Compatible Systems 5.4 manual TCP/IP Packet Filter Rules, IP Route Filter Rule Notification

Models: 5.4


Chapter 11 - TCP/IP Filtering

IP Route Filter Rule Notification

Filter rule matches can optionally cause a log message to be sent. By default, no logging of matches is performed. See the section on the Logging Configuration Dialog Box of this manual for more information.

log The log option causes the device to log data about the packet to syslog when the condition of the rule is met.

IP Route Filter Rule Examples

The following example specifies a rule to allow routes to be input only from RIP and only from 198.41.11.1.

permit 0.0.0.0 in via rip from 198.41.11.1

The rule below specifies that routing information should only be sent which originates from RIP, directly connected routes, and static routes.

permit 0.0.0.0 out origin rip direct static

TCP/IP Packet Filter Rules

Note: Due to the nature of the IP protocol, IP packet filtering can be quite complicated. If you are attempting to design and implement a comprehensive set of filters, or an Internet Firewall, there are a number of references you should consult. Two good starting points are: Building Internet Firewalls, by D. Brent Chapman and Elizabeth D. Zwicky, O'Reilly & Associates, 1995, and Firewalls and Internet Security, by William R. Cheswick and Steven M. Bellovin, Addison-Wesley Publishing Company, 1994.

To access a filter editor window for TCP/IP packet filters, open the Main TCP/IP Filtering Dialog Box (under Global/Filtering/TCP/IP Filtering) and then select the Packet Filters button.

Packet filtering rules are selected for individual device interfaces. Whether they are used as input filters, output filters, or both, depends on which pull-down is used to select them in the TCP/IP Filtering Dialog Box for a particular interface.

The device does not reorder rule sets before applying them; rules are applied in the order they were written. When multiple filter sets are selected with CompatiView, the filter sets are concatenated in the device from first to last (top to bottom on screen).

Any IP packet not explicitly allowed by the rules will be filtered. To allow all other packets not filtered, the last rule must be:

permit 0.0.0.0 0.0.0.0 ip
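The ordering, concatenation and implicit-deny behaviour described above, as an added illustration that is not part of the manual or the device firmware. It assumes a simplified rule form `permit|deny <src> <dst> <proto>` with `0.0.0.0` as an any-address wildcard and `ip` as an any-protocol wildcard; the 10.0.0.5 and 192.0.2.9 addresses are constructed sample values.

```python
"""First-match evaluator for an ordered list of IP packet filter rules.

Assumption (not taken from the manual): each rule reads
'permit|deny <src> <dst> <proto>', where 0.0.0.0 matches any address
and 'ip' matches any protocol.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # e.g. "tcp", "udp", "icmp"


def parse_rule(text: str):
    action, src, dst, proto = text.split()
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in rule: {text!r}")
    return action, src, dst, proto


def _match(pattern: str, value: str, wildcard: str) -> bool:
    return pattern == wildcard or pattern == value


def filter_packet(rules, pkt: Packet) -> str:
    """Apply rules in written order; the first matching rule decides.
    A packet matching no rule is implicitly filtered (denied)."""
    for action, src, dst, proto in map(parse_rule, rules):
        if (_match(src, pkt.src, "0.0.0.0") and _match(dst, pkt.dst, "0.0.0.0")
                and _match(proto, pkt.proto, "ip")):
            return action
    return "deny"  # implicit: anything not explicitly permitted is filtered


def concatenate(*filter_sets):
    """Selected filter sets are concatenated first to last, never reordered."""
    return [rule for fs in filter_sets for rule in fs]


# Constructed sample filter sets
MGMT_SET = ["permit 198.41.11.1 0.0.0.0 tcp"]
BLOCK_SET = ["deny 198.41.11.1 0.0.0.0 ip"]
PERMIT_ALL = ["permit 0.0.0.0 0.0.0.0 ip"]  # the manual's final catch-all rule

if __name__ == "__main__":
    pkt = Packet("198.41.11.1", "10.0.0.5", "tcp")
    print(filter_packet(concatenate(MGMT_SET, BLOCK_SET), pkt))  # permit
    print(filter_packet(concatenate(BLOCK_SET, MGMT_SET), pkt))  # deny: order matters
    other = Packet("192.0.2.9", "10.0.0.5", "udp")
    print(filter_packet(MGMT_SET, other))  # deny: no explicit permit
    print(filter_packet(concatenate(MGMT_SET, PERMIT_ALL), other))  # permit
```

Swapping the order of the two selected sets flips the result for the same packet, and only the trailing catch-all rule turns the implicit deny into a permit.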
