Connectrix B-Series Brocade: How can I block, disable, or deny HTTP/Webtools access to a Brocade switch
Summary: To block, disable, or deny HTTP/Webtools access to a Brocade B-series switch, use the IPFilter command.
Instructions
For security reasons you may want to block, disable, or deny HTTP/Webtools (or telnet) access to a Brocade B-series switch. The following procedure uses the ipfilter command to do so.
Here are the steps that are used to create a policy with a rule to deny access by any IP using HTTP port 80.
Note: Since the default policy cannot be changed, you must clone whichever filter set you want to use. In this example, we are using the "default_ipv4" set.
- Log in to the switch using SSH or using serial cable.
- Create a policy by copying the existing default_ipv4 policy:
ipfilter --clone DenyWebtools -from default_ipv4
- Save the new policy:
ipfilter --save DenyWebtools
- Verify that the new policy is correct. You should see the new policy:
ipfilter --show
- Add a rule to the new policy to deny HTTP access:
ipfilter --addrule DenyWebtools -rule 3 -sip any -dp 80 -proto tcp -act deny
This command, which is broken down by subcommands, does the following:
- --addrule DenyWebtools: Adds the rule to the DenyWebtools ruleset.
- -rule 3: Inserts the rule at the specified rule index number. The rule number must be between 1 and the current maximum rule number plus one. You can also set a rule for a range of ports.
- -sip any: Specifies the source IP address. In this example, any IP connecting to this switch has HTTP blocked.
- -dp 80: Specifies the destination port number that the rule applies to. In this example, the port for HTTP is 80.
- -proto tcp: Specifies the protocol type. In this example, the protocol is TCP.
- -act deny: Specifies the permit or deny action that is associated with this rule.
- Find the permit rule for HTTP (80):
ipfilter --show DenyWebtools
Output:
Name: DenyWebtools, Type: ipv4, State: defined (modified)
Rule  Source IP  Protocol  Dest Port   Action
1     any        tcp       22          permit
2     any        tcp       23          permit
3     any        tcp       80          deny     <<< New Rule
4     any        tcp       80          permit   <<< Old Rule
5     any        tcp       443         permit
6     any        udp       161         permit
7     any        udp       123         permit
8     any        tcp       600 - 1023  permit
9     any        udp       600 - 1023  permit
- Remove the old permit rule for HTTP. This cleanup is needed because the policy now contains two rules for port 80, as shown above:
ipfilter --delrule DenyWebtools -rule 4
- Save the policy again:
ipfilter --save DenyWebtools
- Check the policy again to verify it is correct:
ipfilter --show DenyWebtools
Output:
Name: DenyWebtools, Type: ipv4, State: defined
Rule  Source IP  Protocol  Dest Port   Action
1     any        tcp       22          permit
2     any        tcp       23          permit
3     any        tcp       80          deny     <<< New Rule
4     any        tcp       80          permit
5     any        tcp       443         permit
6     any        udp       161         permit
7     any        udp       123         permit
8     any        tcp       600 - 1023  permit
9     any        udp       600 - 1023  permit
- Activate the new policy:
ipfilter --activate DenyWebtools
- Check the policy again to verify that "DenyWebtools" is now active:
ipfilter --show
Output:
Name: DenyWebtools, Type: ipv4, State: active <<<<<<<<<<<<<<<<<< New Policy is "Active"
Rule  Source IP  Protocol  Dest Port   Action
1     any        tcp       22          permit
2     any        tcp       23          permit
3     any        tcp       80          deny
4     any        tcp       80          permit
5     any        tcp       443         permit
6     any        udp       161         permit
7     any        udp       123         permit
8     any        tcp       600 - 1023  permit
9     any        udp       600 - 1023  permit
- Open a supported browser and try to reach the Webtools UI of the switch on which HTTP is now blocked. The connection should be denied.
- In the switch "errdump" output, you should see that the switch has rejected the access using HTTP.
errdump:
2021/10/06-11:19:28, [SEC-3039], 39764, FID 128, INFO, DS6510B_TT38, Event:Security Violation , Status: failed, Info: Unauthorized host with IP address xx.xx.xx.xx tries to establish connection using TCP port 80.
Here is a list of all the commands that are used above in the order of use:
ipfilter --clone DenyWebtools -from default_ipv4
ipfilter --save DenyWebtools
ipfilter --show
ipfilter --addrule DenyWebtools -rule 3 -sip any -dp 80 -proto tcp -act deny
ipfilter --delrule DenyWebtools -rule 4
ipfilter --save DenyWebtools
ipfilter --show DenyWebtools
ipfilter --activate DenyWebtools
ipfilter --show
errdump
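As an added example that is not part of this article or of Fabric OS, the following Python script audits pasted `ipfilter --show` output: it finds the first rule that matches TCP port 80 and reports its action, checks whether the policy is active, and lists rules that an earlier rule fully shadows (which is exactly what the `--delrule` cleanup step removes). The sample output is constructed from the listing above; the policy name and rule set are the article's, the parsing helpers are assumptions of this example.

```python
import re
from collections import namedtuple
# Constructed sample, not captured from a switch: the DenyWebtools policy as shown
# after --addrule but before the --delrule cleanup (rule 4 is shadowed by rule 3).
SAMPLE_SHOW = """\
Name: DenyWebtools, Type: ipv4, State: defined (modified)
Rule Source IP Protocol Dest Port Action
1 any tcp 22 permit
2 any tcp 23 permit
3 any tcp 80 deny
4 any tcp 80 permit
5 any tcp 443 permit
6 any udp 161 permit
7 any udp 123 permit
8 any tcp 600 - 1023 permit
9 any udp 600 - 1023 permit
"""

Rule = namedtuple("Rule", "index sip proto lo hi action")  # lo..hi = dest port range
HEADER_RE = re.compile(r"Name:\s*(\S+),\s*Type:\s*\S+,\s*State:\s*(\w+)")
RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(tcp|udp)\s+(\d+)(?:\s*-\s*(\d+))?\s+(permit|deny)\b")

def parse_show(text):
    """Parse one policy block of 'ipfilter --show' into (name, state, rules)."""
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("no 'Name: ..., Type: ..., State: ...' header found")
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:  # annotations such as '<<< New Rule' after the action are ignored
            lo = int(m.group(4))
            rules.append(Rule(int(m.group(1)), m.group(2), m.group(3),
                              lo, int(m.group(5) or lo), m.group(6)))
    return header.group(1), header.group(2), sorted(rules, key=lambda r: r.index)

def first_match(rules, proto, port):
    """First matching rule in index order wins (every sample rule has source 'any')."""
    return next((r for r in rules if r.proto == proto and r.lo <= port <= r.hi), None)

def audit(text, proto="tcp", port=80):
    """Decide proto/port, report policy state, and list rules an earlier rule fully shadows."""
    name, state, rules = parse_show(text)
    hit = first_match(rules, proto, port)
    shadowed = [r.index for r in rules
                if (fm := first_match(rules, r.proto, r.lo)) is not r and fm.hi >= r.hi]
    return {"policy": name, "active": state == "active", "shadowed": shadowed,
            "verdict": hit.action if hit else "no-match",
            "matched_rule": hit.index if hit else None}
```

Paste the output of `ipfilter --show` for the policy into `audit()`; an empty `shadowed` list and `"active": True` together with `"verdict": "deny"` confirm that the procedure above was completed.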
Additional Information
See the Brocade Fabric OS Command Reference Manual for additional information about the ipfilter command and its usage.
Affected Products
Brocade, Connectrix B-Series
Article Properties
Article Number: 000192275
Article Type: How To
Last Modified: 13 Dec 2022
Version: 4