APPENDIX G IP FILTER EXAMPLES
If IP filtering is active then all packets received are checked against the filter table before processing by the Router. Packets are also compared to the IP Filter Table when the IP Filter is set to Bridge.
The IP Filter can have 32 lines or entries. An entry does not initially become active until the user exits the menu; later amendments are acted upon immediately after entry.
Note that the filter table is searched sequentially for every IP packet received until a match is found. A filter table with many entries can impose significant processor loading and lead to increased latency.
The filter table is made up of three elements:
1. Source and destination IP address.
2. Protocol selection.
3. Port or socket selection for TCP and UDP packets.
Each section supports a ‘wildcard’ for a match. For example, to pass only TCP packets you would wildcard the source and destination IP addresses and wildcard the port numbers.
Each line in the filter table can be configured to PASS or FAIL. By default this value is FAIL. Normal operation would put a number of entries in the filter table that would pass packets if a match occurs. It is possible to use the reverse and define each line so that a match results in failure. You could then enter a last line with wildcards in all three sections to pass.
G.1 Source and Destination IP Address
Each filter table entry consists of an IP address and a mask. The IP address in the packet is combined with the mask and compared with the entry in the table. If the result matches then processing continues along the line. If the result fails then the same operation is performed against the next line entry.
Masks are displayed in hexadecimal format for ease of bit identification. Values can be entered in the normal decimal dot notation or as a single hex number e.g. 255.128.0.0 or FF800000. Any value or order of bits can be entered as the mask. A mask of FFCF0040 is a valid mask.
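The sequential first-match search and the address/mask comparison described above can be modelled as follows. This is an added example, not code from the manual or the router firmware. It assumes that "combined with the mask" means a bitwise AND applied to both the packet address and the entry address, that an all-zero mask acts as the address wildcard, and that the port field is compared with the destination port; the names `Entry`, `evaluate`, `parse_mask` and the sample table are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def parse_mask(text: str) -> int:
    """Accept a mask as dotted decimal (255.128.0.0) or one hex number (FF800000)."""
    if "." in text:
        return int(ipaddress.IPv4Address(text))
    value = int(text, 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"mask out of range: {text}")
    return value

def addr_matches(packet_ip: str, entry_ip: str, mask: str) -> bool:
    # Assumption: "combined with the mask" means bitwise AND on both sides,
    # so any bit pattern works and an all-zero mask acts as the wildcard.
    m = parse_mask(mask)
    return (int(ipaddress.IPv4Address(packet_ip)) & m) == (int(ipaddress.IPv4Address(entry_ip)) & m)

@dataclass
class Entry:
    src: str
    src_mask: str
    dst: str = "0.0.0.0"
    dst_mask: str = "00000000"
    protocol: Optional[str] = None   # None = wildcard (representation assumed)
    port: Optional[int] = None       # None = wildcard; destination port (assumed)
    action: str = "FAIL"             # the manual's default

def evaluate(table, src, dst, protocol, port):
    """Return (line number, action) of the first matching line, or None."""
    if len(table) > 32:
        raise ValueError("the filter table holds at most 32 entries")
    for line, e in enumerate(table, start=1):
        if (addr_matches(src, e.src, e.src_mask)
                and addr_matches(dst, e.dst, e.dst_mask)
                and e.protocol in (None, protocol)
                and e.port in (None, port)):
            return line, e.action
    return None  # the manual does not state what happens when nothing matches

# Constructed table in the "reverse" style: a FAIL line, then an all-wildcard PASS.
TABLE = [
    Entry("10.1.0.64", "FFCF0040", protocol="TCP", port=23, action="FAIL"),
    Entry("0.0.0.0", "0.0.0.0", action="PASS"),
]

if __name__ == "__main__":
    for src in ("10.49.7.65", "10.1.0.1"):
        print(src, evaluate(TABLE, src, "192.0.2.1", "TCP", 23))
```

With the mask FFCF0040 the FAIL line matches 10.49.7.65 as well as 10.1.0.64 but not 10.1.0.1, so a non-contiguous mask is worth checking against sample addresses before the table is relied on.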
Echo LANlink Router Option User Manual | Issue 1.0 04 December 1997 Page 52 of 59 |