160, Filtering example #1 | Netopia 2200 manual

•Fwd: Shows whether the ﬁlter forwards (Yes) a packet or discards (No) it when there’s a match.

•Src-IP:The packet source IP address to match.

•Src-Mask:The packet source subnet mask to match.

•Dst-IP:The packet destination IP address to match.

•Dst-Mask:The packet destination IP address to match.

•Protocol: The protocol to match. This can be entered as a number (see the table below) or as TCP or UDP if those protocols are used.

Protocol	Number to use	Full name


N/A	0	Ignores protocol type

ICMP	1	Internet Control Message Protocol

TCP	6	Transmission Control Protocol

UDP	17	User Datagram Protocol

•Src Port: The source port to match. This is the port on the sending host that originated the packet.

•Dst Port: The destination port to match. This is the port on the receiving host for which the packet is intended.

•NC: Indicates No Compare, where speciﬁed.

Filtering example #1

Returning to our ﬁltering rule example from above (see page 157), look at how a rule is translated into a ﬁlter. Start with the rule, then ﬁll in the ﬁlter’s attributes:

•The rule you want to implement as a ﬁlter is:

“Block all Telnet attempts that originate from the remote host 199.211.211.17.”

•The host 199.211.211.17 is the source of the Telnet packets you want to block, while the destination address is any IP address. How these IP addresses are masked deter- mines what the ﬁnal match will be, although the mask is not displayed in the table that displays the ﬁlter sets (you set it when you create the ﬁlter). In fact, since the mask for the destination IP address is 0.0.0.0, the address for Destination IP address could have been anything. The mask for Source IP address must be 255.255.255.255 since an exact match is desired.

