6-32 CHAPTER 6: MANUAL SETUP

IP:

1 ACCEPT src-addr = 192.77.200.203/16;

999 DENY;

The following rule example rejects IP packets with the source address 144.133.20.1.

IP:

1 REJECT src-addr = 144.133.20.1;

The following rule example allows forwarding of only IP packets with source address 192.77.100.32 and destination address 201.128.11.34:

IP:

1 AND src-addr = 192.77.100.32;

2 ACCEPT dst-addr = 201.128.11.34;

999 DENY;

IP Source and Destination Port Filtering Using CLI

You can also filter against UDP and TCP ports. The following rule example rejects IP packets with a TCP destination port number of 80.

IP:

1 REJECT tcp_dst_port = 80;

IP Protocol Filtering Using CLI

Filtering can be done on protocol as well. The protocols that can be filtered are UDP, TCP and ICMP. The following rule example rejects TCP packets.

IP:

1 REJECT protocol = TCP;

IP RIP Packet Filtering Using CLI

Routing Information Protocol (RIP) packets are used to identify all attached networks as well as the number of router hops required to reach them. The responses are used to update a router's routing table.

If the router is listening for, or broadcasting RIP messages, you should allow them to pass in the appropriate direction(s). You define IP RIP filtering rules in the IP-RIP protocol section of the filter file.

For example, if you want to filter all routes except the one specified by the IP network address 195.12.254.45, you would create this rule:

IP-RIP:

1 ACCEPT network = 195.12.254.45;

999 DENY;

This filter only allows the route 195.12.254.45 into the route table. All other routes are rejected.

Spurious RIP messages can disrupt your routing tables. If you are listening for RIP messages on a given interface, you may wish to consider filtering out RIP updates from untrusted networks.
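The rule syntax shown throughout this chapter (numbered rules under an IP: or IP-RIP: section, with ACCEPT, REJECT, AND and DENY actions and src-addr, dst-addr, tcp_dst_port, protocol and network clauses) can be checked offline before loading a filter file onto the router. The following parser and evaluator is an added example, not code from the 3Com manual or firmware; it assumes the /16 suffix is a prefix length, that an AND clause must hold for the next ACCEPT/REJECT to fire (read off the two-rule example above), and that a packet no rule decides on is accepted, as the single-rule REJECT examples imply.

```python
import ipaddress
import re
# Constructed sample in the manual's rule syntax (not taken from the 3Com manual):
# "<number> <action> [<field> = <value>];" lines under a section header such as "IP:".
FILTER_FILE = """
IP:
1 AND src-addr = 192.77.100.32;
2 ACCEPT dst-addr = 201.128.11.34;
999 DENY;
IP-RIP:
1 ACCEPT network = 195.12.254.45;
999 DENY;
"""
RULE_RE = re.compile(r"^(\d+)\s*(ACCEPT|REJECT|AND|DENY)\s*(?:(\S+)\s*=\s*(\S+?))?\s*;$")

def parse_filter(text):
    """Return {section: [(number, action, field, value), ...]} ordered by rule number."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.endswith(":"):                   # section header, e.g. "IP:" or "IP-RIP:"
            current = line[:-1]
            sections.setdefault(current, [])
        elif current is None or not (m := RULE_RE.match(line)):
            raise ValueError(f"unparseable rule line: {line!r}")
        else:
            num, action, field, value = m.groups()
            sections[current].append((int(num), action, field, value))
    return {s: sorted(r) for s, r in sections.items()}

def matches(field, value, pkt):
    """Test one clause against a packet dict; address values may carry a /prefix."""
    if field in ("src-addr", "dst-addr", "network"):
        return ipaddress.ip_address(pkt[field]) in ipaddress.ip_network(value, strict=False)
    if field == "tcp_dst_port":
        return pkt.get("protocol") == "TCP" and pkt.get("tcp_dst_port") == int(value)
    if field == "protocol":
        return pkt.get("protocol") == value.upper()
    raise ValueError(f"unknown field {field!r}")

def evaluate(rules, pkt):
    """Walk rules in number order; AND semantics are assumed from the manual's example."""
    chain_ok = True                              # every preceding AND clause matched
    for _num, action, field, value in rules:
        hit = field is None or matches(field, value, pkt)
        if action == "AND":
            chain_ok = chain_ok and hit
            continue
        if chain_ok and hit:
            return action                        # ACCEPT, REJECT or DENY decides
        chain_ok = True                          # a decision rule ends the AND chain
    return "ACCEPT"                              # assumed default when no rule decides
```

Running a candidate filter file through evaluate() with a few constructed packets shows whether the AND chain and the closing 999 DENY behave as intended before the rules go live.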

3Com 812 manual IP Source and Destination Port Filtering Using CLI, IP Protocol Filtering Using CLI