157, ﬁltering rule, Parts of a ﬁlter | Netopia 2200 specification

Firewall Tutorial

A ﬁltering rule

The criteria are based on information contained in the packets. A ﬁlter is simply a rule that prescribes certain actions based on certain conditions. For example, the following rule qualiﬁes as a ﬁlter:

“Block all Telnet attempts that originate from the remote host 199.211.211.17.”

This rule applies to Telnet packets that come from a host with the IP address 199.211.211.17. If a match occurs, the packet is blocked.

Here is what this rule looks like when implemented as a ﬁlter in Netopia Firmware Version 7.6:

To understand this particular ﬁl- ter, look at the parts of a ﬁlter.

Parts of a ﬁlter

A ﬁlter consists of criteria based on packet attributes. A typical ﬁl- ter can match a packet on any one of the following attributes:

•The source IP address and subnet mask (where the packet was sent from)

•The destination IP address and subnet mask (where the packet is going)

•The TOS bit setting of the packet. Certain types of IP packets, such as voice or mul- timedia packets, are sensi-

tive to delays introduced by the network. A delay-sensitive packet is identiﬁed by a special low-latency setting called the TOS bit. It is important for such packets to be received rapidly or the quality of service degrades.

•The type of higher-layer Internet protocol the packet is carrying, such as TCP or UDP

