You want to configure a ScreenOS policy that drops a packet and returns a notification to the source.
Figure 7-3 shows the Internal_fw gateway and its interfaces in the context of an inter-zone firewall policy that rejects any traffic initiated from the Andromeda server to the Orion host.
Figure 7-3. "Reject" policy configuration
The reject policy is therefore configured as follows:
set policy from Secure_Servers to Trust Andromeda Orion any reject log
Although the more commonly used ScreenOS deny policy drops unwanted traffic without notifying the source, the reject action returns a TCP Reset (RST) to the source for TCP connection requests and an ICMP Destination Unreachable message for UDP connection requests. A reject policy therefore adds a step for the ScreenOS gateway: it has to respond to unwanted packets instead of silently dropping them.
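To make the deny-versus-reject distinction concrete, here is an added example (not code from the ScreenOS Cookbook or from Juniper) that models ScreenOS policy lookup and the reply the source host would receive. It parses set policy lines in the syntax used above, matches a packet top-down against them, and reports whether the source sees nothing (deny), a TCP RST or ICMP Destination Unreachable (reject), or forwarded traffic (permit). The zone and host names and Andromeda's address come from the recipe; the Packet class, the service table, Orion's placeholder address, and the second (catch-all deny) policy line are constructed assumptions, as is the choice to treat non-TCP/UDP rejects as a silent drop.

```python
"""Added example: a small model of how a ScreenOS 'deny' vs 'reject' policy
answers the source. Policy matching and the address/service tables here are
assumptions for illustration, not Juniper's implementation."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed service table: name -> (protocol, destination port). "any" matches all.
SERVICES = {"telnet": ("tcp", 23), "dns": ("udp", 53), "http": ("tcp", 80)}

# Constructed per-zone address book. Andromeda's address is from the recipe;
# Orion's address is a placeholder (the page does not give it).
ADDRESS_BOOK = {
    "Secure_Servers": {"Andromeda": "192.168.1.30"},
    "Trust": {"Orion": "10.0.0.10"},  # placeholder value
}


@dataclass
class Policy:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    service: str
    action: str  # permit | deny | reject
    log: bool


@dataclass
class Packet:
    from_zone: str   # ingress zone, as shown in "<Secure_Servers/ethernet0/0>"
    to_zone: str
    src_ip: str
    dst_ip: str
    proto: str       # "tcp" or "udp"
    dport: int


def parse_policy(line: str) -> Policy:
    """Parse one 'set policy from A to B SRC DST SVC ACTION [log]' line."""
    t = line.split()
    if t[:3] != ["set", "policy", "from"] or len(t) < 10 or t[4] != "to":
        raise ValueError(f"not a policy line: {line!r}")
    action = t[9]
    if action not in ("permit", "deny", "reject"):
        raise ValueError(f"unknown action {action!r}")
    return Policy(t[3], t[5], t[6], t[7], t[8], action, "log" in t[10:])


def _addr_match(zone: str, name: str, ip: str) -> bool:
    return name == "any" or ADDRESS_BOOK.get(zone, {}).get(name) == ip


def _svc_match(name: str, proto: str, dport: int) -> bool:
    return name == "any" or SERVICES.get(name) == (proto, dport)


def lookup(policies: List[Policy], pkt: Packet) -> Optional[Policy]:
    """Return the first policy that matches, evaluated top-down."""
    for p in policies:
        if (p.from_zone == pkt.from_zone and p.to_zone == pkt.to_zone
                and _addr_match(p.from_zone, p.src, pkt.src_ip)
                and _addr_match(p.to_zone, p.dst, pkt.dst_ip)
                and _svc_match(p.service, pkt.proto, pkt.dport)):
            return p
    return None


def response_to_source(policies: List[Policy], pkt: Packet) -> Tuple[str, Optional[str], bool]:
    """What the sender observes: (action, reply sent back or None, logged)."""
    p = lookup(policies, pkt)
    if p is None:
        # No matching inter-zone policy: modelled as a silent, unlogged drop.
        return ("deny", None, False)
    if p.action == "permit":
        return ("permit", "forwarded", p.log)
    if p.action == "deny":
        return ("deny", None, p.log)        # dropped, nothing goes back
    # reject: TCP gets a RST, UDP an ICMP Destination Unreachable (per the recipe).
    # Other protocols are treated as a silent drop here (assumption).
    reply = {"tcp": "TCP RST", "udp": "ICMP Destination Unreachable"}.get(pkt.proto)
    return ("reject", reply, p.log)


# Constructed policy set: the recipe's reject policy plus an assumed catch-all deny.
CONFIG = [
    "set policy from Secure_Servers to Trust Andromeda Orion any reject log",
    "set policy from Secure_Servers to Trust any any any deny",
]
POLICIES = [parse_policy(line) for line in CONFIG]

if __name__ == "__main__":
    orion = ADDRESS_BOOK["Trust"]["Orion"]
    for pkt in (Packet("Secure_Servers", "Trust", "192.168.1.30", orion, "tcp", 23),
                Packet("Secure_Servers", "Trust", "192.168.1.30", orion, "udp", 53),
                Packet("Secure_Servers", "Trust", "192.168.1.31", orion, "tcp", 23)):
        print(pkt.src_ip, pkt.proto, pkt.dport, "->", response_to_source(POLICIES, pkt))
```

Running it shows the asymmetry the text describes: Andromeda's Telnet attempt gets a RST back, its UDP traffic gets an ICMP unreachable, while a host that only hits the deny line gets no reply at all and has to wait for its own timeout.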
In the solution to this recipe, if Andromeda (192.168.1.30) initiates a Telnet session to Orion, the Internal_fw ScreenOS gateway rejects the packets and returns a TCP packet to Orion with the RST flag set. A debug flow basic capture of this transaction is as follows:
Internal_fw-> debug flow basic
Internal_fw-> get dbuf stream
**** 13542.0: <Secure_Servers/ethernet0/0> packet received ****
  ipid = 62612(f494), ...