Creating Filters Using Command Line Interface 6-31
Generic Filter Rule The syntax for generic filters is slightly different than that for other filters:
<line #> <verb> GENERIC => ORIGIN = <F RAME > DATA>/OFFSET = <# of
bytes>/ LENGTH = <# of bytes>/MASK = < 0x Mask>/VALUE = <0x value>
ORIGIN - The location in the packet to start th e offse t count. This location can
be at byte 0 (FRAME) or at the start of the protocol data (DATA).
OFFSET - The number of bytes from the origin to skip before com paring the
value to the packet contents.
LENGTH - The number of bytes in the packet to compare to the value.
MASK - The mask to logically "and" with the packet contents before
comparing with the value (hex).
VALUE - The value (hex) to compare to the packet contents.
For example, a generic bridge filter to prevent all IP packets from being bridged is:
BR-ETH:
1 reject
generic=>origin=frame/o ffset=12/length=2/mask= 0xFFFF/value=0x0800;
Applying the Rules
Using CLI The following sections provide detailed information and examples for creating
specific filters based on protocol.
IP Source and Destination Networ k Filtering Using CLI
Source and destination address filtering is generally used to limit permitted access
to trusted hosts and networks only, to explicitly deny access to hosts and networks
that are not trusted, or to limit external access to a given host ( for ex ample , a web
server or a firewall).
Note that only the part of the IP address specified by the mask field is used in the
comparison. If a match is found, the packet is forwarded (rules conta ining accept)
or discarded (rules containing reject).
The following rule example allows forwarding of only IP packets with source
addresses that match the first 16 bits of the given IP address (addresses beginning
with 192.77):
IPX src-net
dst-net
src-host
dst-host
src-socket
dst-socket
generic
=, !=
=, !=
=, !=
=, !=
all
all
=
Source IPX network (xx-xx-xx-xx)
Destination IPX network (xx-xx-xx-xx)
Source IPX host node address (xx-xx-xx-xx-xx-xx)
Destination IPX host node address (xx-xx-xx-xx-xx-xx)
Source IPX socket (0x1 - 0xFFFF)
Destination IPX socket (0x1 - 0xFFFF)
Generic Filter
IPX-RIP network =, != IPX network (xx-xx-xx-xx)
IPX-SAP network
node
server
service-type
socket
=, !=
=, !=
=, !=
=, !=
all
IPX network (xx-xx-xx-xx)
IPX node (xx-xx-xx-x x-xx-xx)
Server name (character string to 32 characters)
Service type (0x0 - 0xFFFF)
Socket (0x1 - 0xFF FF)
BR-ETH src-addr
dst-addr
generic
=, !=
=, !=
=
Source MAC address (xx-xx-xx-xx-xx-xx)
Destination MAC address (xx-xx-xx-xx-xx-xx)
Generic filter