157

Image 157

Netopia 2200 manual 157, ﬁltering rule, Parts of a ﬁlter

Contents

Netopia Software User Guide Copyright Table of Contents Expert Mode Security 146 Basic Troubleshooting Command Line Interface 221 Table of Contents Glossary Overview of Major Capabilities Index What’s New Introduction Intended Audience About Netopia Documentation Documentation Conventions Command Line InterfaceGeneral Internal Web Interface Bold terminal type User-entered text face Word About Example Screens OrganizationPage Basic Mode Setup Power Supply Installation Important Safety Instructions Achtung Wichtige SicherheitshinweiseBewahren Sie diese Anweisungen auf Microsoft Windows Setting up the Netopia Gateway Then go to Step Macintosh MacOS 8 or higher or Mac OS Proceed to Conﬁguring the Netopia Gateway on Conﬁguring the Netopia Gateway Click the Connect to the Internet button MiAVo Vdsl and Ethernet WAN models Quickstart PPPoE Quickstart Configuring the Netopia Gateway Netopia Gateway Status Indicator Lights Home Page Basic Mode DNS Link Manage My Account Link Status Details Link Enable Remote Management Link Expert Mode Link Update Firmware Link Factory Reset Open the Web Connection Accessing the Expert Web InterfacePage Home Page Expert Mode Summary Information Home Page InformationField Status and/or Description Dhcp Navigating the Web Interface ToolbarLink Breadcrumb Trail Button Restart Restart Link Alert Symbol Button Help Help Button Conﬁgure ConﬁgureLink Quickstart Click Connect to the Internet Link LAN Configure Page Wireless supported models Privacy Configure Page Advanced Page About Closed System Mode Page WPA Version Allowed Examples Multiple SSIDs Wireless MAC Authorization Page Configure Use Radius Server Advanced Network Conﬁguration page appears IP Gateway WAN IP InterfacesOther WAN Options Available Multiplexing types Available Encapsulation types Sustained Cell Rate SCR Transmit Priority Comments Class Link Advanced IP Static Route Entry page appears Link IP Static RoutesPage Link Pinholes Link IP Static ARP TCP Tips for making Pinhole Entries Gateway Pinhole Conﬁguration Procedure. Use the following steps Page Configure Link IPMaps Ple static Netopia Gateway WAN Interface LAN Interface IPMaps Block Diagram192.168.1.1 192.168.1.2 Link Default Server NAT LAN STN #2 Internet Gateway Configure Page Link Differentiated Services Page QoS Setting TOS Bit Value Behavior Link Dhcp Server Link DNS Configure Link Radius Server Link Snmp Page Link Igmp Internet Group Management Protocol Page Configure 100 Link UPnP 101 Link LAN Management 102 Link Advanced Ethernet Bridge 103 Conﬁguring for Bridge Mode 104 Enable Concurrent Bridging/Routing checkbox 105 106 Link Vlan 107 108 Enable Multiple Wireless IDs onVlan Port Conﬁguration screen appears 109 110 111 Link Syslog Parameters 112 Log Event Messages Administration Related Log Messages113 System Log Messages 114 Access-related Log MessagesDSL Log Messages most common Mented packet 115 Link Software Hosting Link Internal Servers116 List of Supported Games and Software 117 FTP 118 119 Rename a UserPC 120 Link Clear Options 121 Link Time Zone Button Security Security122 123 Link Passwords 124 Link Firewall Conﬁguring for a BreakWater Setting125 Use a Netopia Firewall 126 Tips for making your BreakWater Basic Firewall Selection 127Basic Firewall Background 128 BreakWater Setting ClearSailing SilentRunning LANdLocked 129 130 Link IPSec 131 SafeHarbour IPSec VPN Conﬁguring a SafeHarbour VPN 132 133 IPSec Tunnel Details Parameter Setup Worksheet Parameter Descriptions on page 136 as required 134 Make the Tunnel Details entries 135 Parameter Descriptions 136Field Description PAT Address 137 Soft MBytes 138 139 Link Stateful Inspection Stateful Inspection Firewall installation procedure140 141 Exposed Addresses 142 143 144 Stateful Inspection Options 145 Open Ports in Default Stateful Inspection InstallationPort Protocol Description LAN Private WAN Public Interface General ﬁrewall terms Firewall TutorialBasic IP packet components 146 147 Basic protocol types Firewall design rules Example TCP/UDP Ports TCP Port Service148 Firewall Logic Implied rules 149 Example ﬁlter set 150 151 Filter basicsWhat it means Example network 152 Example ﬁltersExample 153 154 Link Packet Filter How ﬁlter sets work What’s a ﬁlter and what’s a ﬁlter set?155 156 How individual ﬁlters workFilter priority ﬁltering rule 157Parts of a ﬁlter Port numbers 158Port number comparisons Other ﬁlter attributes 159Putting the