Custom BigFix Firewall Rule

(imported topic written by junyoure91)

Is it possible to block access to the local subnet with a BigFix firewall policy? I know it sounds simple, and I’m pretty sure the rule is right. It’s blocking subnet broadcast traffic; I’m seeing that in the firewall logs, but access to the gateway’s http interface isn’t being blocked. I need to ensure a client can only speak through the gateway to other hosts, and cannot speak to anything else on the local subnet.

What could I be missing?

-jr.

(imported comment written by jessewk)

Hi Jr,

Are you setting these rules with the BigFix Firewall product or are you using BigFix to set Windows firewall rules or some other product’s firewall rules?

If it’s BF Firewall, can you post the XML definition of the firewall policy? Otherwise, can you post the action you are using?

Jesse

(imported comment written by junyoure91)

Jessewk,

I’m using the BF Firewall product. Here’s the XML ruleset: NS2 is the one that isn’t working as expected.

<Rule id="NS1" zone="2" priority="low" dir="in_out" prot="tcp_udp" locport="*" remport="*" remaddr="*" app="*" account="both" desc="Deny All"/>
<Rule id="NS2" zone="1" priority="high" dir="out" prot="tcp_udp" locport="*" remport="*" remaddr="10.32.0.1-10.95.255.255" app="*" account="both" desc="Deny access to Local LAN and other 10. Networks"/>
<Rule id="NS3" zone="1" priority="high" dir="in" prot="tcp_udp" locport="52311" remport="*" remaddr="*" app="*" account="both" desc="BigFix In"/>
<Rule id="NS4" zone="1" priority="high" dir="in_out" prot="tcp_udp" locport="*" remport="*" remaddr="127.0.0.1" app="*" account="both" desc="Loopback Control"/>
<Rule id="NS5" zone="1" priority="high" dir="out" prot="tcp" locport="*" remport="80" remaddr="*" app="*" account="both" desc="HTTP out"/>
<Rule id="NS6" zone="1" priority="high" dir="out" prot="tcp_udp" locport="*" remport="52311" remaddr="*" app="*" account="both" desc="BigFix out"/>
<Rule id="NS7" zone="1" priority="low" dir="in" prot="tcp" locport="21" remport="*" remaddr="*" app="*" account="both" desc="FTP in"/>
<Rule id="NS8" zone="1" priority="low" dir="in" prot="tcp" locport="22" remport="*" remaddr="*" app="*" account="both" desc="SSH in"/>
<Rule id="NS9" zone="1" priority="low" dir="in" prot="tcp" locport="3000" remport="*" remaddr="*" app="*" account="both" desc="some service 1"/>
<Rule id="NS10" zone="1" priority="low" dir="in" prot="tcp" locport="3001" remport="*" remaddr="*" app="*" account="both" desc="some service 2"/>
<Rule id="NS11" zone="1" priority="low" dir="in" prot="tcp" locport="3389" remport="*" remaddr="*" app="*" account="both" desc="RDP in"/>
<Rule id="NS12" zone="1" priority="low" dir="in" prot="tcp" locport="5402" remport="*" remaddr="172.19.16.1-172.19.16.254" app="*" account="both" desc="some service 3"/>
<Rule id="NS13" zone="1" priority="low" dir="in" prot="tcp" locport="5402" remport="*" remaddr="172.19.4.1-172.19.4.254" app="*" account="both" desc="some service 3"/>
<Rule id="NS14" zone="1" priority="low" dir="in" prot="tcp" locport="5402" remport="*" remaddr="192.168.6.1-192.168.6.255" app="*" account="both" desc="some service 3"/>
<Rule id="NS15" zone="1" priority="low" dir="in" prot="tcp" locport="80" remport="*" remaddr="*" app="*" account="both" desc="HTTP in"/>
<Rule id="NS16" zone="1" priority="low" dir="in" prot="tcp" locport="9002" remport="*" remaddr="172.19.16.1-172.19.16.254" app="*" account="both" desc="some service 4"/>
<Rule id="NS17" zone="1" priority="low" dir="in" prot="tcp" locport="9002" remport="*" remaddr="172.23.24.1-172.23.24.254" app="*" account="both" desc="some service 4"/>
<Rule id="NS18" zone="1" priority="low" dir="in_out" prot="other" prot_num="2" remaddr="*" app="*" account="system" desc="some service 5"/>
<Rule id="NS19" zone="1" priority="low" dir="in_out" prot="tcp" locport="5402" remport="*" remaddr="172.21.75.1-172.21.75.254" app="*" account="both" desc="some service 5"/>
<Rule id="NS20" zone="1" priority="low" dir="out" prot="tcp" locport="*" remport="21" remaddr="*" app="*" account="both" desc="FTP out"/>
<Rule id="NS21" zone="1" priority="low" dir="out" prot="tcp" locport="*" remport="3389" remaddr="172.23.192.22" app="*" account="both" desc="RDP to some server"/>
<Rule id="NS22" zone="1" priority="low" dir="out" prot="tcp" locport="*" remport="443" remaddr="*" app="*" account="both" desc="HTTPS out"/>
<Rule id="NS23" zone="1" priority="low" dir="out" prot="udp" locport="*" remport="53" remaddr="*" app="*" account="both" desc="DNS out"/>
<Rule id="NS24" zone="1" priority="low" dir="out" prot="tcp" locport="*" remport="38080" remaddr="172.22.192.16-172.22.192.22" app="*" account="both" desc="some service for testing"/>
<Rule id="NS25" zone="1" priority="low" dir="in_out" prot="tcp" locport="*" remport="*" remaddr="*" app="*" account="both" desc="Prevent Everything Else"/>

A specific example would be a client at IP 10.32.0.50 should not be able to reach any other IP between 10.32.0.1 and 10.95.255.255. NS2 is blocking packets to 10.32.0.63 (the local subnet broadcast), but not to the web interface of the gateway at 10.32.0.1.

Thanks.

-Jr.

(imported comment written by junyoure91)

…I also realize this topic may have been better served in “endpoint protection” but I’m thinking the error is in my authoring. Please forgive me if I posted in the wrong forum.

-Jr.

(imported comment written by junyoure91)

Any ideas? Or is this so obvious that it’s not worth commenting on and I’m the one who’s missing it?

(imported comment written by arnaud91)

Hi junyoure,

I see that rule #5 allows outbound HTTP traffic, with same priority as rule #2. That may be the reason why traffic is allowed to the web interface of your gateway.

You could try to disable this rule and see if firewall behavior changes.

Arnaud

(imported comment written by junyoure91)

Thanks. I’ll try that and reply back.

(imported comment written by junyoure91)

OK, that worked. I changed rule NS5 to “normal” priority and now the web access is blocked.

So…I’m pretty well versed in firewall logic, but the deployment guide doesn’t do a very good job at explaining how the BF firewall rules are ordered, the interaction of the priorities, etc. In fact, page 23 (rule sorting) makes reference to several things I cannot find (e.g. label, group, then (*)). I find no other reference to “label” in the document.

In fact, item number 2 on this page:

“Rules are sorted by application in the sequence of label, group, and then All Applications (*). Order within labels is determined alphabetically as is order within groups.”

…makes no sense to me.

What is a label?

I think I understand groups, but how do you tag something as “Preferred” in the rule list?

What is the alphabetical sorting key in my instance? NS1? etc.

Finally, is there any other documentation on the BF firewall besides the deployment guide that I may have missed?

Again, thanks so much for the fix. It shows my lack of knowledge on this firewall product, and brought me to ask all these questions.

-jr
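A small policy checker, added here and not part of the thread or of the BigFix Firewall product, that models Arnaud's diagnosis: it parses three of the rules posted above, finds the highest-priority rules matching the gateway HTTP flow, flags the NS2/NS5 tie as a conflict that only the product's (undocumented) tie-break resolves, and shows NS2 deciding once NS5 is moved to normal. It assumes priority order high over normal over low and, because the posted format carries no action attribute, infers block rules from a desc beginning with "Deny" or "Prevent"; the flow dictionaries and the ephemeral local port are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed subset of the thread's ruleset (NS2, NS5, NS25), quotes and "*" restored.
# The format shows no action attribute, so this model treats a desc starting with
# "Deny"/"Prevent" as a block rule and everything else as an allow (assumption).
POLICY = """<Policy>
<Rule id="NS2" zone="1" priority="high" dir="out" prot="tcp_udp" locport="*" remport="*" remaddr="10.32.0.1-10.95.255.255" app="*" account="both" desc="Deny access to Local LAN and other 10. Networks"/>
<Rule id="NS5" zone="1" priority="high" dir="out" prot="tcp" locport="*" remport="80" remaddr="*" app="*" account="both" desc="HTTP out"/>
<Rule id="NS25" zone="1" priority="low" dir="in_out" prot="tcp" locport="*" remport="*" remaddr="*" app="*" account="both" desc="Prevent Everything Else"/>
</Policy>"""
PRIORITY_RANK = {"high": 0, "normal": 1, "low": 2}  # assumed: high beats normal beats low

def addr_matches(spec, ip):
    """spec is '*', one address, or an inclusive 'lo-hi' range as used in the ruleset."""
    if spec == "*":
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-"))
        return lo <= addr <= hi
    return addr == ipaddress.ip_address(spec)

def rule_matches(rule, flow):  # flow: dict with dir, prot, remaddr, remport, locport
    a = rule.attrib
    if a["dir"] != "in_out" and a["dir"] != flow["dir"]:
        return False
    if a["prot"] != "tcp_udp" and a["prot"] != flow["prot"]:
        return False
    for key in ("locport", "remport"):
        if a.get(key, "*") != "*" and int(a[key]) != flow[key]:
            return False
    return addr_matches(a["remaddr"], flow["remaddr"])

def evaluate(policy_xml, flow):
    """(verdict, ids): the highest-priority matching rules decide; 'conflict' means a
    block and an allow tie at that priority, so only the product's tie-break decides."""
    hits = [r for r in ET.fromstring(policy_xml) if rule_matches(r, flow)]
    if not hits:
        return ("no-match", [])
    best = min(PRIORITY_RANK[r.attrib["priority"]] for r in hits)
    top = [r for r in hits if PRIORITY_RANK[r.attrib["priority"]] == best]
    ids = [r.attrib["id"] for r in top]
    deny = {r.attrib["desc"].startswith(("Deny", "Prevent")) for r in top}
    if len(deny) > 1:
        return ("conflict", ids)
    return ("deny" if True in deny else "allow", ids)

# The failing case from the thread: 10.32.0.50 browsing the gateway's web UI (constructed flow).
GATEWAY_HTTP = {"dir": "out", "prot": "tcp", "remaddr": "10.32.0.1", "remport": 80, "locport": 49152}

def after_fix(policy_xml):  # Arnaud's suggestion as applied in the thread: NS5 high -> normal
    return policy_xml.replace('id="NS5" zone="1" priority="high"', 'id="NS5" zone="1" priority="normal"')
```

Running the same flow against the original and the fixed policy shows the difference the thread observed: a same-priority allow/deny overlap before the change, a clean NS2 deny after it.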

(imported comment written by junyoure91)

update: is there any better BF firewall documentation out there I have missed?