Our security control group requires us to reject API service requests on URLs that contain the API Gateway hostname, i.e. https://<gateway hostname>:8443/<service>, and to allow only traffic from a specific server, which serves as a load balancer, to send requests to the gateway through port 8443.
| Option              | Value                                 |
|---------------------|---------------------------------------|
| Rule Name           | Authorized HTTPS Traffic              |
| Interface           | All                                   |
| Type                | Filter                                |
| Packet State        | INPUT                                 |
| General Options     |                                       |
| Protocol            | tcp                                   |
| Source Address      | <IP address of load balancer server>  |
| Destination Address | <IP address of gateway server>        |
| TCP Options         |                                       |
| Destination Port    | 8443                                  |
| Rule Action         | ACCEPT                                |

| Option              | Value                                 |
|---------------------|---------------------------------------|
| Rule Name           | Rejected HTTPS Traffic                |
| Interface           | All                                   |
| Type                | Filter                                |
| Packet State        | INPUT                                 |
| General Options     |                                       |
| Protocol            | tcp                                   |
| Source Address      | (left blank, so any source)           |
| Destination Address | <IP address of gateway>               |
| TCP Options         |                                       |
| Destination Port    | 8443                                  |
| Rule Action         | DROP                                  |
However, the rules do not seem to work with port 8443.
Gateway 11.x
The gateway reserves port 8443 for administration tasks performed through the Policy Manager, so predefined firewall rules that allow traffic to port 8443 are built in and loaded when the gateway starts. These predefined rules take priority over user-defined firewall rules, so a user-defined rule for port 8443 may not behave as expected.
Some possible workarounds:
1. Use a port other than the reserved 8443 for the service and apply the firewall rules to that port
2. Redirect traffic from port 8443 to another port internally
3. Use a global policy fragment (such as message-received) to check the remote IP address/port and drop the request if it does not come from the specified source
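The following shell script is an added example, not code from the original article or from the gateway product. It renders the two INPUT rules that correspond to the Authorized/Rejected table above in iptables-save syntax for a configurable listener port (workaround 1, a port other than the reserved 8443), and it checks an `iptables -S INPUT` listing for the failure mode the answer describes: an earlier, source-unrestricted ACCEPT for the same port that is matched before the user-defined pair is ever reached. The addresses (10.0.0.5, 10.0.0.10), the alternative port 9443 and the rule listing are all constructed for the example; on a real appliance the listing would come from `iptables -S INPUT`, not from the constructed variable.

```shell
#!/bin/sh
# Added example, not from the original article or the gateway product:
# renders the two INPUT rules from the Authorized/Rejected table for a
# configurable listener port (workaround 1, a port other than the reserved
# 8443) and checks an `iptables -S INPUT` listing for the failure mode the
# article describes, an earlier unrestricted ACCEPT that shadows the
# user-defined rules. Every address, port and listing below is constructed.

# Reject anything that is not a dotted quad with octets 0-255, so a typo
# cannot produce a rule with a malformed -s/-d address.
valid_ipv4() {
    ip=$1
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print, in iptables-save syntax, the ACCEPT rule for the load balancer
# followed by the catch-all DROP for the gateway address on the given port.
# Order matters: the DROP must come after the ACCEPT, and both must come
# before any broader ACCEPT for the same port to have any effect.
render_rules() {
    lb=$1
    gw=$2
    port=$3
    valid_ipv4 "$lb" || { echo "bad load balancer address: $lb" >&2; return 1; }
    valid_ipv4 "$gw" || { echo "bad gateway address: $gw" >&2; return 1; }
    printf -- '-A INPUT -p tcp -s %s -d %s --dport %s -j ACCEPT\n' "$lb" "$gw" "$port"
    printf -- '-A INPUT -p tcp -d %s --dport %s -j DROP\n' "$gw" "$port"
}

# Read an `iptables -S INPUT` listing on stdin and succeed (exit 0) when the
# first rule matching --dport PORT is an ACCEPT with no -s restriction,
# i.e. a rule that lets any source in before the user-defined pair is reached.
is_shadowed() {
    port=$1
    first=$(grep -- "--dport $port " | head -n 1)
    [ -n "$first" ] || return 1          # no rule for that port at all
    case "$first" in
        *" -s "*) return 1 ;;             # source-restricted, not a blanket accept
        *"-j ACCEPT") return 0 ;;         # unrestricted accept: shadows later rules
        *) return 1 ;;
    esac
}

# Constructed listing in `iptables -S INPUT` form (iptables normalises the
# rules it loads, which is why "-m tcp" and "/32" appear here). A built-in
# ACCEPT for 8443 loaded at start-up precedes the user rules for 8443,
# while the rules for the alternative port 9443 are the first to mention it.
SAMPLE_LISTING='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -s 10.0.0.5/32 -d 10.0.0.10/32 -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -d 10.0.0.10/32 -p tcp -m tcp --dport 8443 -j DROP
-A INPUT -s 10.0.0.5/32 -d 10.0.0.10/32 -p tcp -m tcp --dport 9443 -j ACCEPT
-A INPUT -d 10.0.0.10/32 -p tcp -m tcp --dport 9443 -j DROP'

# Stand-alone demonstration; on a real appliance replace SAMPLE_LISTING with
# the output of `iptables -S INPUT`.
render_rules 10.0.0.5 10.0.0.10 9443
for p in 8443 9443; do
    if printf '%s\n' "$SAMPLE_LISTING" | is_shadowed "$p"; then
        echo "port $p: user rules are shadowed by an earlier unrestricted ACCEPT"
    else
        echo "port $p: first matching rule is the user-defined one"
    fi
done
```

The rendered lines are meant to be reviewed and then placed in the `*filter` section of a rule file for `iptables-restore`, or run with `iptables -I INPUT <n> ...` at a position before any broader rule for the same port. The shadow check is the quick diagnostic for the symptom in the question: if the first rule that mentions the port accepts from any source, the ACCEPT/DROP pair after it never sees the packet, whatever its own contents.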
/opt/SecureSpan/Appliance/var/firewall
/etc/sysconfig/iptables