parts together Filtering example #1 160 161 Filtering example #2 162 Design guidelines An approach to using ﬁlters163 Adding a ﬁlter set Working with IP Filters and Filter Sets164 165 Adding ﬁlters to a ﬁlter set Netopia Router 166 167 Enter the Source Mask for the source IP address 168 Viewing ﬁlters 169 170 Deleting a ﬁlter setModifying ﬁlters Deleting ﬁlters 171 Associating a Filter Set with an Interface 172 TOS ﬁeld matching Policy-based Routing using Filtersets173 174 175 Link Security Log Using the Security Monitoring Log176 177 Timestamp Background 178 Button Install Install179 180 Link Install Software Netopia ﬁrmware Image File Required Files181 182 Click the Install Software button Verify the Netopia Firmware Release 183 Use Netopia Software Feature Keys Link Install KeysObtaining Software Feature Keys Procedure Install a New Feature Key File 185 186 To check your installed features 187 188 Link Install Certiﬁcate 189 190 191 Basic Troubleshooting 192 Status Indicator LightsAction Ethernet Ethernet 1, 2, 3 193 194 Wireless DSL Sync 195 196 Special patterns 197 LAN 1, 2, 3 198 DSL Sync 199 200 Front View 201 LED Function Summary Matrix EN Link Unlit 202Active Link 203 Factory Reset Switch 2247NWG 3397GP3347W/3357W 2240N 205 Advanced Troubleshooting 206 Home Status of Connection 207 Button Troubleshoot Expert Mode208 209 Link System Status 210 Link Ports Ethernet 211 Link Ports DSL 212 Link IP Interfaces 213 Link DSL Circuit Conﬁguration 214 Link System Log Entire 215 Link Diagnostics 216 Link Network Tools 217 If Ping is not successful, possible causes are 218 219 220 221 Command Line Interface 222 Overview 223 Command Verbs Status and/or DescriptionKeywords Logging Starting and Ending a CLI SessionEnding a CLI Session 224 About Shell Commands Using the CLI Help FacilitySaving Settings Shell Command Shortcuts Common Commands Shell Commands Download serveraddress ﬁlename conﬁrm DiagnoseDownload -cert serveraddress ﬁlename conﬁrm 227 License key Install serveraddress ﬁlename conﬁrmLoglevel level 228 Netstat -r Netstat229 Reset atm Reset arpReset crash Reset dhcp server Reset log Reset ipmapReset security-log Reset wan-users all ip-address Show conﬁg Show featuresShow crash Show dhcp agent Show ip interfaces Show ip igmpShow ip ipsec Show ip ﬁrewall Show wireless clients MACaddress Show wireless allShow log Show memory all View conﬁg Upload serveraddress ﬁlename conﬁrmWho 235 WAN Commands Config Mode Prompt About Config CommandsNavigating the Config Hierarchy 238 Netopia-3000/9437188 top quit Set ip ethernet a ipaddress Entering Commands in Config ModeSet ip ethernet a 239 Displaying Current Gateway Settings Guidelines Config CommandsStep Mode a CLI Conﬁguration Technique 240 241 Validating Your Conﬁguration DSL Commands Config Commands Set atm vcc n qos max-burst-size 1 ...n Set atm vcc n qos sustained-cell-rate 1 ...nSet atm vcc n vpi 0 Set atm vcc n vci 0 Set atm vccn pppoe-sessions 1 Bridging SettingsSet bridge sys-bridge on off Set bridge concurrent-bridging-routing on off Dhcp Settings Set bridge table-timeout 30Set bridge ethernet option on off Set bridge dsl vccn option on off Set dhcp end-address ipaddress Set dhcp start-address ipaddressSet dhcp lease-time lease-time Set dhcp server-address ipaddress Set dmt wiringMode auto tipring AA1 DMT SettingsSet dmt metallic-termination auto disabled alwayson Set dmt autoConﬁg off on Set dns proxy-enable Domain Name System SettingsSet dns domain-name domain-name Set dns primary-address ipaddress Set igmp snooping off on Igmp SettingsSet igmp robustness value Set igmp query-intvl value Set ip arp-timeout 60 IP SettingsSet ip option on off Set ip dsl vccn address ipaddress Set ip dsl vccn netmask netmask Set ip dsl vccn restriction admin-disabled noneSet ip dsl vccn addr-mapping on off Set ip dsl vccn rip-send off v1 v2 v1-compat v2-MD5 Set ip ethernet a option on off Set ip dsl vccn rip-receive Off v1 v2 v1-compat v2-MD5Set ip ethernet a address ipaddress Set ip ethernet a broadcast broadcastaddress Set ip ethernet a netmask netmask Set ip ethernet a restrictions none admin-disabledSet ip ethernet a rip-send Off v1 v2 v1-compat v2-MD5 253 Set ip gateway option on off Set ip ethernet a rip-receive off v1 v2 v1-compat v2-MD5Set ip gateway interface ip-address ppp-vccn Set ip ip-ppp vccn option on off Set ip ip-ppp vccn address ipaddress Set ip ip-ppp vccn restriction admin-disabled noneSet ip ip-ppp vccn peer-address ipaddress Set ip ip-ppp vccn addr-mapping on off Set ip