Transparency Firewall

Summary

The transparency firewall filters packets passing through the router by bridging between interfaces rather than routing between them.

With an L3 firewall, the networks connected to the router must be separate segments. For this reason, even when all you want is a firewall, each interface has to be assigned a different IP address, which in some existing networks has made it difficult to add a firewall.

In such cases, a transparency firewall lets you install a firewall without changing any of the existing settings on the router or the PCs. If a router for your Internet connection is already installed and you do not want to replace it, or if you want to add firewalls to many branches at once, a transparency firewall makes deployment easy.

Transparency Firewall Connection Diagram

The settings for the various filters are the same for L3 and transparency firewalls. If you are familiar with configuring a traditional L3 firewall, you can configure a transparency firewall without worrying about the difference in the mode of operation.

Notes

  • PPPoE is not supported.
    For this reason, a transparency firewall cannot be placed on the Internet (WAN) side of a PPPoE connection; it sits between the router and the LAN.
  • Filters are not applied to communication between the individual ports of LAN1.

Compatible Models & Firmware Revisions

The following models and firmware revisions in the Yamaha RT series support transparency firewalls.

Model    Firmware
FWX120   Rev.11.03.16 or later

Details

Transparency Firewalls and Bridge Interfaces

A transparency firewall uses a bridge interface. A bridge interface is a virtual interface that realizes a bridge between actual interfaces. In the explanations that follow, an actual interface accommodated by a bridge interface is called an "accommodated interface."

For instance, to accommodate actual interfaces in a bridge interface, set the following.

bridge member bridge1 lan1 lan2

The commands are explained in detail in "Bridge Interfaces"; note here only that to use a bridge interface you need to designate the actual interfaces, here lan1 and lan2. In this example, lan1 and lan2 are the accommodated interfaces, and bridge1 is the bridge interface that accommodates them.

By bridging the accommodated interfaces, the segments connected to each of them become a single segment. The output interface for a packet received on an accommodated interface is determined from the bridge interface settings and the destination MAC address, and the packet is sent out from that accommodated interface. Applying the various filters during this process is what makes a transparency firewall. Note that LAN1 is a switching hub and filters are not applied between its individual ports; filters apply only to communication that crosses the boundary of an accommodated interface.

Filter Processing

Filters are applied in the same way for the L3 and transparency types, so the filter processing steps are almost identical for both.

Filter Processing Steps

The Ethernet filter, intrusion detection, inbound filter, and URL filter are processed at the interface level. Therefore, even for the transparency type, you configure them on the interfaces that receive and send packets, just as for the L3 type.

A policy filter, on the other hand, is processed at the connection level. To filter at the connection level, the output interface of an inbound packet must already be determined. For this reason, the processing carried out just ahead of the policy filter differs between the two types: in an L3 firewall it is routing, in a transparency firewall it is bridging.

This difference amounts to whether the IP-layer address or the data-link-layer address is used to determine the output interface. From the policy filter's point of view, only the inbound and outbound interfaces matter, and it does not need to know which address was used to choose the output interface.

Thus, when you define a policy for a policy filter, you identify the connection in either case by designating the actual interfaces that receive and send the packets.

For details on Bridge Interfaces and various filters, refer to Related Documents.

Transparency Firewall Settings

Setting a Transparency Firewall is done in the following steps.

  1. Bridge Interface Settings
  2. Filter Settings
    1. Filter Settings for Accommodated Interfaces
    2. Connection Level Filter Settings

Only the bridge interface settings differ from an L3 firewall. The filters are set in the same way as for an L3 firewall.

Below, the transparency firewall settings are described for a specific situation: installing a transparency firewall between a WAN (Internet) side router (192.168.100.1) and an L2 switch.

lan2 is connected to the router side and lan1 to the L2 switch side.

Bridge Interface Settings

First, set up the bridge interface. To bridge lan1 and lan2, set the following.

# bridge member bridge1 lan1 lan2

Here lan1 and lan2 become the accommodated interfaces, accommodated by the bridge interface bridge1.

If the firewall itself needs to send and receive packets over lan1 or lan2, set the IP address on the bridge interface, not on lan1 or lan2.

# ip bridge1 address 192.168.100.100/24

Because lan1 and lan2 are accommodated by bridge1, the segments physically connected to them together form the single network 192.168.100.0/24.

When the default gateway and DNS server are at 192.168.100.1, set the default route and DNS server as follows.

# ip route default gateway 192.168.100.1
# dns server 192.168.100.1

Filter Settings for Accommodated Interfaces

All filters other than the policy filter are set at the interface level. This is the same regardless of whether the type is L3 or transparency.

For a transparency firewall, these filters are set on each accommodated interface. Here we apply them to lan1 and lan2.

Ethernet Filter

Use an Ethernet filter to filter at the Ethernet (data-link) level. Here, because lan1 is connected to the L2 switch, the Ethernet filter is applied to lan1.

For instance, to pass only frames from the host with MAC address 00:a0:de:01:02:03 and discard frames from every other host, set the following.

# ethernet filter 1 pass-nolog 00:a0:de:01:02:03
# ethernet filter 100 reject-log *
# ethernet lan1 filter in 1 100

Inbound Filter

To discard packets received on an accommodated interface as early as possible, use an inbound filter. An inbound filter is an IP-layer filter, so you can filter on criteria such as the IP addresses of the received packet.

For instance, to ensure that packets related to Windows file sharing never come in from the router side, set the following inbound filter on lan2.

# ip lan2 inbound filter list 1001 1002 1003 1004 1005 1006 1100
# ip inbound filter 1001 reject-nolog * * tcp,udp * 135
# ip inbound filter 1002 reject-nolog * * tcp,udp 135 *
# ip inbound filter 1003 reject-nolog * * tcp,udp * netbios_ns-netbios_ssn
# ip inbound filter 1004 reject-nolog * * tcp,udp netbios_ns-netbios_ssn *
# ip inbound filter 1005 reject-nolog * * tcp,udp * 445
# ip inbound filter 1006 reject-nolog * * tcp,udp 445 *
# ip inbound filter 1100 pass-nolog * * * * *
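To see what the list above actually does to traffic, the following Python script models its evaluation against a few constructed packets. This is an added example, not code from the page or from Yamaha. It assumes (the page does not say so) that rules are evaluated in the order given by the "inbound filter list" command with the first match deciding, that a packet matching no rule is discarded (hence the explicit pass-all rule 1100), that netbios_ns and netbios_ssn mean ports 137 and 139, and that addresses match exactly or with "*".

```python
"""Model of how a Yamaha-style inbound filter list is evaluated (added example).

Assumptions: list order decides evaluation order, first match wins, no match
means discard, netbios_ns/netbios_ssn are ports 137/139, addresses match
exactly or as '*'. SERVICE_PORTS covers only the names used on the page.
"""
from dataclasses import dataclass

SERVICE_PORTS = {"netbios_ns": 137, "netbios_dgm": 138, "netbios_ssn": 139}

# The inbound filter configuration from the page, in its original order.
CONFIG = """
ip lan2 inbound filter list 1001 1002 1003 1004 1005 1006 1100
ip inbound filter 1001 reject-nolog * * tcp,udp * 135
ip inbound filter 1002 reject-nolog * * tcp,udp 135 *
ip inbound filter 1003 reject-nolog * * tcp,udp * netbios_ns-netbios_ssn
ip inbound filter 1004 reject-nolog * * tcp,udp netbios_ns-netbios_ssn *
ip inbound filter 1005 reject-nolog * * tcp,udp * 445
ip inbound filter 1006 reject-nolog * * tcp,udp 445 *
ip inbound filter 1100 pass-nolog * * * * *
"""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"
    sport: int  # 0 for protocols without ports
    dport: int


@dataclass(frozen=True)
class Rule:
    num: int
    action: str        # pass-nolog, reject-nolog, pass-log, reject-log
    src: str           # address or '*'
    dst: str
    protos: frozenset  # e.g. {"tcp", "udp"} or {"*"}
    sports: range
    dports: range


def _port(token):
    return SERVICE_PORTS[token] if token in SERVICE_PORTS else int(token)


def parse_ports(spec):
    """'*' -> all ports; '445' -> 445 only; 'a-b' -> inclusive range, names allowed."""
    if spec == "*":
        return range(0, 65536)
    lo, sep, hi = spec.partition("-")
    lo_p = _port(lo)
    return range(lo_p, (_port(hi) if sep else lo_p) + 1)


def parse_rule(line):
    tok = line.split()
    if tok[:3] != ["ip", "inbound", "filter"]:
        raise ValueError(line)
    num, action, src, dst, proto, sport, dport = tok[3:10]
    return Rule(int(num), action, src, dst, frozenset(proto.split(",")),
                parse_ports(sport), parse_ports(dport))


def load(config):
    """Return rules in the order of the 'inbound filter list' line (not definition order)."""
    defs, order = {}, []
    for line in config.strip().splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "inbound", "filter"]:
            rule = parse_rule(line)
            defs[rule.num] = rule
        elif tok[2:5] == ["inbound", "filter", "list"]:
            order = [int(n) for n in tok[5:]]
    return [defs[n] for n in order]


def matches(rule, pkt):
    if rule.src != "*" and rule.src != pkt.src:
        return False
    if rule.dst != "*" and rule.dst != pkt.dst:
        return False
    if "*" not in rule.protos and pkt.proto not in rule.protos:
        return False
    if pkt.proto in ("tcp", "udp") and (
            pkt.sport not in rule.sports or pkt.dport not in rule.dports):
        return False
    return True  # port fields are ignored for protocols without ports


def evaluate(rules, pkt):
    """First matching rule decides: (verdict, rule number), or ('reject', None)."""
    for rule in rules:
        if matches(rule, pkt):
            return ("pass" if rule.action.startswith("pass") else "reject"), rule.num
    return "reject", None


if __name__ == "__main__":
    rules = load(CONFIG)
    wan, pc = "203.0.113.5", "192.168.100.20"  # constructed addresses
    for pkt in (Packet(wan, pc, "tcp", 51000, 445),  # SMB from the router side
                Packet(wan, pc, "udp", 53000, 137),  # NetBIOS name service
                Packet(wan, pc, "tcp", 139, 50000),  # NetBIOS source port
                Packet(wan, pc, "tcp", 51000, 443),  # HTTPS
                Packet(wan, pc, "icmp", 0, 0)):
        print(pkt.proto, pkt.sport, "->", pkt.dport, evaluate(rules, pkt))
```

The point worth noticing is that rules 1002, 1004 and 1006 match on the source port, so a reply from an internal SMB server that somehow reached lan2 is also dropped, and that removing rule 1100 from the list would, under the assumed no-match-means-discard behaviour, drop all remaining traffic rather than pass it.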

Intrusion Detection

As with the inbound filter, the typical way to run intrusion detection is to enable it on lan2, the accommodated interface on the router side.

For example, set the following to detect attacks using ICMP.

# ip lan2 intrusion detection in on
# ip lan2 intrusion detection in icmp on reject=off
# ip lan2 intrusion detection in default off

URL Filter

The URL filter with the internal database is configured in the same way as intrusion detection, on the router-side accommodated interface.

For example, to reject access to www.example.com, set the following URL filter (internal DB) on lan2.

# url filter 1 reject www.example.com
# url filter 100 pass *
# url lan2 filter out 1 100

Connection Level Filter Settings

Policy Filter

A policy filter is a stateful inspection filter set at the connection level. With a transparency firewall, just as with an L3 firewall, you can filter bridged packets by stateful inspection based on policies.

To designate the receiving or sending interface of a bridged connection, designate an accommodated interface.

For example, to discard Telnet connections from the WAN side, set the following policy with lan2 as the receiving interface and lan1 as the sending interface.

# ip policy filter 1000 reject-nolog lan2 lan1 * * telnet
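The following Python model ties together the two points made above: bridging (forwarding by destination MAC) takes the place of routing in choosing the output interface, and the policy filter then decides per connection using the receiving and sending accommodated interfaces. It is an added example, not code from the page or from Yamaha. Its assumptions: the bridge learns the source MAC of each frame on the interface it arrived on and floods to the other member when the destination is unknown; a frame whose destination is on the same interface it arrived on stays there and is not filtered; the policy filter is consulted for the first packet of a connection only and the verdict is cached per 5-tuple, so replies of an accepted connection pass in either direction; "telnet" means TCP/23; a connection matching no policy passes. Policy 1000 is the page's; policy 2000, rejecting everything else from lan2 to lan1, is an assumed addition used to make the stateful behaviour visible.

```python
"""Bridging followed by a connection-level policy filter (added example).

Assumptions: learning bridge with flooding for unknown destinations; traffic
staying on one accommodated interface is not filtered; first packet of a
connection is checked against the policies, verdict cached per 5-tuple and
applied to replies; 'telnet' is TCP/23; no matching policy means pass.
"""
from dataclasses import dataclass

SERVICES = {"telnet": ("tcp", 23)}  # only the service name the page uses


@dataclass(frozen=True)
class Frame:
    in_if: str      # accommodated interface the frame arrived on
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Policy:
    num: int
    action: str  # pass-nolog, reject-nolog, ...
    in_if: str   # receiving accommodated interface or '*'
    out_if: str  # sending accommodated interface or '*'
    src: str
    dst: str
    service: str  # service name or '*'


def parse_policy(line):
    tok = line.split()
    if tok[:3] != ["ip", "policy", "filter"]:
        raise ValueError(line)
    num, action, in_if, out_if, src, dst, service = tok[3:10]
    return Policy(int(num), action, in_if, out_if, src, dst, service)


class TransparentFirewall:
    def __init__(self, members, policies):
        self.members = list(members)    # accommodated interfaces of the bridge
        self.policies = list(policies)  # evaluated in order, first match wins
        self.mac_table = {}             # MAC -> accommodated interface
        self.conn_table = {}            # 5-tuple -> cached verdict

    def _bridge(self, f):
        """The step that replaces routing: pick the output interface by MAC."""
        self.mac_table[f.src_mac] = f.in_if
        out = self.mac_table.get(f.dst_mac)
        if out is None:                 # unknown destination: flood
            return [m for m in self.members if m != f.in_if]
        return [] if out == f.in_if else [out]

    def _matches(self, p, f, out_if):
        svc = None if p.service == "*" else SERVICES[p.service]
        return (p.in_if in ("*", f.in_if) and p.out_if in ("*", out_if)
                and p.src in ("*", f.src_ip) and p.dst in ("*", f.dst_ip)
                and (svc is None or svc == (f.proto, f.dport)))

    def forward(self, f):
        """Return (verdict, output interfaces) for one frame."""
        outs = self._bridge(f)
        if not outs:
            return "not-bridged", []    # never crosses the bridge, no filtering
        key = (f.proto, f.src_ip, f.sport, f.dst_ip, f.dport)
        reverse = (f.proto, f.dst_ip, f.dport, f.src_ip, f.sport)
        for k in (key, reverse):        # existing connection or its reply
            if k in self.conn_table:
                return self.conn_table[k], outs
        verdict = "pass"
        for p in self.policies:
            if any(self._matches(p, f, o) for o in outs):
                verdict = "pass" if p.action.startswith("pass") else "reject"
                break
        self.conn_table[key] = verdict
        return verdict, outs


def build_demo_firewall():
    return TransparentFirewall(["lan1", "lan2"], [
        parse_policy("ip policy filter 1000 reject-nolog lan2 lan1 * * telnet"),
        parse_policy("ip policy filter 2000 reject-nolog lan2 lan1 * * *"),  # assumed
    ])


if __name__ == "__main__":
    fw = build_demo_firewall()
    router, pc = "00:a0:de:aa:bb:cc", "00:a0:de:01:02:03"  # constructed MACs
    for f in (
        Frame("lan2", router, pc, "203.0.113.5", "192.168.100.20", "tcp", 40000, 23),   # inbound telnet
        Frame("lan1", pc, router, "192.168.100.20", "203.0.113.9", "tcp", 51000, 443),  # outbound HTTPS
        Frame("lan2", router, pc, "203.0.113.9", "192.168.100.20", "tcp", 443, 51000),  # its reply
        Frame("lan2", router, pc, "203.0.113.9", "192.168.100.20", "tcp", 443, 51001),  # unsolicited
    ):
        print(f.in_if, f.src_ip, f.sport, "->", f.dst_ip, f.dport, fw.forward(f))
```

The reply frame (third) would be rejected by policy 2000 if every packet were matched on its own; it passes only because the connection opened from lan1 is already in the connection table. The first frame also shows the ordering the text describes: the output interface lan1 is known (here by flooding, since the PC's MAC has not been learned yet) before the policy filter compares it against "lan2 lan1 * * telnet".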

Related Documents
