This section includes the following topics:
Hosts & Networks
Hosts & Networks configuration items are symbolic names for IP networks. A configuration item can be specified either as a host (a single IP address), as a network, or as a group of hosts or networks. Hosts & Networks configuration items are used heavily throughout a firewall configuration: in routing tables, the rule-set, interface definitions and VPN tunnels, among others.
Using symbolic names has three distinct benefits: it increases readability, reduces the danger of entering incorrect network addresses, and makes it easier to change IP addresses. By using symbolic names instead of numerical IP addresses, you only need to make changes in a single location, rather than in each configuration section where the address appears.
When an Amaranten Firewall is installed, a number of hosts and networks are generated automatically. For example, each Ethernet interface has an IP address and a broadcast address. These addresses are defined as ip_ifN and br_ifN, where ifN is the name of the interface. A network that is reachable through a direct route, that is, connected directly to a firewall interface, is defined as ifNnet.
There is also a pre-defined network named all-nets, residing in the Global Namespace. This network is specified with IP network address 0.0.0.0 and netmask 0.0.0.0, and thus includes all the possible addresses on the Internet. all-nets is used, for instance, in the firewall rule-set when specifying that every single IP address should be dropped or allowed.
There are a number of parameters that are common to all Hosts & Networks. These can be found in the first page, named Hosts & Networks, of the Hosts & Networks properties dialog box.
Name: Specifies the name of the Hosts & Networks item.
Type: The type, which can be one of:
    Host: This item represents a single IP address.
    Network: This item represents an IP network.
    Range: This item represents a range of IP addresses.
    Group: This item is a group of Hosts & Networks items.
The Specification section of the dialog reflects the selected type. The different types are explained in detail in the sections below.
Host
In the sample shown to the right, a host named ip_if1 has been defined as IP address 192.168.101.240. Note: The resolve feature is only a simplifying tool offered by the Security Editor. The firewall will not, for security reasons, rely on DNS servers to resolve IP addresses.
Network
CIDR uses a number (0-32) to denote the size of the network. /24 corresponds to a class C net with 256 addresses (netmask 255.255.255.0), /27 corresponds to a 32-address net (netmask 255.255.255.224). The numbers 0-32 correspond to the number of binary ones in the netmask. In the sample shown to the right, a network named if1net has been defined with a base IP address of 192.168.101.0 and a netmask of 255.255.255.0. Note: Network addresses are specified with the network's base address, not an address that is part of the network such as the IP address of the firewall.
Range
In the sample shown to the right, a range named ip_range has been defined to include IP addresses from 192.168.101.10 to 192.168.101.18.
Group
To create a Hosts & Networks group, first select Group as the item type, and then specify the group members in the second page of the properties dialog box. In the sample shown to the right, a group named Webservers has been created. In this group, the three hosts wwwsrv1, wwwsrv2 and wwwsrv3 have been specified. Now, when this group is used in the firewall rule-set, only one rule is required to match traffic to all three hosts. For more information about how to add and remove group members, please see the section Working with groups.
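As an added illustration (not part of the original documentation or the firewall's own code) of the four item types, the CIDR note and the group behaviour described above, the following Python models a small Hosts & Networks table and resolves whether an IP address is covered by a named item. The table contents, the matches function and the base-address check are constructed for this example; the if1net, ip_range, Webservers and all-nets entries mirror the items described in this section.

```python
import ipaddress

# Constructed table of Hosts & Networks items keyed by symbolic name (not a real
# firewall configuration). Each value is (type, specification) for one of the four types.
OBJECTS = {
    "wwwsrv1": ("host", "192.168.101.11"),
    "wwwsrv2": ("host", "192.168.101.12"),
    "wwwsrv3": ("host", "192.168.101.13"),
    "if1net": ("network", ("192.168.101.0", "255.255.255.0")),
    "ip_range": ("range", ("192.168.101.10", "192.168.101.18")),
    "Webservers": ("group", ["wwwsrv1", "wwwsrv2", "wwwsrv3"]),
    "all-nets": ("network", ("0.0.0.0", "0.0.0.0")),
}

def prefix_to_netmask(prefix: int) -> str:
    """Dotted netmask for a CIDR prefix length: the prefix is the count of leading one bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("CIDR prefix length must be 0-32")
    return str(ipaddress.IPv4Network((0, prefix)).netmask)

def is_base_address(address: str, netmask: str) -> bool:
    """True when address has all host bits zero, i.e. it is the network's base address."""
    addr = int(ipaddress.IPv4Address(address))
    mask = int(ipaddress.IPv4Address(netmask))
    return addr & mask == addr

def matches(name: str, ip: str, table: dict = OBJECTS, _seen=None) -> bool:
    """True if ip is covered by the named item. Groups are resolved member by member;
    _seen guards against a group that (directly or indirectly) contains itself."""
    _seen = set() if _seen is None else _seen
    if name in _seen:
        return False
    _seen.add(name)
    kind, spec = table[name]
    addr = ipaddress.IPv4Address(ip)
    if kind == "host":
        return addr == ipaddress.IPv4Address(spec)
    if kind == "network":
        base, mask = spec
        if not is_base_address(base, mask):  # reject e.g. 192.168.101.240/255.255.255.0
            raise ValueError(f"{name}: {base} is not the base address for netmask {mask}")
        return addr in ipaddress.IPv4Network((base, mask))
    if kind == "range":
        first, last = (ipaddress.IPv4Address(a) for a in spec)
        return first <= addr <= last
    if kind == "group":
        return any(matches(member, ip, table, _seen) for member in spec)
    raise ValueError(f"{name}: unknown type {kind!r}")
```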
For more information about User Authentication, see Enabling User Authentication on network objects in the User Authentication section.