How to block, disable, or deny HTTP/Webtools access (or telnet access) to a Brocade B-series switch for security reasons.
The following steps create an IP filter policy with a rule that denies access from any IP address to HTTP (TCP port 80).
Note: Because the default policy cannot be changed, you must clone whichever filter set you want to use (in this example, the "default_ipv4" set):
- Log in to the switch using SSH or a serial cable.
- Create a policy by copying the existing default_ipv4 policy:
ipfilter --clone DenyWebtools -from default_ipv4
- Save the new policy:
ipfilter --save DenyWebtools
- Verify that the new policy was created. It should appear in the list of policies:
ipfilter --show
- Add a rule to the new policy to deny HTTP access:
ipfilter --addrule DenyWebtools -rule 3 -sip any -dp 80 -proto tcp -act deny
Broken down by option, this command does the following:
- --addrule DenyWebtools: Adds the rule to the DenyWebtools ruleset.
- -rule 3: Inserts the rule at the specified rule index number. The rule number must be between 1 and the current maximum rule number plus one. A rule can also be set for a range of ports.
- -sip any: Specifies the source IP address. In this example, any IP address connecting to this switch has HTTP blocked.
- -dp 80: Specifies the destination port that the rule applies to. In this example, the port for HTTP is 80.
- -proto tcp: Specifies the protocol type. In this example, the protocol is TCP.
- -act deny: Specifies the permit or deny action associated with this rule.
- Find the permit rule for HTTP (80):
ipfilter --show DenyWebtools
Output:
Name: DenyWebtools, Type: ipv4, State: defined (modified)
Rule  Source IP  Protocol  Dest Port   Action
1     any        tcp       22          permit
2     any        tcp       23          permit
3     any        tcp       80          deny    <<< New Rule
4     any        tcp       80          permit  <<< Old Rule
5     any        tcp       443         permit
6     any        udp       161         permit
7     any        udp       123         permit
8     any        tcp       600 - 1023  permit
9     any        udp       600 - 1023  permit
- Remove the permit rule for HTTP. This is cleanup, because there are now two HTTP rules, as shown above:
ipfilter --delrule DenyWebtools -rule 4
- Save the policy again:
ipfilter --save DenyWebtools
- Check the policy again to verify it is correct:
ipfilter --show DenyWebtools
Output:
Name: DenyWebtools, Type: ipv4, State: defined
Rule  Source IP  Protocol  Dest Port   Action
1     any        tcp       22          permit
2     any        tcp       23          permit
3     any        tcp       80          deny    <<< New Rule
4     any        tcp       80          permit
5     any        tcp       443         permit
6     any        udp       161         permit
7     any        udp       123         permit
8     any        tcp       600 - 1023  permit
9     any        udp       600 - 1023  permit
- Activate the new policy:
ipfilter --activate DenyWebtools
- Check again to verify that the "DenyWebtools" policy is now active:
ipfilter --show
Output:
Name: DenyWebtools, Type: ipv4, State: active  <<< New policy is "active"
Rule  Source IP  Protocol  Dest Port   Action
1     any        tcp       22          permit
2     any        tcp       23          permit
3     any        tcp       80          deny
4     any        tcp       80          permit
5     any        tcp       443         permit
6     any        udp       161         permit
7     any        udp       123         permit
8     any        tcp       600 - 1023  permit
9     any        udp       600 - 1023  permit
- Open a supported browser and try to reach the Webtools UI of the switch over HTTP. The connection should be denied.
- In the switch "errdump" output, you should see that the switch rejected the HTTP connection attempt:
errdump:
2021/10/06-11:19:28, [SEC-3039], 39764, FID 128, INFO, DS6510B_TT38, Event:Security Violation , Status: failed, Info: Unauthorized host with IP address xx.xx.xx.xx tries to establish connection using TCP port 80.
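The deny rule only works because it sits at index 3, ahead of the original permit at index 4, so it pays to audit the policy after the change rather than trust the edit. The following check is an added example (not from this article or from Brocade): it parses a constructed sample of `ipfilter --show` output shaped like the one above, assumes rules are evaluated in index order with the first match deciding, and reports whether TCP/80 is denied by an active policy and which later TCP/80 rules are shadowed by the deny and can be removed.

```python
import re

# Constructed sample in the shape of the article's `ipfilter --show` output
# (not captured from a real switch), after the deny rule was added at index 3.
SAMPLE_POLICY = """\
Name: DenyWebtools, Type: ipv4, State: active
Rule  Source IP  Protocol  Dest Port   Action
1     any        tcp       22          permit
2     any        tcp       23          permit
3     any        tcp       80          deny
4     any        tcp       80          permit
5     any        tcp       443         permit
6     any        udp       161         permit
7     any        udp       123         permit
8     any        tcp       600 - 1023  permit
9     any        udp       600 - 1023  permit
"""
HEADER_RE = re.compile(r"Name:\s*(\S+),\s*Type:\s*\S+,\s*State:\s*(\w+)")
RULE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(tcp|udp)\s+(\d+)(?:\s*-\s*(\d+))?\s+(permit|deny)", re.I)

def parse_policy(text):
    """Return (name, state, rules); a rule is (index, sip, proto, lo_port, hi_port, action)."""
    name = state = None
    rules = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            name, state = m.group(1), m.group(2).lower()
            continue
        m = RULE_RE.match(line)
        if m:
            idx, sip, proto, lo, hi, act = m.groups()
            rules.append((int(idx), sip, proto.lower(), int(lo), int(hi or lo), act.lower()))
    return name, state, sorted(rules)

def first_match(rules, proto, port):
    """Assumption: ipfilter evaluates rules in index order and the first match decides."""
    return next((r for r in rules if r[2] == proto and r[3] <= port <= r[4]), None)

def audit_http(text):
    """Report whether TCP/80 is denied by an active policy, and which later
    TCP/80 rules are shadowed and can be deleted (rule 4 in the article)."""
    name, state, rules = parse_policy(text)
    hit = first_match(rules, "tcp", 80)
    shadowed = [r[0] for r in rules
                if r[2] == "tcp" and r[3] <= 80 <= r[4] and hit and r[0] != hit[0]]
    return {"policy": name, "active": state == "active",
            "http_denied": bool(hit) and hit[5] == "deny", "shadowed_rules": shadowed}
```

Paste the real `ipfilter --show DenyWebtools` output into `audit_http` in place of the sample; a result with `"active": False` or `"http_denied": False` means the procedure above did not take effect.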
Here is a list of all the commands used above, in order of use:
ipfilter --clone DenyWebtools -from default_ipv4
ipfilter --save DenyWebtools
ipfilter --show
ipfilter --addrule DenyWebtools -rule 3 -sip any -dp 80 -proto tcp -act deny
ipfilter --delrule DenyWebtools -rule 4
ipfilter --save DenyWebtools
ipfilter --show DenyWebtools
ipfilter --activate DenyWebtools
ipfilter --show
errdump