdb

/*Inside-Out filters*/
add profile ip filter entry wan-in input 0.0.0.0 0.0.0.0 129.192.64.0 255.255.255.0 normal
add profile ip filter entry wan-out output 0.0.0.0 0.0.0.0 129.192.64.0 255.255.255.0 normal
add profile entry myout wan-in wan-out
add profile port assignment j5 myout

/*Add a new filter to an existing profile*/
add profile elements tdb blockall

/*Remove references to filters in profiles, and delete filters*/
delete profile elements myout wan-in
delete profile elements myout wan-out
delete profile ip filter entry wan-in
delete profile ip filter entry wan-out

Saving and restoring configuration through TFTP

To save the configuration file to a TFTP host
  1. Log in to the TFTP host
  2. Change to the default TFTP directory on the TFTP host (e.g. cd /tftpboot)
  3. Initiate a TFTP session with the router (e.g. tftp gateway.acme.com)
  4. Set the TFTP transfer mode to ASCII (mode ascii)
  5. Get the configuration file (get config.scr gateway.scr)
  6. Quit the TFTP session (quit)
To restore the configuration file using TFTP get
  1. Log in to the router
  2. Use the tftp get command or the scriptload command to download the configuration file (e.g. tftp get tftpserver.acme.com gateway.scr)
  3. Make the new configuration file active using the set file primary command (reload 1 gateway.scr)
  4. (optional) Save this new configuration (set configuration save)
To restore the configuration file using scriptload
  1. Log in to the router
  2. scriptload tftpserver.acme.com gateway.scr
  3. (optional) Save this new configuration (set configuration save)

Resetting or reloading Colorado

Some commands only take effect after running the reset command. To tell Colorado to reload with the new configuration file that you downloaded from the TFTP server, run reload file. To tell Colorado to reload its saved configuration file, run set configuration load.

Restricting Telnet/TFTP Access

Use the add access entry command to restrict Telnet access to specific hosts only:
#public = read-only mode; 0 = from all ports on the remote host
add access entry 1.0.0.3 255.255.255.255 0 public 
#netman = read-write mode
add access entry 1.0.0.3 255.255.255.255 0 netman
Use display access table to check which hosts (up to 8) are allowed to telnet to the router.

Resources

Command-line interface

-B back up to previous commands
-F forward to later commands
-R re-displays the previous commands

Scratch pad

When the router receives an IP packet on an interface for which IP routing is enabled (an interface listed in the IP network table), the input list for the interface on which the packet was received is applied. If the packet is not discarded, the global filter list is applied. The packet is routed and the output list for the destination interface is applied. If the packet is not discarded, it is forwarded to the destination interface.

After applying the blockall filter disallow, I can no longer work with Internet hosts (e.g. checking a web page). Should I add a filter before it to allow all incoming connections to ports > 1024?

Parameters and options are defined as follows:

op2 specifies the test to be applied to the TCP or UDP port. This parameter is optional and consists of d or s, which specify, respectively, that the test is to be applied to the destination or source port. It also contains an operator that indicates how the specified port is to be tested against the port parameter. The operators are = (equal), ! (not equal), < (less than), or > (greater than). The 12 possible values for op2 are: = ! < > d= d! d< d> s= s! s< s>

=> add profile ip filter entry ackpackets input 129.192.64.0 255.255.255.0 0.0.0.0 0.0.0.0 d>1023 normal
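To see why blockall stops replies from outside web servers and what the proposed ackpackets filter changes, here is an added Python model of an input profile being applied to a packet (my own example, not ACC's code or the router's real implementation). It parses the page's own filter commands and assumes first-match evaluation in the profile's listed order, pass on no match, destination address first and source second (as the outside-in examples imply), and a bare op2 testing the destination port; 198.51.100.7 is a made-up outside host.

```python
import ipaddress
import operator
import re

# Added example, not ACC code: how an input profile such as the page's 'tdb' decides a packet.
# Assumptions: filters are tried in the order the profile lists them and the first match decides;
# no match means pass; the first address/mask pair is the destination and the second the source
# (as the outside-in examples imply); a bare op2 with no d/s prefix tests the destination port.
OPS = {"=": operator.eq, "!": operator.ne, "<": operator.lt, ">": operator.gt}
TESTS = re.compile(r"(?:=\s*(0x[0-9a-fA-F]+|\d+))?\s*(?:([ds]?)([=!<>])\s*(\d+))?")
ip = lambda s: int(ipaddress.IPv4Address(s))  # dotted quad -> int


def parse_filter(cmd):
    """Parse 'add profile ip filter entry NAME DIR DST DMASK SRC SMASK [= PROTO] [OP2 PORT] ACTION'."""
    tok = cmd.split()
    m = TESTS.fullmatch(" ".join(tok[11:-1]))  # the page always writes '= PROTO' before the port test
    if tok[:5] != "add profile ip filter entry".split() or m is None:
        raise ValueError("cannot parse: " + cmd)
    proto, side, op, port = m.groups()
    return {"name": tok[5], "dir": tok[6], "dst": (ip(tok[7]), ip(tok[8])), "src": (ip(tok[9]), ip(tok[10])),
            "proto": int(proto, 0) if proto else None,
            "port": (side or "d", OPS[op], int(port)) if op else None, "action": tok[-1]}


def matches(f, pkt):
    # All tests must hold: masked destination and source, protocol (if given), op2 port test (if given).
    side, op, port = f["port"] or ("d", lambda a, b: True, 0)
    return (all((pkt[k] & f[k][1]) == (f[k][0] & f[k][1]) for k in ("dst", "src"))
            and f["proto"] in (None, pkt["proto"])
            and op(pkt["dport" if side == "d" else "sport"], port))


def apply_profile(filters, pkt):
    """Walk the profile in order; return (action, name of the deciding filter)."""
    for f in filters:
        if matches(f, pkt):
            return f["action"], f["name"]
    return "normal", None


TDB = [parse_filter(c) for c in [  # the page's outside-in profile, in the page's order
    "add profile ip filter entry wwwtdb input 129.192.64.19 255.255.255.255 0.0.0.0 0.0.0.0 = 0x6 = 80 normal",
    "add profile ip filter entry ftpdata input 129.192.64.0 255.255.255.0 0.0.0.0 0.0.0.0 = 0x6 = 20 normal",
    "add profile ip filter entry dns input 129.192.64.0 255.255.255.0 194.79.160.0 255.255.255.0 normal",
    "add profile ip filter entry blockall input 129.192.64.0 255.255.255.0 0.0.0.0 0.0.0.0 discard"]]
# The scratch pad's ackpackets filter only takes effect if it sits ahead of blockall.
ACK = parse_filter("add profile ip filter entry ackpackets input 129.192.64.0 255.255.255.0 0.0.0.0 0.0.0.0 d>1023 normal")
TDB_WITH_ACK = TDB[:-1] + [ACK, TDB[-1]]
REPLY = {"dst": ip("129.192.64.33"), "src": ip("198.51.100.7"), "proto": 6, "sport": 80, "dport": 40000}  # constructed web reply
```

apply_profile(TDB, REPLY) gives ('discard', 'blockall') while apply_profile(TDB_WITH_ACK, REPLY) gives ('normal', 'ackpackets'); note that d>1023 passes any inbound packet to a high port, not only replies, because these filters keep no connection state.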