188 | Chapter 11 - TCP/IP Filtering
IP Route Filter Rule Notification
Filter rule matches can optionally cause a log message to be sent. By default, no logging of matches is performed. See the section on the Logging Configuration Dialog Box in this manual for more information.
• log: The log option causes the device to log data about the packet to syslog when the condition of the rule is met.
IP Route Filter Rule Examples
The following example specifies a rule to allow routes to be input only from RIP and only from 198.41.11.1.
permit 0.0.0.0 in via rip from 198.41.11.1
The rule below specifies that routing information should only be sent which originates from RIP, directly connected routes, and static routes.
permit 0.0.0.0 out origin rip direct static
TCP/IP Packet Filter Rules
Note: Due to the nature of the IP protocol, IP packet filtering can be quite complicated. If you are attempting to design and implement a comprehensive set of filters, or an Internet firewall, there are a number of references you should consult. Two good starting points are: Building Internet Firewalls, by D. Brent Chapman and Elizabeth D. Zwicky, O'Reilly & Associates, 1995, and Firewalls and Internet Security, by William R. Cheswick and Steven M. Bellovin,
To access a filter editor window for TCP/IP packet filters, open the Main TCP/IP Filtering Dialog Box (under Global/Filtering/TCP/IP Filtering) and then select the Packet Filters button.
Packet filtering rules are selected for individual device interfaces. Whether they are used as input filters, output filters, or both, depends on which pull-down is used to select them in the TCP/IP Filtering Dialog Box for a particular interface.
A device does not reorder a rule set before applying it; the rules are applied in the order they were written. When multiple filter sets are selected with CompatiView, the filter sets are concatenated in the device from first to last (top to bottom on screen).
Any IP packet not explicitly allowed by the rules will be filtered. To allow all other packets not filtered, the last rule must be:
permit 0.0.0.0 0.0.0.0 ip
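The evaluation semantics just described (rules applied in written order, selected sets concatenated first to last, the log option emitting a syslog line, and an implicit drop of anything no rule permits) are easy to get wrong when editing filter sets by hand. The following Python model is an added example, not device code and not the manual's own syntax definition. It assumes a simplified four-token rule form, permit or deny, source, destination, protocol, with an optional trailing log keyword, that 0.0.0.0 is a wildcard as in the final rule above, that ip matches any protocol, and that the first matching rule decides. All addresses and rules in it are constructed sample data.

```python
"""Model of ordered, default-deny packet filter evaluation.

Constructed example illustrating the chapter's rules of evaluation; it is
not the router's implementation. Assumptions: rule grammar is
'<permit|deny> <src> <dst> <proto> [log]', 0.0.0.0 is a wildcard address,
'ip' matches any protocol, and the first matching rule decides.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: str             # IPv4 address, or 0.0.0.0 for any (assumed wildcard)
    dst: str
    proto: str           # "ip" (any), "tcp", "udp", "icmp"
    log: bool = False    # the "log" option: record matches to syslog


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str


def parse_rule(line: str) -> Rule:
    """Parse one rule line in the simplified grammar assumed above."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"unsupported rule: {line!r}")
    action, src, dst, proto = tokens[:4]
    return Rule(action, src, dst, proto, log="log" in tokens[4:])


def _addr_matches(rule_addr: str, pkt_addr: str) -> bool:
    return rule_addr == "0.0.0.0" or rule_addr == pkt_addr


def _matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and (rule.proto == "ip" or rule.proto == pkt.proto))


def concatenate(*rule_sets: List[Rule]) -> List[Rule]:
    """Selected sets are joined first to last, exactly as written; nothing is reordered."""
    combined: List[Rule] = []
    for rule_set in rule_sets:
        combined.extend(rule_set)
    return combined


def evaluate(rules: List[Rule], pkt: Packet,
             syslog: Optional[List[str]] = None) -> str:
    """Walk the rules in order; the first match decides. No match means the
    packet is filtered, which is the implicit deny the chapter warns about."""
    for rule in rules:
        if _matches(rule, pkt):
            if rule.log and syslog is not None:
                syslog.append(
                    f"filter: {rule.action} {pkt.proto} {pkt.src} -> {pkt.dst}")
            return rule.action
    return "deny"


def demo() -> dict:
    """Constructed sample: block one host (logged), then optionally permit the rest."""
    block_host = [parse_rule("deny 192.0.2.10 0.0.0.0 ip log")]   # constructed address
    permit_all = [parse_rule("permit 0.0.0.0 0.0.0.0 ip")]         # the chapter's final rule
    bad = Packet("192.0.2.10", "198.51.100.5", "tcp")             # constructed
    good = Packet("198.51.100.7", "198.51.100.5", "udp")          # constructed
    log: List[str] = []
    return {
        # Without the final permit-all, even unrelated traffic is dropped.
        "good_without_permit_all": evaluate(block_host, good),
        "good_with_permit_all": evaluate(concatenate(block_host, permit_all), good),
        "bad_logged": evaluate(concatenate(block_host, permit_all), bad, log),
        "log_lines": len(log),
        # Selecting the sets in the wrong order shadows the deny entirely.
        "bad_wrong_order": evaluate(concatenate(permit_all, block_host), bad),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last entry in demo() is the case worth checking on a real device: if the set containing permit 0.0.0.0 0.0.0.0 ip is selected above a more specific deny, the deny never matches, and because nothing is reordered the device will not correct this for you.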