Chapter 11 - TCP/IP Filtering

195

 

 

This rule would drop all packets with the source host address 192.15.1.10:

deny 192.15.1.10 0.0.0.0

A rule to drop all packets with a source network address of 192.15.1.0. All packets from hosts on that network would be denied:

deny 192.15.1.0/24 0.0.0.0

IP Packet Filter Rule Set Examples

The rule set below allows only inbound and outbound mail from 192.15.14.1.

The input-filter:

permit 0.0.0.0 192.15.14.1 TCP src >= 1024 dst = 25 permit 0.0.0.0 192.15.14.1 TCP src = 25 dst >= 1024

The output-filter:

permit 192.15.14.1 0.0.0.0 TCP src = 25 dst >= 1024 permit 192.15.14.1 0.0.0.0 TCP src >= 1024 dst = 25

These sets of rules are intended to filter out all traffic and only allow incoming and outgoing mail to a server inside a net with an IP address of

192.15.14.1.However they aren’t enough to prevent access from someone outside using source port 25. This is because a connection to destination ports greater than 1024 can be initiated according to the second rule in the input filter. To prevent this from happening, add the est keyword to the second rule in the input filter:

permit 0.0.0.0 192.15.14.1 TCP src = 25 dst >= 1024 est

The est keyword in this rule tells the device to only accept TCP packets on the input to this interface when the connection has already been established. A TCP packet which is attempting to initiate a connection will have only the “SYN” flag set. If someone tries to establish a connection from the outside using source port 25, the rule won’t match (no permit will occur). The connection can’t be established since the packet will be dropped by the default rule.

Page 200 Page 202
Page 201
Image 201
Compatible Systems 5.4 manual TCP/IP Filtering 195, IP Packet Filter Rule Set Examples
Page 200 Page 202
Top Page Image Contents