How to define an ipfilter for brocade switch


In this KB article I have collected the commands needed to define an ipfilter policy that blocks TCP port 23 (telnet) requests to the switch.

Please review the steps and adapt them to your own configuration.

Step 1: Check current configuration

Connect to the Brocade switch over SSH and list the existing ipfilter policies.

# ipfilter --show
Name: default_ipv4, Type: ipv4, State: active
Rule Source IP Protocol Dest Port Action
1 any tcp 22 permit
2 any tcp 23 permit
3 any tcp 80 permit
4 any tcp 443 permit
5 any udp 161 permit
6 any udp 123 permit
7 any tcp 600 - 1023 permit
8 any udp 600 - 1023 permit

Name: default_ipv6, Type: ipv6, State: active
Rule Source IP Protocol Dest Port Action
1 any tcp 22 permit
2 any tcp 23 permit
3 any tcp 80 permit
4 any tcp 443 permit
5 any udp 161 permit
6 any udp 123 permit
7 any tcp 600 - 1023 permit
8 any udp 600 - 1023 permit

Step 2: Clone current configuration

# ipfilter --clone BlockPort23 -from default_ipv4
# ipfilter --clone BlockPort23ipv6 -from default_ipv6
# ipfilter --show

Name: default_ipv4, Type: ipv4, State: active
Rule Source IP Protocol Dest Port Action
1 any tcp 22 permit
2 any tcp 23 permit
3 any tcp 80 permit
4 any tcp 443 permit
5 any udp 161 permit
6 any udp 123 permit
7 any tcp 600 - 1023 permit
8 any udp 600 - 1023 permit

Name: default_ipv6, Type: ipv6, State: active
Rule Source IP Protocol Dest Port Action
1 any tcp 22 permit
2 any tcp 23 permit
3 any tcp 80 permit
4 any tcp 443 permit
5 any udp 161 permit
6 any udp 123 permit
7 any tcp 600 - 1023 permit
8 any udp 600 - 1023 permit

Name: BlockPort23, Type: ipv4, State: defined (modified)
Rule Source IP Protocol Dest Port Action
1 any tcp 22 permit
2 any tcp 23 permit
3 any tcp 80 permit
4 any tcp 443 permit
5 any udp 161 permit
6 any udp 123 permit
7 any tcp 600 - 1023 permit
8 any udp 600 - 1023 permit

Name: BlockPort23ipv6, Type: ipv6, State: defined (modified)
Rule Source IP Protocol Dest Port Action
1 any tcp 22 permit
2 any tcp 23 permit
3 any tcp 80 permit
4 any tcp 443 permit
5 any udp 161 permit
6 any udp 123 permit
7 any tcp 600 - 1023 permit
8 any udp 600 - 1023 permit

Step 3: Modify cloned configuration

Replace rule 2 in both cloned policies so that TCP requests to port 23 are denied instead of permitted, then save the policies.

# ipfilter --delrule BlockPort23 -rule 2
# ipfilter --delrule BlockPort23ipv6 -rule 2
# ipfilter --addrule BlockPort23 -rule 2 -sip any -dp 23 -proto tcp -act deny
# ipfilter --addrule BlockPort23ipv6 -rule 2 -sip any -dp 23 -proto tcp -act deny
# ipfilter --save BlockPort23
# ipfilter --save BlockPort23ipv6

Step 4: Activate new firewall configuration

# ipfilter --activate BlockPort23
# ipfilter --activate BlockPort23ipv6
# ipfilter --show

Name: default_ipv4, Type: ipv4, State: defined
Rule Source IP Protocol Dest Port Action
1 any tcp 22 permit
2 any tcp 23 permit
3 any tcp 80 permit
4 any tcp 443 permit
5 any udp 161 permit
6 any udp 123 permit
7 any tcp 600 - 1023 permit
8 any udp 600 - 1023 permit

Name: default_ipv6, Type: ipv6, State: defined
Rule Source IP Protocol Dest Port Action
1 any tcp 22 permit
2 any tcp 23 permit
3 any tcp 80 permit
4 any tcp 443 permit
5 any udp 161 permit
6 any udp 123 permit
7 any tcp 600 - 1023 permit
8 any udp 600 - 1023 permit

Name: BlockPort23, Type: ipv4, State: active
Rule Source IP Protocol Dest Port Action
1 any tcp 22 permit
2 any tcp 23 deny
3 any tcp 80 permit
4 any tcp 443 permit
5 any udp 161 permit
6 any udp 123 permit
7 any tcp 600 - 1023 permit
8 any udp 600 - 1023 permit

Name: BlockPort23ipv6, Type: ipv6, State: active
Rule Source IP Protocol Dest Port Action
1 any tcp 22 permit
2 any tcp 23 deny
3 any tcp 80 permit
4 any tcp 443 permit
5 any udp 161 permit
6 any udp 123 permit
7 any tcp 600 - 1023 permit
8 any udp 600 - 1023 permit
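
As an added example (not part of this KB and not a Brocade tool), the following Python script parses saved `ipfilter --show` output and checks that every active policy denies tcp/23 while still permitting tcp/22, so the change can be verified before or after activation without locking yourself out of SSH. It assumes that FOS evaluates rules in ascending order, first match wins, and anything unmatched is denied; the sample output is constructed from the listing above and trimmed.

```python
import re
# Constructed sample, modelled on the page's final `ipfilter --show` output (trimmed).
SAMPLE_OUTPUT = """\
Name: default_ipv4, Type: ipv4, State: defined
Rule Source IP Protocol Dest Port Action
1 any tcp 22 permit
2 any tcp 23 permit

Name: BlockPort23, Type: ipv4, State: active
Rule Source IP Protocol Dest Port Action
1 any tcp 22 permit
2 any tcp 23 deny
7 any tcp 600 - 1023 permit
"""

HEADER_RE = re.compile(r"^Name:\s*(\S+),\s*Type:\s*(\S+),\s*State:\s*(.+)$")
RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(tcp|udp)\s+(\d+)(?:\s*-\s*(\d+))?\s+(permit|deny)$")

def parse_policies(text):
    """Map policy name -> {type, state, rules[(num, proto, lo, hi, action)]}."""
    policies, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER_RE.match(line):
            current = {"type": m.group(2), "state": m.group(3).strip(), "rules": []}
            policies[m.group(1)] = current
        elif (m := RULE_RE.match(line)) and current is not None:
            lo, hi = int(m.group(4)), int(m.group(5) or m.group(4))
            current["rules"].append((int(m.group(1)), m.group(3), lo, hi, m.group(6)))
    return policies

def evaluate(policy, proto, port):
    """First matching rule (lowest number) decides; no match is deny (assumed FOS semantics)."""
    for _num, rproto, lo, hi, act in sorted(policy["rules"]):
        if rproto == proto and lo <= port <= hi:
            return act
    return "deny"

def audit(text, checks=(("tcp", 23, "deny"), ("tcp", 22, "permit"))):
    """Check each active policy; return (policy, proto, port, expected, actual) mismatches."""
    problems = []
    for name, pol in parse_policies(text).items():
        if not pol["state"].startswith("active"):
            continue  # only the active policy filters management traffic
        for proto, port, expected in checks:
            actual = evaluate(pol, proto, port)
            if actual != expected:
                problems.append((name, proto, port, expected, actual))
    return problems
```

Feed it the real `ipfilter --show` output captured over SSH; an empty list means the active policy passes both checks, and each tuple otherwise names the policy and port that still need attention.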


I'm an IT Infrastructure and Operations Architect with extensive experience and administration skills, and I work for Turk Telekom. I provide hardware and software support for IT Infrastructure and Operations tasks.
