The Configuration Tree Functions - Firewall Configuration - Page 61
Match Data: The value that the Match Mask calculation (below) must produce for the filter to match. Note that the system pads the field with zeroes.
Match Mask: This is a byte pattern that is logically ANDed with the data filtered from the packet. The result is compared against the contents of the Match Data field.
Direction: This is the direction in which a session may be started if the filter finds a match:
– Drop - no session permitted
– In - allow new sessions to be started from outside the local subnet only
– Out - allow sessions to be started only from the local subnet
– Bothway - allow sessions either way.
Note that the Monitor program can be used to identify which packets are being blocked by the Firewall.
Examples
Note: All TCP/UDP applications are assigned an individual “port” number, used to identify the type of service one system is requesting from another. The Internet Assigned Numbers Authority publishes a list of these.
1. To access a web page that uses TCP Port 8000 instead of the more usual Port 80, use the following:
– IP Protocol = 6 (TCP)
– Match Offset = 22
– Match Length = 2
– Match Data = 1F40 (8000 in hex)
– Match Mask = FFFF (FFFF.AND.filtered data = 1F40)
– Direction = Out
– Notes = Port 8000 Out
2. To allow all ports out (this also solves the problem in Example 1, but risks unintentional data calls being made):
– IP Protocol = 6 (TCP)
– Match Offset = 0
– Match Length = 0
– Match Data = 0
– Match Mask = 0
– Direction = Out
– Notes = All TCP Ports Out
3. To avoid Windows95 calling your ISP’s DNS to resolve local names:
– IP Protocol = 17 (UDP)
– Match Offset = 20
– Match Length = 4
– Match Data = 00890035
– Match Mask = FFFFFFFF
– Direction = Drop
– Notes = Drop NetBIOS to DNS
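The filter logic described above (the IP Protocol check, then Match Length bytes read at Match Offset, ANDed with Match Mask and compared with Match Data, with the Direction field applied on a match), worked through on the three examples as an added Python simulation. This is not code from the manual or from the IPNC product. It assumes that Match Offset counts from the first byte of an IPv4 header without options (which is what makes offset 22 the TCP destination port and offset 20 the UDP source and destination ports), that a packet shorter than Match Offset + Match Length is zero-padded on the right, and a first-matching-rule ordering that the manual does not state; the packets are constructed sample data.

```python
import struct

# IP protocol numbers used in the manual's examples
PROTO_TCP = 6
PROTO_UDP = 17


def build_packet(proto, src_port, dst_port, payload=b""):
    """Construct a minimal IPv4 datagram (20-byte header, no options) followed by
    a TCP or UDP header carrying the given ports. Constructed sample data only;
    checksums are left at zero because the filter never looks at them."""
    transport_len = 20 if proto == PROTO_TCP else 8
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + transport_len + len(payload), 0, 0, 64, proto, 0,
        bytes([192, 168, 1, 10]),  # source address (constructed)
        bytes([10, 0, 0, 1]),      # destination address (constructed)
    )
    if proto == PROTO_TCP:
        # ports, seq, ack, data offset (5 words), SYN flag, window, checksum, urgent
        transport = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x02, 8192, 0, 0)
    else:
        transport = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)
    return ip_header + transport + payload


def _hex_field(text, length):
    """Turn a Match Data / Match Mask field (hex as typed, e.g. '1F40' or '0')
    into exactly `length` bytes, padding with zeroes on the right (assumption:
    the manual only says the field is zero-padded)."""
    text = text.strip()
    if len(text) % 2:
        text = "0" + text
    return bytes.fromhex(text).ljust(length, b"\x00")[:length]


def rule_matches(packet, ip_protocol, match_offset, match_length, match_data, match_mask):
    """One filter, evaluated as the manual describes:
    1. the packet's IP protocol (header byte 9) must equal IP Protocol;
    2. Match Length bytes are read from the packet at Match Offset, zero-padded
       if the packet ends early (offset taken from the start of the IP header,
       an assumption consistent with the examples);
    3. those bytes are ANDed with Match Mask and compared with Match Data.
    A Match Length of 0 compares two empty strings, so it matches every packet
    of that protocol (Example 2)."""
    if len(packet) < 10 or packet[9] != ip_protocol:
        return False
    window = packet[match_offset:match_offset + match_length].ljust(match_length, b"\x00")
    data = _hex_field(match_data, match_length)
    mask = _hex_field(match_mask, match_length)
    return bytes(w & m for w, m in zip(window, mask)) == data


def session_permitted(direction, origin):
    """Apply the Direction field to a session started from `origin`
    ('local' = the local subnet, 'outside' = beyond it)."""
    return {
        "Drop": False,
        "In": origin == "outside",
        "Out": origin == "local",
        "Bothway": True,
    }[direction]


# The three worked examples from the page:
# (Notes, IP Protocol, Match Offset, Match Length, Match Data, Match Mask, Direction)
RULES = [
    ("Port 8000 Out", PROTO_TCP, 22, 2, "1F40", "FFFF", "Out"),
    ("All TCP Ports Out", PROTO_TCP, 0, 0, "0", "0", "Out"),
    ("Drop NetBIOS to DNS", PROTO_UDP, 20, 4, "00890035", "FFFFFFFF", "Drop"),
]


def matching_rules(packet, rules=RULES):
    """Names of every rule whose filter matches the packet."""
    return [r[0] for r in rules if rule_matches(packet, *r[1:6])]


def decide(packet, origin, rules=RULES):
    """Decision for a session-starting packet: the first matching rule in list
    order wins (assumption: the manual does not state how overlapping rules are
    ordered). With no matching rule, no rule permits the session."""
    for name, proto, offset, length, data, mask, direction in rules:
        if rule_matches(packet, proto, offset, length, data, mask):
            return name, session_permitted(direction, origin)
    return None, False


if __name__ == "__main__":
    for label, pkt in [
        ("TCP to port 8000", build_packet(PROTO_TCP, 1025, 8000)),
        ("TCP to port 80", build_packet(PROTO_TCP, 1025, 80)),
        ("UDP NetBIOS(137) -> DNS(53)", build_packet(PROTO_UDP, 137, 53)),
        ("UDP ephemeral -> DNS(53)", build_packet(PROTO_UDP, 1025, 53)),
    ]:
        print(f"{label:30} matches={matching_rules(pkt)} from local={decide(pkt, 'local')}")
```

Running the script shows why Example 2 is broader than Example 1: a TCP packet to port 8000 matches both rules, while any other TCP destination port matches only the all-ports rule. The UDP packet from NetBIOS port 137 to DNS port 53 is caught by the Drop rule, and the same DNS query from an ordinary source port is not, which is the narrowness the 4-byte mask buys.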
INDeX IPNC Cassette Administration Manual | 38DHB0002UKDD – Issue 7 (22/11/02)