ScreenOS Cookbook by Sunil Wadhwa, Joe Kelly, Ken Draper, David Delcourt, Vik Davar, Stefan Brunner

7.6. Configure a Reject Policy

Problem

You want to configure a ScreenOS policy that drops a packet and returns a notification to the source.

Solution

Figure 7-3 shows the Internal_fw gateway and its interfaces in the context of an inter-zone firewall policy that rejects any traffic initiated from the Andromeda server to the Orion host.

Figure 7-3. "Reject" policy configuration

The reject policy is thus configured as follows:

	Internal_fw-> set policy from Secure_Servers to Trust Andromeda Orion any reject log

Discussion

Although the more commonly used ScreenOS deny policy drops unwanted traffic without notifying the source, the reject action returns a TCP Reset to the source for TCP connection requests and an ICMP Destination Unreachable for UDP connection requests. A reject policy therefore costs the ScreenOS gateway an additional step: it must respond to unwanted packets instead of silently dropping them.

In the solution to this recipe, if Andromeda (192.168.1.30) initiates a Telnet session to Orion (192.168.4.10), the Internal_fw ScreenOS gateway rejects the packets and returns a TCP packet to Orion with the RST flag set. A debug flow basic capture of this transaction follows:

	Internal_fw-> debug flow basic
	Internal_fw-> get dbuf stream
	**** 13542.0: <Secure_Servers/ethernet0/0> packet received [48]****
	ipid = 62612(f494), ...
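As an added example (not code from the book), a small Python audit that parses single-line ScreenOS policy statements of the form used in this recipe, reports what a matching source would receive (TCP RST, ICMP Destination Unreachable, or nothing), and flags reject policies whose source zone is untrusted as well as drops configured without log. The zone name Untrust and every sample line except the recipe's own policy are constructed.

```python
import re

# Single-line ScreenOS policy syntax as in this recipe ("id N" is the numbered form):
#   set policy [id N] from <src_zone> to <dst_zone> <src> <dst> <service> <action> [log]
POLICY_RE = re.compile(
    r"^set policy(?: id \d+)? from (?P<src_zone>\S+) to (?P<dst_zone>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<svc>\S+) (?P<action>permit|deny|reject)(?P<log> log)?$"
)

def parse_policy(line):
    """Parse one 'set policy' line into a dict; return None for any other config line."""
    m = POLICY_RE.match(line.strip())
    if not m:
        return None
    p = m.groupdict()
    p["log"] = p["log"] is not None
    return p

def expected_response(policy, proto):
    """What the source sees for a matching packet: reject answers, deny stays silent."""
    if policy["action"] == "permit":
        return "forwarded"
    if policy["action"] == "deny":
        return "silent drop"
    return "TCP RST" if proto == "tcp" else "ICMP Destination Unreachable"

def audit(config_lines, untrusted_zones=("Untrust",)):
    """Flag reject policies facing an untrusted zone and drops that are not logged."""
    findings = []
    for line in config_lines:
        p = parse_policy(line)
        if p is None:
            continue
        if p["action"] == "reject" and p["src_zone"] in untrusted_zones:
            findings.append(f"{line.strip()}: reject answers {p['src_zone']} with RST/ICMP; consider deny")
        if p["action"] in ("deny", "reject") and not p["log"]:
            findings.append(f"{line.strip()}: dropped without 'log'; blocked traffic leaves no record")
    return findings

# Constructed sample config; the first line is the recipe's own policy.
SAMPLE_CONFIG = [
    "set policy from Secure_Servers to Trust Andromeda Orion any reject log",
    "set policy from Untrust to Trust any Orion any reject",
    "set policy from Trust to Untrust any any any permit",
    "set interface ethernet0/0 zone Secure_Servers",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```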