10-30-2020 04:31 AM - edited 11-02-2020 01:33 AM
I want to configure my MSR3012 router to allow all outgoing traffic to the Internet, but block all incoming traffic.
Once I block incoming traffic, returning packets from outgoing connections are blocked as well. I can use an ACL "established" rule to allow return packets from outgoing TCP connections. How do I do the same for UDP?
11-02-2020 05:39 AM
Hi @Rich12!
You are right, the 'established' keyword won't help you with UDP traffic, as UDP doesn't have any session information in its header. What you need to use is an ASPF policy that will inspect your traffic in the outgoing direction of the WAN interface. All MSR routers have a connection tracking feature (enabled by default, cannot be disabled) that tracks all sessions through the router, TCP or UDP, it doesn't matter. An ASPF policy, even an empty one, has transport layer protocol inspection to track TCP and UDP sessions:
The transport layer protocol inspection refers to generic TCP/UDP inspection. It creates session entries to record the transport layer information of the packets to dynamically filter TCP and UDP packets. The transport layer information includes source and destination addresses and port numbers.
Generic TCP/UDP inspection requires that return packets must match the corresponding packets that are previously sent out of the external interface. The return packets must have the same source/destination addresses and source/destination port numbers as the outgoing packets (but reversed). Otherwise, the return packets are blocked. For multichannel application layer protocols like FTP, the deployment of TCP inspection without application layer inspection leads to failure of establishing a data connection.
Taking this information into account, you need to create an ASPF policy that will provide generic TCP/UDP as well as ICMP inspection:
system-view
#
# Let's configure a basic ASPF policy that will track TCP, UDP and ICMP traffic initiated from your LAN:
#
aspf-policy 1
detect tcp
detect udp
detect icmp
#
# Now let's configure an ACL that will drop all unsolicited inbound traffic:
#
acl advanced 3111
rule 10 deny ip
#
# Apply ASPF policy on your Internet-facing port in outbound direction. Blocking ACL will be applied in inbound direction:
#
interface <your WAN port>
aspf apply policy 1 outbound
packet-filter 3111 inbound
This should help you to achieve your desired configuration.
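As an added illustration (not part of the original answer and not Comware code), here is a small Python model of the session-matching rule described above: packets leaving the WAN port create session entries, and an inbound packet passes the deny-all packet-filter only if it matches an entry with addresses and ports reversed. The addresses and ports are constructed from documentation ranges, and the model ignores timeouts and TCP state that the real router also tracks.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp" (for icmp, the identifier goes in both port fields)
    src: str
    sport: int
    dst: str
    dport: int

class AspfModel:
    """Simplified model of 'aspf apply policy 1 outbound' plus
    'packet-filter 3111 inbound' (rule 10 deny ip) on the WAN port."""

    def __init__(self, detect=("tcp", "udp", "icmp")):
        self.detect = set(detect)   # protocols with a 'detect' line in the policy
        self.sessions = set()       # 5-tuples recorded as packets leave the WAN port

    def outbound(self, pkt):
        """Outbound direction: ASPF inspection records a session entry."""
        if pkt.proto in self.detect:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True                 # nothing filters outbound traffic in this setup

    def inbound(self, pkt):
        """Inbound direction: pass only a return packet whose addresses and ports
        are the reverse of a recorded session; everything else hits 'deny ip'."""
        reversed_key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reversed_key in self.sessions

def demo():
    """Constructed traffic using RFC 5737 documentation address ranges."""
    fw = AspfModel()
    lan, dns, ftp, other = "192.0.2.10", "198.51.100.53", "198.51.100.21", "203.0.113.7"
    fw.outbound(Packet("udp", lan, 40001, dns, 53))   # LAN host sends a DNS query
    fw.outbound(Packet("tcp", lan, 50001, ftp, 21))   # LAN host opens an FTP control connection
    fw.outbound(Packet("icmp", lan, 777, dns, 777))   # echo request, identifier 777
    return {
        "dns_reply": fw.inbound(Packet("udp", dns, 53, lan, 40001)),
        "echo_reply": fw.inbound(Packet("icmp", dns, 777, lan, 777)),
        "unsolicited_udp": fw.inbound(Packet("udp", other, 53, lan, 40001)),
        "unsolicited_tcp_syn": fw.inbound(Packet("tcp", other, 51000, lan, 22)),
        # Active-mode FTP: the server opens the data connection from port 20 to a new
        # client port; without application layer inspection it matches no session entry.
        "ftp_active_data": fw.inbound(Packet("tcp", ftp, 20, lan, 50002)),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:20s} {'allowed' if allowed else 'dropped'}")
```

The last case is the multichannel FTP failure the quoted guide warns about; only the DNS and echo replies are let back in.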
11-08-2020 10:46 PM - edited 11-08-2020 10:46 PM
Re: Comware 7 - How to configure firewall to allow all outgoing traffic?
Sorry for the late reply, I was out of the office last week.
Thanks, your solution works.
Unfortunately, the Comware 7 Security Configuration Guide is in contradiction to your solution, which is why I missed it. Same thing with the Security Command Reference.