ipfilter problem on FabricOS 6.2.0b

Sergey Akifiev_1

Hi, all.
Due to the requirement to block all arbitrary access to our FC switches, we have set up a new policy which denies telnet access.
Now, because of a mass IP address change, we ought to modify that policy. In order not to fiddle with each distinct rule in that policy, I activated the default 'default_ipv4' policy, dropped the custom one, then saved it and tried to activate it. But BANG!

Red_VC_Core:sergey> ipfilter --activate blocktelnet
Specified IP filter policy not found
Red_VC_Core:sergey> ipfilter --show

Name: default_ipv4, Type: ipv4, State: defined
Rule  Source IP  Protocol  Dest Port   Action
1     any        tcp       22          permit
2     any        tcp       23          permit
3     any        tcp       897         permit
4     any        tcp       898         permit
5     any        tcp       111         permit
6     any        tcp       80          permit
7     any        tcp       443         permit
8     any        udp       161         permit
9     any        udp       111         permit
10    any        udp       123         permit
11    any        tcp       600 - 1023  permit
12    any        udp       600 - 1023  permit

Name: default_ipv6, Type: ipv6, State: active
Rule  Source IP  Protocol  Dest Port   Action
1     any        tcp       22          permit
2     any        tcp       23          permit
3     any        tcp       897         permit
4     any        tcp       898         permit
5     any        tcp       111         permit
6     any        tcp       80          permit
7     any        tcp       443         permit
8     any        udp       161         permit
9     any        udp       111         permit
10    any        udp       123         permit
11    any        tcp       600 - 1023  permit
12    any        udp       600 - 1023  permit

Name: blocktelnet, Type: ipv4, State: defined
Rule  Source IP  Protocol  Dest Port   Action
1     any        tcp       23          deny
2     any        tcp       897         permit
3     any        tcp       898         permit
4     any        tcp       111         permit
5     any        udp       161         permit
6     any        udp       111         permit
7     any        udp       123         permit
8     any        tcp       600 - 1023  permit
9     any        udp       600 - 1023  permit
10    x.x.x.28   tcp       22          permit
11    x.x.x.28   tcp       80          permit
12    x.x.x.28   tcp       443         permit
13    x.x.x.105  tcp       22          permit
14    x.x.x.105  tcp       80          permit
15    x.x.x.105  tcp       443         permit
16    x.x.x.217  tcp       22          permit
17    x.x.x.228  tcp       22          permit
18    x.x.x.70   tcp       22          permit
Red_VC_Core:sergey>


(Note that the default policy is also not active for some reason.)
It seems, though, that the new policy is active, judging by the inability to access the switch from the old IP addresses.

I was using the following procedure:

ipfilter --activate default_ipv4
ipfilter --delete blocktelnet

ipfilter --addrule ...
...
ipfilter --addrule ...

ipfilter --activate blocktelnet
ipfilter --save blocktelnet

What have I done wrong?
qvcc

Re: ipfilter problem on FabricOS 6.2.0b

Try this:

ipfilter --clone new_ipv4 -from default_ipv4
ipfilter --addrule new_ipv4 -rule 2 -sip any -dp 23 -proto tcp -act deny
ipfilter --delrule new_ipv4 -rule 3
ipfilter --save new_ipv4
ipfilter --activate new_ipv4
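The reply's sequence only works because of rule order: FOS applies a policy's rules in number order, so the new deny for tcp/23 has to be inserted above the cloned permit, and the permit that shifts down to rule 3 has to be deleted or it merely becomes dead. The Python script below is an added example, not code from the thread or from Brocade/HPE: it parses `ipfilter --show` output, reports which ipv4 policy is active (the thread's symptom was none), simulates first-match evaluation for a given source, protocol and port, flags rules that an earlier rule shadows, and rehearses the clone / addrule / delrule steps offline before they are typed into a switch. The sample listing and its documentation-range addresses are constructed; the script also assumes that traffic matching no rule is dropped (which is how an allow-list style default policy reads), so check that against the admin guide for your FOS release. All function and variable names are mine.

```python
"""Offline checker for Brocade FOS `ipfilter --show` output (added example).

Assumption: traffic that matches no rule is dropped (implicit deny), which is
what an allow-list default policy implies; verify for your FOS release.
"""
import ipaddress
import re

# Constructed sample in the layout of `ipfilter --show`; the addresses are
# documentation-range placeholders, not the hosts from the thread.
SAMPLE_SHOW = """\
Name: default_ipv4, Type: ipv4, State: active
Rule Source IP Protocol Dest Port Action
1 any tcp 22 permit
2 any tcp 23 permit
3 any tcp 897 permit
4 any udp 161 permit
5 any tcp 600 - 1023 permit

Name: blocktelnet, Type: ipv4, State: defined
Rule Source IP Protocol Dest Port Action
1 any tcp 23 deny
2 192.0.2.28 tcp 22 permit
3 192.0.2.0/24 tcp 443 permit
"""

HEADER_RE = re.compile(r"Name:\s*(\S+),\s*Type:\s*(\S+),\s*State:\s*(\S+)")
RULE_RE = re.compile(
    r"(\d+)\s+(\S+)\s+(tcp|udp)\s+(\d+)(?:\s*-\s*(\d+))?\s+(permit|deny)$")


def parse_ipfilter_show(text):
    """Return {policy_name: {"type": ..., "state": ..., "rules": [...]}}."""
    policies, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = {"type": m.group(2), "state": m.group(3), "rules": []}
            policies[m.group(1)] = cur
            continue
        if not line or line.startswith("Rule") or cur is None:
            continue  # blank line or column header
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed rule line: %r" % line)
        lo = int(m.group(4))
        cur["rules"].append({"sip": m.group(2), "proto": m.group(3),
                             "lo": lo, "hi": int(m.group(5) or lo),
                             "action": m.group(6)})
    return policies


def _src_matches(rule_sip, src):
    """'any', a single address, or a CIDR prefix in the Source IP column."""
    if rule_sip == "any":
        return True
    return ipaddress.ip_address(src) in ipaddress.ip_network(rule_sip, strict=False)


def evaluate(policy, src, proto, port):
    """First matching rule decides; no match falls through to the assumed deny."""
    for r in policy["rules"]:
        if r["proto"] == proto and r["lo"] <= port <= r["hi"] and _src_matches(r["sip"], src):
            return r["action"]
    return "deny"


def active_policy(policies, family="ipv4"):
    """Name of the active policy of that family, or None (the thread's symptom)."""
    for name, p in policies.items():
        if p["type"] == family and p["state"] == "active":
            return name
    return None


def add_rule(policy, num, sip, proto, port, action):
    """Model `ipfilter --addrule <pol> -rule num ...`: insert, later rules shift down."""
    policy["rules"].insert(num - 1, {"sip": sip, "proto": proto,
                                     "lo": port, "hi": port, "action": action})


def del_rule(policy, num):
    """Model `ipfilter --delrule <pol> -rule num`."""
    del policy["rules"][num - 1]


def shadowed_rules(policy):
    """1-based numbers of rules an earlier rule fully covers, so they never match."""
    out, rules = [], policy["rules"]
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if (e["proto"] == r["proto"] and e["lo"] <= r["lo"] and r["hi"] <= e["hi"]
                    and (e["sip"] == "any" or e["sip"] == r["sip"])):
                out.append(i + 1)
                break
    return out


def rehearse_reply():
    """Walk the reply's clone / addrule / delrule steps on the sample default policy."""
    pols = parse_ipfilter_show(SAMPLE_SHOW)
    new = {"type": "ipv4", "state": "defined",
           "rules": [dict(r) for r in pols["default_ipv4"]["rules"]]}  # --clone
    add_rule(new, 2, "any", "tcp", 23, "deny")   # deny telnet above the old permit
    shadow_before = shadowed_rules(new)          # the old permit, now rule 3, is dead
    del_rule(new, 3)                             # remove it, as the reply does
    return new, shadow_before
```

Paste real `ipfilter --show` output into `parse_ipfilter_show` and probe `evaluate` with your own management hosts and tcp/22 before activating: a policy that denies ssh from the host you are logged in from is the kind of mistake this thread is one step away from. `shadowed_rules` is the check that would have caught the deny being added below an existing permit instead of above it.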