3Com 812 manual IP Source and Destination Network Filtering Using CLI, Ipx

Generic Filter Rule The syntax for generic filters is slightly different than that for other filters:

<line #> <verb> GENERIC => ORIGIN = <FRAME > DATA>/OFFSET = <# of

bytes>/ LENGTH = <# of bytes>/MASK = < 0x Mask>/VALUE = <0x value>

ORIGIN - The location in the packet to start the offset count. This location can be at byte 0 (FRAME) or at the start of the protocol data (DATA).

OFFSET - The number of bytes from the origin to skip before comparing the value to the packet contents.

LENGTH - The number of bytes in the packet to compare to the value.

MASK - The mask to logically "and" with the packet contents before

￿comparing with the value (hex).

VALUE - The value (hex) to compare to the packet contents.

For example, a generic bridge filter to prevent all IP packets from being bridged is:

BR-ETH:

1reject generic=>origin=frame/offset=12/length=2/mask=0xFFFF/value=0x0800;

Applying the Rules The following sections provide detailed information and examples for creating Using CLI specific filters based on protocol.

IP Source and Destination Network Filtering Using CLI

Source and destination address filtering is generally used to limit permitted access to trusted hosts and networks only, to explicitly deny access to hosts and networks that are not trusted, or to limit external access to a given host (for example, a web server or a firewall).

Note that only the part of the IP address specified by the mask field is used in the comparison. If a match is found, the packet is forwarded (rules containing accept) or discarded (rules containing reject).

The following rule example allows forwarding of only IP packets with source addresses that match the first 16 bits of the given IP address (addresses beginning with 192.77):