160

Image 160

Netopia 2200 manual 160, Filtering example #1

Contents

Netopia Software User Guide Copyright Table of Contents Expert Mode Security 146 Basic Troubleshooting Command Line Interface 221 Table of Contents Glossary Overview of Major Capabilities Index Introduction What’s New About Netopia Documentation Intended Audience Command Line Interface Documentation ConventionsGeneral Internal Web Interface Bold terminal type User-entered text face Organization Word About Example ScreensPage Basic Mode Setup Important Safety Instructions Power Supply Installation Achtung Wichtige SicherheitshinweiseBewahren Sie diese Anweisungen auf Setting up the Netopia Gateway Microsoft Windows Then go to Step Macintosh MacOS 8 or higher or Mac OS Proceed to Conﬁguring the Netopia Gateway on Conﬁguring the Netopia Gateway MiAVo Vdsl and Ethernet WAN models Quickstart Click the Connect to the Internet button PPPoE Quickstart Configuring the Netopia Gateway Netopia Gateway Status Indicator Lights Home Page Basic Mode DNS Link Manage My Account Link Status Details Link Enable Remote Management Link Expert Mode Link Update Firmware Link Factory Reset Accessing the Expert Web Interface Open the Web ConnectionPage Home Page Expert Mode Summary Information Home Page InformationField Status and/or Description Dhcp Navigating the Web Interface ToolbarLink Breadcrumb Trail Restart Button Restart Link Alert Symbol Help Button Help Button Conﬁgure ConﬁgureLink Quickstart Click Connect to the Internet Link LAN Configure Page Wireless supported models Privacy Configure Page Advanced Page About Closed System Mode Page Examples WPA Version Allowed Multiple SSIDs Wireless MAC Authorization Page Configure Use Radius Server Advanced Network Conﬁguration page appears IP Gateway WAN IP InterfacesOther WAN Options Available Encapsulation types Available Multiplexing types Sustained Cell Rate SCR Class Transmit Priority Comments Link Advanced Link IP Static Routes IP Static Route Entry page appearsPage Link IP Static ARP Link Pinholes TCP Tips for making Pinhole Entries Gateway Pinhole Conﬁguration Procedure. Use the following steps Page Configure Link IPMaps Ple static IPMaps Block Diagram Netopia Gateway WAN Interface LAN Interface192.168.1.1 192.168.1.2 Link Default Server Internet Gateway NAT LAN STN #2 Configure Page Link Differentiated Services Page QoS Setting TOS Bit Value Behavior Link DNS Link Dhcp Server Configure Link Radius Server Link Snmp Page Link Igmp Internet Group Management Protocol Page Configure Link UPnP 100 Link LAN Management 101 Link Advanced Ethernet Bridge 102 Conﬁguring for Bridge Mode 103 Enable Concurrent Bridging/Routing checkbox 104 105 Link Vlan 106 107 108 Enable Multiple Wireless IDs onVlan Port Conﬁguration screen appears 109 110 Link Syslog Parameters 111 112 Administration Related Log Messages Log Event Messages113 System Log Messages 114 Access-related Log MessagesDSL Log Messages most common 115 Mented packet Link Software Hosting Link Internal Servers116 117 List of Supported Games and Software 118 FTP Rename a UserPC 119 Link Clear Options 120 Link Time Zone 121 Button Security Security122 Link Passwords 123 124 Conﬁguring for a BreakWater Setting Link Firewall125 Use a Netopia Firewall 126 Tips for making your BreakWater Basic Firewall Selection 127Basic Firewall Background BreakWater Setting ClearSailing SilentRunning LANdLocked 128 129 Link IPSec 130 SafeHarbour IPSec VPN 131 132 Conﬁguring a SafeHarbour VPN IPSec Tunnel Details Parameter Setup Worksheet 133 134 Parameter Descriptions on page 136 as required 135 Make the Tunnel Details entries Parameter Descriptions 136Field Description 137 PAT Address 138 Soft MBytes 139 Link Stateful Inspection Stateful Inspection Firewall installation procedure140 Exposed Addresses 141 142 143 Stateful Inspection Options 144 145 Open Ports in Default Stateful Inspection InstallationPort Protocol Description LAN Private WAN Public Interface Firewall Tutorial General ﬁrewall termsBasic IP packet components 146 Basic protocol types 147 Example TCP/UDP Ports TCP Port Service Firewall design rules148 Firewall Logic 149 Implied rules 150 Example ﬁlter set Filter basics 151What it means Example network 152 Example ﬁltersExample 153 Link Packet Filter 154 How ﬁlter sets work What’s a ﬁlter and what’s a ﬁlter set?155 156 How individual ﬁlters workFilter priority ﬁltering rule 157Parts of a ﬁlter Port numbers 158Port number comparisons Other ﬁlter attributes 159Putting the parts