
May 10, 2017 © 2017 AT&T Intellectual Property. All rights reserved. AT&T and the Globe logo are registered trademarks of AT&T Intellectual Property. AT&T Proprietary (Internal Use Only). Not for use or disclosure outside the AT&T companies except under written agreement.

AT&T Dedicated Internet on Demand

Configuring Your Stateful Firewall

For AT&T Dedicated Internet (formerly known as Managed Internet Service) on Demand

AT&T provides a default stateful firewall from Brocade Communications Systems that’s designed to meet the security needs of most users. When you order a new Internet connection from AT&T, the firewall is automatically included, but there is no option to configure it during the order process. Instead, you’ll see a notice saying that you can configure your firewall settings after you submit your order.

Figure 1 Stateful firewall notice

About Stateful Firewall

A stateful firewall inspects packets in the context of the connection they belong to. It maintains a dynamic state table that records each connection it has seen, along with data about the incoming and outgoing packets of that connection, and it checks every incoming packet against that table. The most intensive inspection happens when a new connection is made: the packets of the new connection are screened against the firewall’s security policy and, if permitted, an entry is added to the state table. Once the connection is in an established state, further packets for it are matched by the state table and allowed through without being evaluated against the policy again, which is what makes established connections faster to process. Note that "established" means the firewall has seen and accepted the connection, not that the traffic is encrypted or otherwise secure.
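The behaviour described above, as an added example that is not part of the original guide and not Brocade’s code: a small Python model of a state table in which the policy runs only for the first packet of a connection. The 5-tuple key, the direction labels and the default policy (outbound permitted, unsolicited inbound denied, which is the default the guide states later) are assumptions of this model.

```python
# Added example, not code from the AT&T guide or from Brocade: a minimal model
# of the state-table behaviour the guide describes. The policy is consulted
# only for the first packet of a connection; later packets of that connection,
# in either direction, hit the state table and pass without a policy check.
# The 5-tuple key, the direction labels and the default policy are assumptions
# made for this model; the guide does not describe the appliance's internals.
from typing import Callable, Dict, List, Tuple

OUTBOUND, INBOUND = "outbound", "inbound"
TCP, UDP = 6, 17

# (protocol, source address, source port, destination address, destination port)
ConnKey = Tuple[int, str, int, str, int]
Policy = Callable[[str, ConnKey], str]


def default_policy(direction: str, key: ConnKey) -> str:
    """Default behaviour stated in the guide: outbound traffic is permitted
    unless a rule denies it; inbound traffic that matches no permit rule is denied."""
    return "permit" if direction == OUTBOUND else "deny"


class StatefulFirewall:
    def __init__(self, new_connection_policy: Policy = default_policy) -> None:
        self._policy = new_connection_policy
        # Dynamic state table: connection key -> direction that opened it.
        self.state: Dict[ConnKey, str] = {}
        self.log: List[str] = []

    def process(self, direction: str, proto: int, src: str, sport: int,
                dst: str, dport: int) -> str:
        forward = (proto, src, sport, dst, dport)
        reverse = (proto, dst, dport, src, sport)
        # Established connection: either direction of the 5-tuple is in the table.
        if forward in self.state or reverse in self.state:
            verdict = "permit (established)"
        else:
            # New connection: this is the only point where the policy is applied.
            decision = self._policy(direction, forward)
            if decision == "permit":
                self.state[forward] = direction   # remember it for the reply traffic
            verdict = f"{decision} (new)"
        self.log.append(f"{direction:8} {src}:{sport} -> {dst}:{dport} {verdict}")
        return verdict


def demo() -> Tuple[str, str, str, str]:
    """Constructed traffic (RFC 1918 / RFC 5737 addresses) showing why an
    inbound default-deny does not break connections the LAN opened."""
    fw = StatefulFirewall()
    # 1. LAN host opens HTTPS to a remote server: new, outbound, permitted by policy.
    opened = fw.process(OUTBOUND, TCP, "10.0.0.5", 51234, "198.51.100.10", 443)
    # 2. The server's reply is inbound, but it matches the state entry, so it
    #    passes without ever being checked against the inbound policy.
    reply = fw.process(INBOUND, TCP, "198.51.100.10", 443, "10.0.0.5", 51234)
    # 3. An unsolicited inbound packet from the same server to a port the LAN
    #    host never used: no state entry, so the policy runs and denies it.
    unsolicited = fw.process(INBOUND, TCP, "198.51.100.10", 443, "10.0.0.5", 51235)
    # 4. A denied connection creates no state, so a retry is evaluated again.
    retry = fw.process(INBOUND, TCP, "198.51.100.10", 443, "10.0.0.5", 51235)
    return opened, reply, unsolicited, retry


if __name__ == "__main__":
    print(demo())
```

Real implementations also track TCP flags and time entries out; the model shows only the decision flow that matters when writing rules: reply packets of a connection the LAN opened never reach the inbound rules, so an inbound rule set can stay tight without breaking outbound use.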

Administrator Firewall Rules

In addition to the default security policy of the stateful firewall, you can define firewall rules for specific connections.

Inbound rules permit or deny connections that match the parameters in the rule. For example, you could define a rule to deny traffic from a specific network or to permit traffic of only a specific transfer protocol.


Outbound rules permit or deny connections that match the parameters in the rule; for example, connections to specified destination IP addresses. By default, outbound traffic is always permitted. You need to set up a specific rule to prevent it.

When you configure your firewall, you can do the following for IPv4, IPv6, and MAC addresses:

Add firewall rules

Move firewall rules up or down in the rule hierarchy

Delete firewall rules

Important: Configuring firewall rules is for advanced users. Incorrectly configuring a firewall rule can severely affect your network traffic by denying connections you want to permit or permitting connections you want to deny.

Accessing the Configuration Environment

To configure your firewall, you’ll need to access an environment outside of AT&T Business Center.

1. Open https://www.att.com/ebiz/sdnom and enter your AT&T Business Center user ID and password. An inventory screen appears.

2. On the inventory page, next to the site you want, click the expand icon.

3. Find the Internet connection you want, click the gear icon, and then, from the menu, select Configure Firewall.

Figure 2 Select Configure Firewall

The Firewall Management environment opens in a new browser window.


Figure 3 Firewall Management environment

Configuring LAN or WAN Rules

You can configure three types of rules for the firewall: rules that apply to a local area network (LAN), rules that apply to a wide area network (WAN), and rules that apply to a specific media access control (MAC) address. For LAN and WAN rules, you can specify rules for IPv4 and IPv6.

Adding a New LAN or WAN Rule

The process for adding a filter rule for a LAN or a WAN is the same. The settings are identical for IPv4 and IPv6, except for the format of the IP address and the subnet mask. To add a new rule:

1. Select the IPv4 Filters tab or the IPv6 Filters tab.

2. Under LAN Rules or WAN Rules, click Add Rule.


Figure 4 Add a LAN rule

Figure 5 Add a WAN rule

A new line appears in the list of rules.

Specifying the Action for the Rule

The action for a firewall rule will be either to permit or deny a packet that matches the parameters of the firewall rule. The firewall parses the rule and applies the action if all the parameters match.

1. Double-click the line in the Action column.


2. From the list, select the action for the rule.

Figure 6 Select action type

Specifying the Source Address

The source address is the IP address of the host that sent the packet, as carried in the packet’s IP header. In an inbound rule, it identifies the remote host (or, with a source mask, the remote network) that the traffic comes from. To specify a source address:

1. Double-click the line in the Src address column.

2. Enter the IP address for the source host. For IPv4, the address must be four blocks of numeric values between 0 and 255.

Figure 7 Add IPv4 source address


For IPv6, the address must be correctly formed as eight 16-bit hexadecimal blocks separated by colons (:) or as a collapsed address with consecutive blocks of zeros indicated by consecutive colons (::).

Figure 8 Add IPv6 source address

The configuration tool validates whether the IPv4 and IPv6 addresses are correctly formatted and displays an error message if the formatting is wrong.

Specifying the Source Mask

The source mask is the subnet prefix length applied to the source address. By providing a source mask, you can apply the firewall rule to an entire subnet rather than to a single host. To specify a source mask for an IPv4 address:

1. Double-click the line in the Src mask column.

2. Type the subnet prefix value as a number between 16 and 32.

Figure 9 Add an IPv4 source mask

The configuration tool validates the prefix you enter and displays an error message if the value is outside the 16 to 32 range.


To specify a source mask for an IPv6 address:

1. Double-click the line in the Src mask column.

2. From the list, select the subnet prefix you want.

Figure 10 Add IPv6 source mask

There is no validation error possible for an IPv6 mask because the entry is restricted to the values in the drop-down list.

Specifying a Source Port

The value in the Src port column is the port number of the source port together with the service conventionally associated with that port. The values available for IPv4 and IPv6 are shown in the following table.

Port Number   Protocol
20            File Transfer Protocol (FTP) – data
21            File Transfer Protocol (FTP) – control
22            SSH – Secure Shell
23            Telnet
25            Simple Mail Transfer Protocol (SMTP)
53            Domain Name System (DNS)
69            Trivial File Transfer Protocol (TFTP)
80            World Wide Web (HTTP)
110           Post Office Protocol v3 (POP3)
143           Internet Message Access Protocol v4 (IMAP4)
443           HTTPS – Hypertext Transfer Protocol over TLS/SSL
465           SMTP over TLS/SSL (SMTPS)
587           SMTP Submission – email submission
993           IMAP4 over TLS/SSL (IMAPS)
995           POP3 over TLS/SSL (POP3S)
8008          CalDAV & CardDAV (HTTP alternate)
8443          CalDAV (PCsync HTTPS)

Table 1 Port numbers and protocols

To specify a source port:

1. Double-click the line in the Src port column.

2. From the list, select a port number/protocol.

If you leave the Src port value empty, the rule applies to traffic from any source port. Keep in mind that the source port is the port on the host that sent the packet. A client normally opens a connection from an ephemeral (high-numbered) port, so a rule with Src port 80 matches packets sent from port 80 (for example, responses coming back from a remote web server), not requests arriving at your own web server on port 80; to match those, use the Dst port value.

Figure 11 Specify a source port

Adding a Destination Address, Mask, and Port

For an outbound rule, you can specify a destination address, destination mask, and destination port the same way that you specify a source address, source mask, and source port. The values define the connection the same way as for an inbound rule, but serve to specifically permit or deny outgoing traffic to the defined address, subnet, or port.


To specify a destination address:

1. Double-click the line in the Dst address column.

2. Enter the IP address for the destination host.

For IPv4, the address must be four blocks of numeric values between 0 and 255.

For IPv6, the address must be correctly formed as eight 16-bit hexadecimal blocks separated by colons (:) or as a collapsed address with consecutive blocks of zeros indicated by consecutive colons (::).

To specify a destination mask for an IPv4 address:

1. Double-click the line in the Dst mask column.

2. Type the subnet prefix value as a number between 16 and 32.

To specify a destination mask for an IPv6 address:

1. Double-click the line in the Dst mask column.

2. From the list, select the subnet prefix you want.

To specify a destination port:

1. Double-click the line in the Dst port column.

2. From the list, select a port number/protocol.

If you leave the Dst port value empty, the rule applies to traffic to any destination port.

Specifying a Protocol Type

The Protocol field is where you specify the protocol type for the packet being received or sent. If you specify a protocol type, only traffic that matches that type is affected by the rule. The Protocol value applies to inbound or outbound rules. The available values are shown in the following table.

Protocol Number Protocol

1 ICMP – Internet Control Message Protocol

6 TCP – Transmission Control Protocol

17 UDP – User Datagram Protocol

Table 2 Protocol numbers

To specify a protocol type:

1. Double-click the line in the Protocol column.

2. From the list, select the protocol type you want.

If you leave the Protocol field empty, any protocol type matches the rule.


Figure 12 Select protocol type

Specifying an ICMP Type

The ICMP Type field is where you specify the Internet Control Message Protocol (ICMP) message type the rule applies to. ICMP runs directly over IP like TCP and UDP, but it carries no application data: it was designed to report errors and support troubleshooting for the Internet Protocol (IP), for example "destination unreachable" replies and ping. Typically, you would specify an ICMP type in a Deny action rule for inbound traffic in order to block specific error messages or troubleshooting traffic from reaching your network. Be selective: Destination Unreachable (type 3) carries the Fragmentation Needed message that Path MTU Discovery depends on, so denying it can break connections to hosts on paths with a smaller MTU. The values available are shown in the following table.

Type   Name
0      Echo Reply – ping response
3      Destination Unreachable
8      Echo – ping request
11     Time Exceeded

Table 3 ICMP types

To specify an ICMP type:

1. Double-click the line in the ICMP Type column.

2. From the list, select the ICMP type you want.

If you want to specify more than one ICMP type, you need to configure multiple rules.


Figure 13 Select ICMP type

Putting the Rule Together

A firewall rule must have at least one parameter besides the action. When the firewall applies the rule, it reads the parameters from left to right and looks for a match on each one that is specified. If all specified parameters match the inbound or outbound packet, the firewall applies the action. If any parameter does not match, the rule is not applied and the packet goes on to the next rule.

It’s unlikely that a single rule will address all situations, so it’s a best practice not to try to define too much in one rule. If you configure an overly complicated rule, you may end up with it never being applied because the bar is set too high; you’ll get better results defining multiple simple rules. Typically, you’ll need several rules anyway because each rule can hold only one value for each parameter. For example, if you want to deny inbound ICMP traffic for both echo and echo reply pings, you’d need to configure one rule with a deny action for the Echo Reply ICMP type and another one for the Echo ICMP type. You don’t need any other parameters.

Configuring MAC Filters

A Media Access Control (MAC) address identifies a network interface on a device, such as a server, router, or switch. A MAC filter in your firewall allows you to simply permit or deny inbound or outbound traffic for a specific MAC address. There are no parameters other than the action and the address. Keep in mind that a MAC address is only visible on the directly attached network segment and can be set freely by the sender, so a MAC filter is a convenience for managing known local devices rather than an authentication control. To add a MAC filter:

1. Select the MAC Filters tab.

2. Under LAN Rules, click Add Rule.


Figure 14 Add a MAC filter rule

To specify the action for the MAC filter:

1. Double-click the line in the Action column.

2. From the list, select the action for the rule.

Figure 15 Specify action for MAC filter

To specify a MAC address:

1. Double-click the line in the MAC Address column.

2. Enter the MAC address. A MAC address is a 48-bit address in six two-character hexadecimal blocks separated by colons (:). The configuration tool validates for the proper format and displays an error message if the format is wrong.
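The formats the guide gives for IPv4 and IPv6 addresses, the IPv4 prefix range and MAC addresses, as an added example that is not part of the original guide: Python checks that mirror what the guide says the configuration tool validates, so a batch of rules can be checked before they are typed in. The names valid_ipv4, valid_ipv6, valid_ipv4_prefix, valid_ipv6_prefix, valid_mac and rule_errors are this example’s own, and IPV6_PREFIXES is an assumed list, because the guide only says the IPv6 mask comes from a drop-down and does not list its values.

```python
# Added example, not code from the AT&T guide: the format checks the guide says
# the configuration tool performs, written as stand-alone functions so a rule
# can be checked before it is typed in. The limits are the ones the guide
# states (four decimal octets of 0-255; eight 16-bit hex blocks or one "::"
# compression; an IPv4 prefix of 16-32; six colon-separated hex pairs for a
# MAC). IPV6_PREFIXES is an assumption: the guide only says the IPv6 mask is
# chosen from a drop-down list and does not list its values.
import re
from ipaddress import AddressValueError, IPv6Address
from typing import List, Optional

IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$", re.ASCII)
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
IPV6_CHARS = set("0123456789abcdefABCDEF:")
IPV6_PREFIXES = (32, 48, 56, 64, 128)   # assumed drop-down values, not from the guide


def valid_ipv4(text: str) -> bool:
    """Four numeric blocks, each 0-255 (the guide's IPv4 format)."""
    m = IPV4_RE.match(text)
    return m is not None and all(int(octet) <= 255 for octet in m.groups())


def valid_ipv6(text: str) -> bool:
    """Eight 16-bit hex blocks separated by colons, or a collapsed form with
    one '::'. Embedded-IPv4 and scope-id forms are rejected because the guide
    does not describe them."""
    if not text or not set(text) <= IPV6_CHARS:
        return False
    try:
        IPv6Address(text)
    except AddressValueError:
        return False
    return True


def valid_ipv4_prefix(prefix: int) -> bool:
    """The tool accepts an IPv4 prefix length of 16 to 32 only."""
    return isinstance(prefix, int) and 16 <= prefix <= 32


def valid_ipv6_prefix(prefix: int) -> bool:
    """Restricted to the drop-down values (assumed list above)."""
    return prefix in IPV6_PREFIXES


def valid_mac(text: str) -> bool:
    """48 bits as six two-character hex blocks separated by colons."""
    return MAC_RE.match(text) is not None


def rule_errors(family: int, addr: Optional[str] = None, prefix: Optional[int] = None,
                mac: Optional[str] = None) -> List[str]:
    """Collect the error messages the tool would raise for one rule's address fields."""
    if family not in (4, 6):
        return [f"unknown address family {family!r}"]
    errors: List[str] = []
    if addr is not None and not (valid_ipv4(addr) if family == 4 else valid_ipv6(addr)):
        errors.append(f"malformed IPv{family} address: {addr!r}")
    if prefix is not None and not (valid_ipv4_prefix(prefix) if family == 4
                                   else valid_ipv6_prefix(prefix)):
        errors.append(f"IPv{family} prefix {prefix!r} is not an accepted value")
    if mac is not None and not valid_mac(mac):
        errors.append(f"malformed MAC address: {mac!r}")
    return errors


if __name__ == "__main__":
    # Constructed inputs from the RFC 5737 / RFC 3849 documentation ranges.
    print(rule_errors(4, addr="203.0.113.0", prefix=24))        # []
    print(rule_errors(4, addr="203.0.113.300", prefix=8))       # two errors
    print(rule_errors(6, addr="2001:db8::1::2", mac="00:1a:2b:3c:4d:5e"))
```

One consequence of the 16 to 32 range is worth noting: a single IPv4 rule can cover at most a /16, so denying a larger aggregate takes several rules, one per /16.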


Figure 16 Specify a MAC address

Ordering Firewall Rules

When a packet arrives at the firewall, the firewall applies the rules in order from the top to the bottom of the list. If a packet matches the parameters in the first rule in the list, the firewall takes the action specified and either permits the packet through the firewall or denies it. If the packet doesn’t match the first rule, the firewall checks it against the second rule, and so on. Whenever a packet matches a rule, that rule’s action is taken and no further rules are checked. If a packet matches none of the rules, it’s denied by default.

The order of the rules is therefore important: a broad permit placed above a narrower deny makes the deny unreachable. Place the more specific rules, typically the exceptions you want to deny, above the broader rules they carve out of. For example, if you want to allow all HTTP traffic except for traffic from a specified subnet, you would create two rules in the following order:

A rule with a deny action with the Src address and Src mask values for the subnet you want to deny.

A rule with a permit action and 80-World Wide Web (HTTP) specified for the Src port value.

Any packets that don’t match the first rule are checked against the second rule, so traffic that is not from the specified subnet is checked for the HTTP port and, if it matches, permitted through the firewall. If you placed the second rule first, HTTP traffic from the subnet would be passed through the firewall because the permit rule matches it first and the deny rule is never consulted. To move a rule up:

1. In the list of rules, click the rule you want to move.

2. On the menu, click Move Rule Up. The rule moves up one line each time you click.


Figure 17 Move a rule up

To move a rule down:

1. In the list of rules, click the rule you want to move.

2. On the menu, click Move Rule Down. The rule moves down one line each time you click.

Figure 18 Move a rule down
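The matching and ordering semantics described in "Putting the Rule Together" and "Ordering Firewall Rules", as an added example that is not part of the original guide: a Python model in which rules are checked top to bottom, every set parameter must match, an empty parameter matches anything, and a packet that matches nothing is denied. It runs the guide’s two-rule HTTP example in both orders, the two-rule ICMP echo example (with a permit-all-ICMP rule added beneath the denies so the carve-out is visible), and an IPv6 variant. Packet, Rule, evaluate and the example functions are this example’s own names, and the addresses are constructed from documentation ranges.

```python
# Added example, not code from the AT&T guide: a model of the rule-evaluation
# semantics the guide describes under "Putting the Rule Together" and
# "Ordering Firewall Rules". Every parameter a rule sets must match; an empty
# parameter matches anything; rules are tried top to bottom and the first match
# decides; a packet that matches no rule is denied. Addresses are from the
# RFC 5737 / RFC 3849 documentation ranges and are constructed for this example.
from dataclasses import dataclass, fields
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PERMIT, DENY = "permit", "deny"
ICMP, TCP, UDP = 1, 6, 17            # protocol numbers (Table 2)
ECHO_REPLY, ECHO = 0, 8              # ICMP types (Table 3)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str
    src_addr: Optional[str] = None
    src_mask: Optional[int] = None    # prefix length; None means the single host
    dst_addr: Optional[str] = None
    dst_mask: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: Optional[int] = None
    icmp_type: Optional[int] = None

    def __post_init__(self) -> None:
        # The guide: a rule must have at least one parameter besides the action.
        if all(getattr(self, f.name) is None for f in fields(self) if f.name != "action"):
            raise ValueError("rule has no parameters besides the action")

    def matches(self, pkt: Packet) -> bool:
        checks = [
            (self.src_addr, lambda: _in_subnet(pkt.src, self.src_addr, self.src_mask)),
            (self.dst_addr, lambda: _in_subnet(pkt.dst, self.dst_addr, self.dst_mask)),
            (self.src_port, lambda: pkt.src_port == self.src_port),
            (self.dst_port, lambda: pkt.dst_port == self.dst_port),
            (self.proto, lambda: pkt.proto == self.proto),
            (self.icmp_type, lambda: pkt.icmp_type == self.icmp_type),
        ]
        # Only set parameters are tested, and every one of them has to match.
        return all(check() for value, check in checks if value is not None)


def _in_subnet(addr: str, rule_addr: str, prefix: Optional[int]) -> bool:
    host = ip_address(addr)
    if prefix is None:
        prefix = host.max_prefixlen          # no mask: match exactly this host
    try:
        net = ip_network(f"{rule_addr}/{prefix}", strict=False)
    except ValueError:
        return False
    return host.version == net.version and host in net


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    for rule in rules:                       # top to bottom, first match wins
        if rule.matches(pkt):
            return rule.action
    return DENY                              # matched nothing: denied by default


def http_example(deny_first: bool) -> Tuple[str, str, str]:
    """The guide's ordering example: permit HTTP except from one subnet."""
    deny_subnet = Rule(DENY, src_addr="203.0.113.0", src_mask=24)
    permit_http = Rule(PERMIT, proto=TCP, src_port=80)
    rules = [deny_subnet, permit_http] if deny_first else [permit_http, deny_subnet]
    from_denied_subnet = Packet("203.0.113.7", "198.51.100.10", TCP, src_port=80, dst_port=51000)
    from_elsewhere = Packet("192.0.2.5", "198.51.100.10", TCP, src_port=80, dst_port=51001)
    not_http = Packet("192.0.2.5", "198.51.100.10", TCP, src_port=443, dst_port=51002)
    return tuple(evaluate(rules, p) for p in (from_denied_subnet, from_elsewhere, not_http))


def icmp_example() -> Tuple[str, str, str]:
    """Each rule holds one ICMP type, so blocking echo and echo reply takes two
    deny rules; they sit above a broader permit (added here) that they carve out of."""
    rules = [Rule(DENY, icmp_type=ECHO), Rule(DENY, icmp_type=ECHO_REPLY), Rule(PERMIT, proto=ICMP)]
    pkts = [Packet("192.0.2.9", "198.51.100.10", ICMP, icmp_type=t) for t in (ECHO, ECHO_REPLY, 3)]
    return tuple(evaluate(rules, p) for p in pkts)


def ipv6_example() -> Tuple[str, str]:
    """Same matching for IPv6: a /48 deny above a permit for all TCP."""
    rules = [Rule(DENY, src_addr="2001:db8:1::", src_mask=48), Rule(PERMIT, proto=TCP)]
    inside = Packet("2001:db8:1:2::5", "2001:db8:ffff::1", TCP, src_port=40000, dst_port=443)
    outside = Packet("2001:db8:2::5", "2001:db8:ffff::1", TCP, src_port=40001, dst_port=443)
    return evaluate(rules, inside), evaluate(rules, outside)


if __name__ == "__main__":
    print("correct order:", http_example(True), " wrong order:", http_example(False))
    print("icmp:", icmp_example(), " ipv6:", ipv6_example())
```

With the deny above the permit, the packet from the denied subnet is dropped and HTTP from elsewhere passes; swap the two rules and the subnet’s HTTP traffic is permitted because the permit matches first. The ICMP run shows the second point from the guide: two single-type deny rules are needed, and they only do anything if a broader permit follows them, since an unmatched packet is denied anyway.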

Editing Firewall Rules

You can edit any existing firewall rule or MAC filter. The edit can be to change any parameter, remove a parameter, change the action, etc. To change a firewall rule parameter:

1. Double-click the value in the firewall rule that you want to change.

2. Enter the new value or, if the value is from a list, select a new value from the list.


Figure 19 Change a rule parameter

To delete a firewall rule parameter:

1. Double-click the value in the firewall rule that you want to remove.

2. Clear the value or, if the value is from a list, select the blank item at the top of the list.

Figure 20 Select the empty line in the list

Deleting Firewall Rules

When a firewall rule or MAC filter is no longer needed, you can delete it. Be careful when deleting firewall rules that you don’t create an issue with the order in which rules are applied: removing a deny rule that sat above a broad permit silently widens what that permit allows. To delete a firewall rule:

1. In the list of rules, click the rule you want to delete.

2. On the menu, click Delete Rule.


Figure 21 Delete a rule

Saving the Firewall Rules

At any time after you make a change or addition to your firewall configuration, you can save your changes. To save your firewall changes:

At the bottom left of the firewall configuration window, click Save.

Figure 22 Save the firewall rules

Closing the Configuration Environment

After you complete and save all changes or additions for your firewall configuration, you can exit the configuration environment. To exit the firewall configuration environment:

At the bottom left of the firewall configuration window, click Close.


Figure 23 Close the configuration environment