Chapter Nine: Advanced Installations | IP filters 132 |
• Any well known: Applies the filter to any protocol using TCP or UDP ports in the range 0 to 1023. See RFC 1700 for the complete list of protocols.
• UNIX: Applies the filter to any protocol using TCP or UDP ports in the range 512 to 1023. See RFC 1700 for the complete list of protocols.
• TCP: Many protocols (such as HTTP, FTP, Telnet, News) make use of TCP. If you filter all TCP traffic, you will prevent the use of these protocols. Note that access to the web configuration interface occurs via HTTP and access to the command line interface (CLI) occurs via Telnet.
• UDP: Many protocols (such as SNMP, Time, TFTP, BOOTP) make use of UDP. If you filter all UDP traffic, you will prevent the use of these protocols.
• FTP: Applies the filter to all datagrams containing the File Transfer Protocol.
• Web (HTTP): If you filter all HTTP traffic, you may not be able to reach the web configuration interface. Filtering outgoing HTTP traffic can be used to prevent users from browsing the Internet.
• Mail (SMTP): Applies the filter to all datagrams containing the mail (SMTP) protocol.
• Mail (POP3): Applies the filter to all datagrams containing the mail (POP3) protocol.
• Telnet: If you filter all Telnet traffic, you will not be able to reach the command line interface (CLI).
• TFTP: The DIVA LAN ISDN Modem can function as a TFTP server to support uploading and downloading of configuration files. If you filter TFTP traffic, you will not be able to use this feature.
• DNS: Domain Name System. Filtering DNS datagrams can disrupt the ability to access remote sites.
The following options are also available: NFS/RPC, News, Time (NTP), BOOTP, SNMP, ICMP, Ping (ICMP), Ping Reply, ICMP Redir. For a description of these protocols, consult the appropriate RFC at the site www.faqs.org.
8. Activate the filter by clicking the box that appears to the right of the EDIT button.
9. Click Save. This makes the filter operational.
Note: Unlike other configuration settings, you do not have to reset the DIVA LAN ISDN Modem to make filters operational.
IP filtering examples
The examples in this section illustrate how to use filters to:
• Drop incoming traffic from a specific network
• Allow incoming traffic only from a specific network
• Block web surfing
Note: These examples assume that you have not enabled remote management. If it is enabled, the default filter stack you see will contain only the single filter: "Forward all datagrams being sent from anywhere that contain any protocol." If no filters are present, the only visible filter will be "Drop All". The "Forward all" filter is active but invisible.
Dropping incoming traffic from a specific network
This example defines a filter to make sure that no traffic is accepted from a specific network. Assume the network has the IP address 213.112.12.0.
Since the filter is applied against data from the Internet, it is defined for the ISP profile. Place this filter in the third position in the stack.
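The following Python model is an added illustration, not part of the DIVA LAN ISDN Modem manual: it represents the ISP-profile filter stack for this example and checks which datagrams are dropped or forwarded. It assumes top-to-bottom first-match evaluation, a 255.255.255.0 mask for the 213.112.12.0 network, and the usual port numbers for the HTTP, Telnet, TFTP and DNS classes; none of these are stated on this page.

```python
import ipaddress
from dataclasses import dataclass

# Protocol classes from the manual, modelled as predicates on (transport, port).
PROTOCOL_CLASSES = {
    "any": lambda t, p: True,
    "any well known": lambda t, p: t in ("tcp", "udp") and 0 <= p <= 1023,
    "UNIX": lambda t, p: t in ("tcp", "udp") and 512 <= p <= 1023,
    "TCP": lambda t, p: t == "tcp",
    "UDP": lambda t, p: t == "udp",
    "Web (HTTP)": lambda t, p: t == "tcp" and p == 80,   # port numbers assumed
    "Telnet": lambda t, p: t == "tcp" and p == 23,
    "TFTP": lambda t, p: t == "udp" and p == 69,
    "DNS": lambda t, p: p == 53,
}

@dataclass
class Filter:
    action: str                # "forward" or "drop"
    protocol: str              # a key of PROTOCOL_CLASSES
    source: str = "0.0.0.0/0"  # "anywhere"
    active: bool = True        # step 8: a filter only takes effect once activated

@dataclass
class Datagram:
    src: str
    transport: str             # "tcp", "udp" or "icmp"
    dport: int

def evaluate(stack, dgram):
    """Return the action of the first active filter matching the datagram (first-match
    order is an assumption); the manual's invisible "Drop All" is the fallthrough."""
    src = ipaddress.ip_address(dgram.src)
    for f in stack:
        if not f.active:
            continue
        match_src = src in ipaddress.ip_network(f.source, strict=False)
        if match_src and PROTOCOL_CLASSES[f.protocol](dgram.transport, dgram.dport):
            return f.action
    return "drop"

# ISP-profile stack for the example: drop everything from the 213.112.12.0
# network (a /24 mask is assumed), then the default "Forward all" filter.
ISP_STACK = [
    Filter("drop", "any", "213.112.12.0/24"),
    Filter("forward", "any"),
]

def management_reachable(stack, src):
    """Check that HTTP (web interface) and Telnet (CLI) from src still pass."""
    return all(evaluate(stack, Datagram(src, "tcp", p)) == "forward" for p in (80, 23))
```

Running `management_reachable` against a candidate stack before saving it is a cheap way to confirm that a TCP, HTTP or Telnet filter does not lock you out of the configuration interfaces the manual warns about.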