3 FILTERING IP TRAFFIC

3.1 IP Packet Filter Lists

Black Box systems can be configured to filter IP traffic. IP traffic filtering allows you to create rule sets that selectively block TCP/IP packets on a specified interface. Filters are applied independently to each interface (Ethernet, serial, or WAN) and independently to each interface direction: IN (packets coming in to the Black Box system) or OUT (packets going out of the Black Box system).

IP packet filtering capability can be used to restrict access to the Black Box system from untrusted, external networks or from specific, internal networks. An example would be a filter that prohibits external users from establishing Telnet sessions to the Black Box system, and allows only specific internal users Telnet access to the system.


At the end of every rule list is an implied “deny all traffic” statement. Therefore, all packets not explicitly permitted by a filtering rule are denied. A filter list that contains only “deny” statements consequently blocks all packets from crossing the interface, not just the ones its rules name. It is therefore important that each filter list contain at least one “permit” statement for the traffic that is supposed to get through.

The order in which you enter the filtering rules is important. The Black Box OS tests each packet against the rule statements sequentially, from the first rule to the last. Once a match is found, the matching rule's action (permit or deny) is applied and no further rule statements are checked. For example, if the first rule statement explicitly permits all traffic, all traffic is passed, because no later rule is ever reached.

The Black Box OS permits easy re-ordering of filter commands through filter_list insert and delete commands.

3.1.1 Example 1

Consider a Black Box connected via a bundle “WAN1” (WAN IP address 200.1.1.1) to an ISP, with Ethernet 0 (IP address 222.199.19.3) connected to the internal network. The network administrator wants to block Telnet access to the Black Box completely from all external networks, and from all internal networks except 222.199.19.0/28. All other TCP/IP traffic, such as FTP, Ping, and HTTP, is to flow unrestricted through the Black Box system.

3.1.1.1 Configure the Black Box LR1104A

Blackbox> configure term
Blackbox/configure> ip
Blackbox/configure/ip> filter_list filtera                    (gives the list a name)
Blackbox/configure/ip/filter_list> add deny tcp any 200.1.1.1 dport =23
Blackbox/configure/ip/filter_list> add permit tcp 222.199.19.0/28 222.199.19.3 dport =23
Blackbox/configure/ip/filter_list> add deny tcp any 222.199.19.3 dport =23
Blackbox/configure/ip/filter_list> add permit ip any any
Blackbox/configure/ip/filter_list> exit

Read top to bottom: the first rule drops Telnet (TCP destination port 23) aimed at the WAN address from any source; the second permits Telnet to the Ethernet 0 address only from 222.199.19.0/28; the third drops Telnet to the Ethernet 0 address from every other source; the final “permit ip any any” is what lets the remaining traffic (FTP, Ping, HTTP) through. Without that last rule the implied “deny all traffic” at the end of the list would drop it. Note that these commands only define the list “filtera”; as described in 3.1, a filter list takes effect only once it is applied to the relevant interfaces (here WAN1 and Ethernet 0) and direction.
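The following simulator is an added example, not Black Box OS code. It reproduces the semantics this section describes (rules tested in order, first match wins, implied deny at the end of the list) and runs the four rules of “filtera” over constructed packets, then shows what happens with a deny-only list and with “permit ip any any” moved to the top. The rule syntax it parses is a simplified reading of the manual's “add <action> <proto> <src> <dst> [dport =<port>]” lines, and 198.51.100.7 is a documentation address standing in for an external host; both are assumptions of this example.

```python
"""Simulator for the filter-list semantics of section 3.1 (added example,
not Black Box OS code). Rules are evaluated top to bottom, the first match
decides, and an implied "deny all traffic" rule closes every list. The rule
syntax is a simplified reading of the manual's
`add <action> <proto> <src> <dst> [dport =<port>]` lines.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str                     # source IPv4 address
    dst: str                     # destination IPv4 address
    dport: Optional[int] = None  # destination port; None for ICMP


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.proto == "ip" or self.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in self.src
            and ipaddress.ip_address(pkt.dst) in self.dst
            and (self.dport is None or self.dport == pkt.dport)
        )


def _network(token: str) -> ipaddress.IPv4Network:
    """'any' covers every address; a bare host address becomes a /32."""
    if token == "any":
        return ANY
    return ipaddress.ip_network(token, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse one 'add ...' line as typed at the filter_list prompt."""
    tokens = line.split()
    if tokens and tokens[0] == "add":
        tokens = tokens[1:]
    if len(tokens) < 4:
        raise ValueError(f"rule too short: {line!r}")
    action, proto, src, dst = tokens[:4]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in {line!r}")
    dport = None
    rest = "".join(tokens[4:])   # "dport =23" -> "dport=23"
    if rest:
        if not rest.startswith("dport="):
            raise ValueError(f"unsupported qualifier in {line!r}")
        dport = int(rest[len("dport="):])
    return Rule(action, proto, _network(src), _network(dst), dport)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the matching rule).

    Rules are tested in order and the first match ends the search; a packet
    matching no rule hits the implied deny, reported with index None.
    """
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


# The list "filtera" from Example 1, exactly as entered in the manual.
FILTERA = [parse_rule(line) for line in (
    "add deny tcp any 200.1.1.1 dport =23",
    "add permit tcp 222.199.19.0/28 222.199.19.3 dport =23",
    "add deny tcp any 222.199.19.3 dport =23",
    "add permit ip any any",
)]

# Constructed packets exercising each rule; 198.51.100.7 plays the Internet host.
SAMPLES = {
    "telnet from Internet to WAN address":  Packet("tcp", "198.51.100.7", "200.1.1.1", 23),
    "telnet from 222.199.19.5 (in /28)":    Packet("tcp", "222.199.19.5", "222.199.19.3", 23),
    "telnet from 222.199.19.200 (not /28)": Packet("tcp", "222.199.19.200", "222.199.19.3", 23),
    "http from Internet to Ethernet 0":     Packet("tcp", "198.51.100.7", "222.199.19.3", 80),
    "ping from Internet":                   Packet("icmp", "198.51.100.7", "222.199.19.3"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:40s} -> {evaluate(FILTERA, pkt)}")
    # Drop the final permit: the implied deny now swallows HTTP as well.
    print("http, deny-only list                    ->",
          evaluate(FILTERA[:3], SAMPLES["http from Internet to Ethernet 0"]))
    # Put 'permit ip any any' first: the Telnet rules are never reached.
    print("telnet, permit-all rule first           ->",
          evaluate([FILTERA[3]] + FILTERA[:3], SAMPLES["telnet from Internet to WAN address"]))
```

Running the script prints which rule decided each sample packet. The two variants at the end are the cases the text warns about: a list of deny statements alone returns (“deny”, None) for the HTTP packet because nothing but the implied deny matches it, and placing the permit-all rule first returns (“permit”, 0) for the external Telnet attempt the administrator meant to block.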

Black Box LR1102A-T1/E1 manual, page 19