together 160 Filtering example #1 161 162 Filtering example #2 Design guidelines An approach to using ﬁlters163 Adding a ﬁlter set Working with IP Filters and Filter Sets164 Adding ﬁlters to a ﬁlter set 165 166 Netopia Router 167 168 Enter the Source Mask for the source IP address 169 Viewing ﬁlters Deleting a ﬁlter set 170Modifying ﬁlters Deleting ﬁlters Associating a Filter Set with an Interface 171 172 TOS ﬁeld matching Policy-based Routing using Filtersets173 174 175 Link Security Log Using the Security Monitoring Log176 177 178 Timestamp Background Button Install Install179 Link Install Software 180 Netopia ﬁrmware Image File Required Files181 Click the Install Software button 182 183 Verify the Netopia Firmware Release Link Install Keys Use Netopia Software Feature KeysObtaining Software Feature Keys Procedure Install a New Feature Key File 185 To check your installed features 186 187 Link Install Certiﬁcate 188 189 190 Basic Troubleshooting 191 Status Indicator Lights 192Action Ethernet 193 Ethernet 1, 2, 3 Wireless 194 195 DSL Sync 196 197 Special patterns 198 LAN 1, 2, 3 199 DSL Sync Front View 200 LED Function Summary Matrix 201 202 EN Link UnlitActive Link Factory Reset Switch 203 3397GP 2247NWG3347W/3357W 2240N Advanced Troubleshooting 205 Home 206 207 Status of Connection Button Troubleshoot Expert Mode208 Link System Status 209 Link Ports Ethernet 210 Link Ports DSL 211 Link IP Interfaces 212 Link DSL Circuit Conﬁguration 213 Link System Log Entire 214 Link Diagnostics 215 Link Network Tools 216 217 218 If Ping is not successful, possible causes are 219 220 Command Line Interface 221 Overview 222 223 Command Verbs Status and/or DescriptionKeywords Starting and Ending a CLI Session LoggingEnding a CLI Session 224 Using the CLI Help Facility About Shell CommandsSaving Settings Shell Command Shortcuts Shell Commands Common Commands Diagnose Download serveraddress ﬁlename conﬁrmDownload -cert serveraddress ﬁlename conﬁrm 227 Install serveraddress ﬁlename conﬁrm License keyLoglevel level 228 Netstat -r Netstat229 Reset arp Reset atmReset crash Reset dhcp server Reset ipmap Reset logReset security-log Reset wan-users all ip-address Show features Show conﬁgShow crash Show dhcp agent Show ip igmp Show ip interfacesShow ip ipsec Show ip ﬁrewall Show wireless all Show wireless clients MACaddressShow log Show memory all Upload serveraddress ﬁlename conﬁrm View conﬁgWho 235 WAN Commands Config Mode Prompt About Config CommandsNavigating the Config Hierarchy Netopia-3000/9437188 top quit 238 Entering Commands in Config Mode Set ip ethernet a ipaddressSet ip ethernet a 239 Guidelines Config Commands Displaying Current Gateway SettingsStep Mode a CLI Conﬁguration Technique 240 Validating Your Conﬁguration 241 Config Commands DSL Commands Set atm vcc n qos sustained-cell-rate 1 ...n Set atm vcc n qos max-burst-size 1 ...nSet atm vcc n vpi 0 Set atm vcc n vci 0 Bridging Settings Set atm vccn pppoe-sessions 1Set bridge sys-bridge on off Set bridge concurrent-bridging-routing on off Set bridge table-timeout 30 Dhcp SettingsSet bridge ethernet option on off Set bridge dsl vccn option on off Set dhcp start-address ipaddress Set dhcp end-address ipaddressSet dhcp lease-time lease-time Set dhcp server-address ipaddress DMT Settings Set dmt wiringMode auto tipring AA1Set dmt metallic-termination auto disabled alwayson Set dmt autoConﬁg off on Domain Name System Settings Set dns proxy-enableSet dns domain-name domain-name Set dns primary-address ipaddress Igmp Settings Set igmp snooping off onSet igmp robustness value Set igmp query-intvl value IP Settings Set ip arp-timeout 60Set ip option on off Set ip dsl vccn address ipaddress Set ip dsl vccn restriction admin-disabled none Set ip dsl vccn netmask netmaskSet ip dsl vccn addr-mapping on off Set ip dsl vccn rip-send off v1 v2 v1-compat v2-MD5 Set ip dsl vccn rip-receive Off v1 v2 v1-compat v2-MD5 Set ip ethernet a option on offSet ip ethernet a address ipaddress Set ip ethernet a broadcast broadcastaddress Set ip ethernet a restrictions none admin-disabled Set ip ethernet a netmask netmaskSet ip ethernet a rip-send Off v1 v2 v1-compat v2-MD5 253 Set ip ethernet a rip-receive off v1 v2 v1-compat v2-MD5 Set ip gateway option on offSet ip gateway interface ip-address ppp-vccn Set ip ip-ppp vccn option on off Set ip ip-ppp vccn restriction admin-disabled none Set ip ip-ppp vccn address ipaddressSet ip ip-ppp vccn peer-address ipaddress Set ip ip-ppp vccn addr-mapping on off Set ip ip-ppp