ip-ppp vccn rip-receive off v1 v2 v1-compat v2-MD5 Set ip ip-ppp vccn rip-send off v1 v2 v1-compat v2-MD5256 Set ip igmp-forwarding off on Set ip static-arp ip-addressipaddressSet ip ipsec-passthrough off on 257 Set diffserv option off on Set ip prioritize off onSet diffserv lohi-ratio 60 100 percent 258 259 Set ip static-routes destination-networknetaddress Set ip sip-passthrough on off260 261 Delete ip static-routes destination-network netaddress Network Address Translation NAT Default Settings IPMaps Settings Network Address Translation NAT Pinhole Settings Set nat-default host-hardware-address MACaddressSet pinhole name name Set pinhole name name protocol-select tcp udp PPPoE /PPPoA Settings Set ppp module vccn magic-number on off Set ppp module vccn mru integerSet ppp module vccn protocol-compression on off Set ppp module vccn lcp-echo-requests on off Set ppp module vccn conﬁgure-max integer Set ppp module vccn restart-timer integerSet ppp module vccn terminate-max integer Set ppp module vccn connection-type instant-on always-on Set ppp module vccn port-authentication password password Set ppp module vccn port-authentication username usernameEthernet Port Settings Command Line Interface Preference Settings 268 Set preference more lines Set servers web-http 1 Port Renumbering SettingsSet servers telnet-tcp 1 269 Set security ipsec option off on off Security SettingsSet security ipsec tunnels name 270 271 Set security ipsec tunnels name 123 tun-enable on on off 272 Set security ipsec tunnels name 123 IKE-mode DH-group 1 1 2 Set security ipsec tunnels name 123 xauth password password Set security ipsec tunnels name 123 xauth enable off onSet security ipsec tunnels name 123 nat-enable on off Set security ipsec tunnels name 123 xauth username username Set security ipsec tunnels name 123 remote-id idvalue Set security ipsec tunnels name 123 local-id idvalue274 275 276 Set security state-insp tcp-timeout 30 Set security state-insp xposed-addr exposed-address# n Set security state-insp udp-timeout 30277 278 Packet Filtering Settings 279 280 281 Snmp Settings Set snmp notify type v1-trap v2-trap inform System SettingsSet system name name 283 Set system username administrator name user name Set system idle-timeout telnet 1...120 http 1Set system log-size 10240 Set system persistent-log off on Sleep Contact-email string@domainname location string Set system password admin user285 286 Set system zerotouch redirect-url redirection-URL Set system zerotouch option on off287 Syslog Set security state-insp eth B option on 289 Wireless Settings supported models Set wireless multi-ssid option on off Set wireless mode both-b-and-g b-only g-only291 292 Set wireless tx-power full medium fair low minimal Set wireless no-bridging off on293 Set wireless network-id privacy default-keyid Set wireless network-id privacy pre-shared-key string294 Example 40bit key 02468ACE02 295Example 256bit key Set radius radius-name servernamestring Set wireless mac-auth option on offSet radius radius-secret sharedsecret Set radius alt-radius-name servernamestring Set vlan name string Set radius radius-port portnumber297 To make the Vlan vlan1 routable add the port lan-uplink 298 Set dslf-lanmgmt option off on Set upnp option on off299 300 301 302 Vdsl Settings 303 Vdsl Parameter Defaults Vdsl Parameters Accepted Values 304 Parameter 305 Etsi M2 CAB 306 307 308 309 310 311 Glossary 312 313 314 315 Ethernet crossover cable. See crossover cable 316 317 318 319 320 321 322 323 324 325 326 327 Description Software and protocols 328 329 Agency approvalsNorth America International 330 Manufacturer’s Declaration of Conformance Declaration for Canadian users 331 Australian Safety Information Important Safety InstructionsTelecommunication installation cautions 332 333 CFR Part 68 Information 334 Electrical Safety Advisory 335 Overview of Major Capabilities PPPoE/PPPoA Point-to-Point Protocol over Ethernet/ATM Wide Area Network TerminationInstant-On PPP 336 Dhcp Dynamic Host Conﬁguration Protocol Server Simpliﬁed Local Area Network SetupDNS Proxy 337 Management DiagnosticsEmbedded Web Server 338 Password Protection Remote Access Control339 Network Address Translation NAT 340 Netopia Gateway 341 Netopia Advanced Features for NATInternal Servers Pinholes 342 Default ServerCombination NAT Bypass Conﬁguration IP-Passthrough 343VPN IPSec Pass Through VPN IPSec Tunnel Termination 344Stateful Inspection Firewall SSL Certiﬁcate Support 345 Index 346 347 NAT 255, 262 348 NTP 349 350