Compatible Systems 5.4 IP Packet Filter Rule Notification, Simple IP Packet Filter Rule Examples

Models: 5.4

Chapter 11 - TCP/IP Filtering
Note: If VPN tunneling with authentication is enabled on an interface to which an IP filter is applied, then the filter must specifically permit AH packets.

ESP

This modifier allows filtering on ESP (Encapsulating Security Payload) packets. ESP is used for encryption of tunneled packets across the Internet.

Note: If VPN tunneling with encryption only (i.e. no authentication) is enabled on an interface to which an IP filter is applied, then the filter must specifically permit ESP packets.

OSPF

This modifier allows filtering on OSPF (Open Shortest Path First) packets. OSPF IP packets carry OSPF routing data.

proto <operator> <protocol number>

This modifier allows general filtering on IP protocol numbers that don’t have one of the established keywords listed above. An operator expression may also be given so that a rule matches a range of protocol numbers (e.g. proto > 51).

IP Packet Filter Rule Notification

There are two notification actions which the device can take when a packet matches a particular rule. By default, no logging or notification of matches is performed.

log

The log option causes the device to log data about the packet to syslog when the condition of the rule is met. See the section on the Logging Configuration Dialog Box of this manual for more information.

icmp

The icmp option is valid only on a deny rule and directs the device to return an ICMP notification to the source of the matching packet.

Simple IP Packet Filter Rule Examples

This rule allows TCP packets with a source port greater than or equal to 1024 and a destination port of 25 (SMTP mail):

permit 0.0.0.0 0.0.0.0 TCP src >= 1024 dst = 25

A rule to allow UDP packets with a source port greater than 910 and a destination port of 53 (Domain Name Service) would look like:

permit 0.0.0.0 0.0.0.0 UDP src > 910 dst = 53

A rule to deny ICMP echo requests (pings) would look like:

deny 0.0.0.0 0.0.0.0 ICMP type = 8
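The following is an added example, not code from the manual or from the Compatible Systems device: a small Python evaluator for the rule syntax shown in the examples above and the log/icmp notification options described in the previous section. It parses rule text, checks a constructed packet against the rule list and reports the resulting action and notifications. Several details are assumptions that the page does not state and that should be checked against the device's actual behaviour: the two addresses after the action are treated as source and destination with 0.0.0.0 matching any host, rules are evaluated first-match, a packet matching no rule is denied, and the notification keywords are accepted at the end of a rule.

```python
"""Added example (not the device's own code): parse and evaluate the
IP packet filter rule syntax shown on this page.

Assumptions not stated on the page: the two addresses after the action are
source and destination, 0.0.0.0 matches any host, rules are first-match,
and a packet matching no rule is denied."""
import operator
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

OPERATORS = {
    "=": operator.eq, "!=": operator.ne,
    "<": operator.lt, "<=": operator.le,
    ">": operator.gt, ">=": operator.ge,
}
# IANA protocol numbers behind the keywords the manual lists
PROTOCOL_KEYWORDS = {"TCP": 6, "UDP": 17, "ICMP": 1, "AH": 51, "ESP": 50, "OSPF": 89}
# rule modifier -> packet field it compares against
FIELDS = {"src": "sport", "dst": "dport", "type": "icmp_type"}


@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    src: str                           # 0.0.0.0 = any host (assumption)
    dst: str
    proto_test: Tuple[str, int]        # (operator, IP protocol number)
    field_tests: List[Tuple[str, str, int]] = field(default_factory=list)
    log: bool = False                  # log option: record the match to syslog
    icmp: bool = False                 # icmp option: deny rules only

    def matches(self, pkt: Dict) -> bool:
        if self.src != "0.0.0.0" and pkt["src"] != self.src:
            return False
        if self.dst != "0.0.0.0" and pkt["dst"] != self.dst:
            return False
        op, number = self.proto_test
        if not OPERATORS[op](pkt["proto"], number):
            return False
        # every port/type test must hold; a test on a field the packet
        # does not carry (e.g. icmp_type on a TCP packet) fails the rule
        return all(attr in pkt and OPERATORS[op](pkt[attr], value)
                   for attr, op, value in self.field_tests)


def parse_rule(text: str) -> Rule:
    """Turn one rule line into a Rule, rejecting malformed ones."""
    tokens = text.split()
    action, src, dst = tokens[0], tokens[1], tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    i = 3
    if tokens[i] == "proto":                       # proto <operator> <number>
        proto_test = (tokens[i + 1], int(tokens[i + 2]))
        i += 3
    else:                                          # TCP / UDP / ICMP / AH / ESP / OSPF
        proto_test = ("=", PROTOCOL_KEYWORDS[tokens[i].upper()])
        i += 1
    rule = Rule(action, src, dst, proto_test)
    while i < len(tokens):
        tok = tokens[i]
        if tok == "log":
            rule.log = True
            i += 1
        elif tok == "icmp":
            if action != "deny":
                raise ValueError("icmp notification is valid only on a deny rule")
            rule.icmp = True
            i += 1
        elif tok in FIELDS:                        # src/dst/type <operator> <value>
            rule.field_tests.append((FIELDS[tok], tokens[i + 1], int(tokens[i + 2])))
            i += 3
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return rule


def is_valid_rule(text: str) -> bool:
    try:
        parse_rule(text)
        return True
    except (ValueError, KeyError, IndexError):
        return False


def evaluate(rules: List[Rule], pkt: Dict) -> Tuple[str, List[str]]:
    """Return (action, notifications) for the first rule the packet matches."""
    for rule in rules:
        if rule.matches(pkt):
            notes = [name for name, on in (("log", rule.log), ("icmp", rule.icmp)) if on]
            return rule.action, notes
    return "deny", []        # implicit deny when nothing matches (assumption)


# Constructed rule list: the three rules from the page, the deny rule given
# both notification options, plus a proto-range rule like the manual's proto > 51.
EXAMPLE_RULES = [
    "permit 0.0.0.0 0.0.0.0 TCP src >= 1024 dst = 25",
    "permit 0.0.0.0 0.0.0.0 UDP src > 910 dst = 53",
    "deny 0.0.0.0 0.0.0.0 ICMP type = 8 log icmp",
    "permit 0.0.0.0 0.0.0.0 proto > 51",
]
RULES = [parse_rule(r) for r in EXAMPLE_RULES]

if __name__ == "__main__":
    ping = {"proto": 1, "src": "10.0.0.5", "dst": "10.0.0.9", "icmp_type": 8}
    print(evaluate(RULES, ping))
```

The `matches` method is where the boundary conditions in the examples live: a TCP packet from port 1023 fails `src >= 1024`, a UDP packet from port 910 fails `src > 910`, and an ICMP echo reply (type 0) does not hit the `type = 8` deny rule and falls through to the implicit deny without any notification.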