vccn rip-receive off v1 v2 v1-compat v2-MD5 Set ip ip-ppp vccn rip-send off v1 v2 v1-compat v2-MD5256 Set ip static-arp ip-addressipaddress Set ip igmp-forwarding off onSet ip ipsec-passthrough off on 257 Set ip prioritize off on Set diffserv option off onSet diffserv lohi-ratio 60 100 percent 258 259 Set ip static-routes destination-networknetaddress Set ip sip-passthrough on off260 Delete ip static-routes destination-network netaddress 261 IPMaps Settings Network Address Translation NAT Default Settings Set nat-default host-hardware-address MACaddress Network Address Translation NAT Pinhole SettingsSet pinhole name name Set pinhole name name protocol-select tcp udp PPPoE /PPPoA Settings Set ppp module vccn mru integer Set ppp module vccn magic-number on offSet ppp module vccn protocol-compression on off Set ppp module vccn lcp-echo-requests on off Set ppp module vccn restart-timer integer Set ppp module vccn conﬁgure-max integerSet ppp module vccn terminate-max integer Set ppp module vccn connection-type instant-on always-on Set ppp module vccn port-authentication username username Set ppp module vccn port-authentication password passwordEthernet Port Settings Command Line Interface Preference Settings Set preference more lines 268 Port Renumbering Settings Set servers web-http 1Set servers telnet-tcp 1 269 Security Settings Set security ipsec option off on offSet security ipsec tunnels name 270 Set security ipsec tunnels name 123 tun-enable on on off 271 Set security ipsec tunnels name 123 IKE-mode DH-group 1 1 2 272 Set security ipsec tunnels name 123 xauth enable off on Set security ipsec tunnels name 123 xauth password passwordSet security ipsec tunnels name 123 nat-enable on off Set security ipsec tunnels name 123 xauth username username Set security ipsec tunnels name 123 remote-id idvalue Set security ipsec tunnels name 123 local-id idvalue274 275 Set security state-insp tcp-timeout 30 276 Set security state-insp xposed-addr exposed-address# n Set security state-insp udp-timeout 30277 Packet Filtering Settings 278 279 280 281 Snmp Settings System Settings Set snmp notify type v1-trap v2-trap informSet system name name 283 Set system idle-timeout telnet 1...120 http 1 Set system username administrator name user nameSet system log-size 10240 Set system persistent-log off on Sleep Contact-email string@domainname location string Set system password admin user285 286 Set system zerotouch redirect-url redirection-URL Set system zerotouch option on off287 Syslog 289 Set security state-insp eth B option on Wireless Settings supported models Set wireless multi-ssid option on off Set wireless mode both-b-and-g b-only g-only291 292 Set wireless tx-power full medium fair low minimal Set wireless no-bridging off on293 Set wireless network-id privacy default-keyid Set wireless network-id privacy pre-shared-key string294 Example 40bit key 02468ACE02 295Example 256bit key Set wireless mac-auth option on off Set radius radius-name servernamestringSet radius radius-secret sharedsecret Set radius alt-radius-name servernamestring Set vlan name string Set radius radius-port portnumber297 298 To make the Vlan vlan1 routable add the port lan-uplink Set dslf-lanmgmt option off on Set upnp option on off299 300 301 Vdsl Settings 302 Vdsl Parameter Defaults 303 304 Vdsl Parameters Accepted Values 305 Parameter 306 Etsi M2 CAB 307 308 309 310 Glossary 311 312 313 314 315 316 Ethernet crossover cable. See crossover cable 317 318 319 320 321 322 323 324 325 326 Description 327 328 Software and protocols Agency approvals 329North America International Manufacturer’s Declaration of Conformance 330 331 Declaration for Canadian users Important Safety Instructions Australian Safety InformationTelecommunication installation cautions 332 CFR Part 68 Information 333 Electrical Safety Advisory 334 Overview of Major Capabilities 335 Wide Area Network Termination PPPoE/PPPoA Point-to-Point Protocol over Ethernet/ATMInstant-On PPP 336 Simpliﬁed Local Area Network Setup Dhcp Dynamic Host Conﬁguration Protocol ServerDNS Proxy 337 Diagnostics ManagementEmbedded Web Server 338 Remote Access Control Password Protection339 Network Address Translation NAT Netopia Gateway 340 Netopia Advanced Features for NAT 341Internal Servers Pinholes 342 Default ServerCombination NAT Bypass Conﬁguration IP-Passthrough 343VPN IPSec Pass Through 344 VPN IPSec Tunnel TerminationStateful Inspection Firewall SSL Certiﬁcate Support Index 345 346 NAT 255, 262 347 NTP 348 349 350