How individual ﬁlters work, ﬁlter’s actions | Netopia R3100 manual

Security 15-7

How individual ﬁlters work

As described above, a ﬁlter applies criteria to an IP packet and then takes one of three actions:

A ﬁlter’s actions

■Passes the packet to the local or remote network

■Blocks (discards) the packet

■Ignores the packet

A ﬁlter passes or blocks a packet only if it ﬁnds a match after applying its criteria. When no match occurs, the ﬁlter ignores the packet.

The criteria are based on information contained in the packets. A ﬁlter is simply a rule that prescribes certain actions based on certain conditions. For example, the following rule qualiﬁes as a ﬁlter:

A ﬁltering rule

Block all Telnet attempts that originate from the remote host 199.211.211.17.

This rule applies to Telnet packets that come from a host with the IP address 199.211.211.17. If a match occurs, the packet is blocked.

Here is what this rule looks like when implemented as a ﬁlter on the Netopia R3100:

+-#--	Source IP Addr--	Dest IP Addr-----	Proto-Src.Port-D.Port--	On?-Fwd-+
+--------------------------------------------------------------------				+
1	199.211.211.17	0.0.0.0	TCP 23	Yes No
+--------------------------------------------------------------------				+

To understand this particular ﬁlter, look at the parts of a ﬁlter.

Parts of a ﬁlter

A ﬁlter consists of criteria based on packet attributes. A typical ﬁlter can match a packet on any one of the following attributes:

■The source IP address (where the packet was sent from)

■The destination IP address (where the packet is going)

■The type of higher-layer Internet protocol the packet is carrying, such as TCP or UDP

Image 185

Netopia R3100 manual How individual ﬁlters work, ﬁlter’s actions, ﬁltering rule, Parts of a ﬁlter

Contents

Netopia R3100 Isdn Routers Part Number Contents Ii User’s Reference Guide Part II Advanced Configuration Iv User’s Reference Guide Aurp Vi User’s Reference Guide Part III Appendixes Viii User’s Reference Guide Contents User’s Reference Guide Conﬁguration options for your Netopia R3100 Isdn Router Small Ofﬁce connection to the Internet Small Ofﬁce connection to the Internet Direct Connection to a Corporate Ofﬁce Telecommuter Conﬁgured to accept incoming dial-up connections Conﬁgured for Idsl Part I Getting Started User’s Reference Guide Chapter Introduction Features and capabilitiesOverview Introduction How to use this guide Find a location Chapter Making the Physical ConnectionsWhat you need Making the Physical Connections Identify the connectors and attach the cables Netopia R3100 Isdn Router Back Panel Ports Cable to your router on Services on Netopia R3100 LED front panel Netopia R3100 Isdn Router Status Lights Setting up your Router with the SmartStart Wizard Chapter Setting up your Router with the SmartStart Wizard Before running SmartStart SmartStart Wizard conﬁguration screens Setting up your Router with the SmartStart Wizard Easy option Easy or Advanced setup Setting up your Router with the SmartStart Wizard User’s Reference Guide Setting up your Router with the SmartStart Wizard User’s Reference Guide Advanced option Connection Proﬁle screen on Conﬁguration tab Dynamic conﬁguration recommended Static conﬁguration optional Add. Repeat this process for the secondary DNS TCP/IP Conﬁguring TCP/IP on Macintosh computers TCP/IP or MacTCP Dynamic conﬁguration using MacIP optional Setting up your Router with the SmartStart Wizard User’s Reference Guide Connecting Your Local Area Network Chapter Connecting Your Local Area Network Readying computers on your local network 10Base-T Connecting to an Ethernet network 10BASE-T Remote console Connecting to a LocalTalk network Wiring guidelines for PhoneNET cabling User’s Reference Guide SmartView Chapter SmartViewSmartView overview General Machine information Navigating SmartView Event history pages Connection Proﬁles Device Event History WAN Event History Standard Html web-based monitoring pages User’s Reference Guide Console-based Management Chapter Console-based ManagementAbout Console-based Management Connecting through a Telnet session Conﬁguring Telnet software Connecting a local terminal console cable to your router PC ANSI-BBS Navigating through the console screens User’s Reference Guide Easy Setup console screens Chapter Easy SetupHow to access the Easy Setup console screens Easy Setup See Appendix A, Troubleshooting, for more suggestions Isdn Easy Setup Beginning Easy Setup PPP Cancel Idsl Easy Setup Previous Screen Easy Setup Proﬁle User’s Reference Guide Previous Screen Next Screen IP Easy Setup Easy Setup Security Conﬁguring Frame Relay Isdn Easy Setup Frame Relay screens WAN Conﬁguration Frame Relay screens Setup Isdn Line Configuration Frame Relay conﬁguration Easy Setup Frame Relay Dlci conﬁguration Displaying a Frame Relay Dlci conﬁguration table Changing a Frame Relay Dlci conﬁguration Adding a Frame Relay Dlci conﬁguration ADD Dlci NOW Cancel Deleting a Frame Relay Dlci conﬁguration Part II Advanced Configuration User’s Reference Guide WAN and System Conﬁguration Chapter WAN and System ConfigurationCreating a new Connection Proﬁle Add Connection Proﬁle screen appears IPX Profile Parameters Remote IPX Network BAP Telco Options Initiate Data Service 64 kb/sec Dial Default Proﬁle How the default proﬁle works Configuration Default Profile Customizing the Default Proﬁle IP parameters default proﬁle screen WAN and System Conﬁguration Auxiliary Port Conﬁguration IPX parameters default proﬁle screen System Conﬁguration screens System Conﬁguration features PAP Filter Sets Firewalls Network Protocols SetupIP Address Serving Date and Time MM/DD/YY Console Conﬁguration Upgrade Feature SetSnmp Simple Network Management Protocol Security Logging Telephone setup Nov Specifying telephone connections Chapter Using SmartPhone for Telephone ServicesUsing SmartPhone for Telephone Services Inbound Directory Number Using SmartPhone for Telephone Services Preview Ring Deﬁning priority ringing Line provisioning Advanced calling features Conﬁguring supplementary services Call Accounting and Default Answer Proﬁle Chapter Call Accounting and Default Answer ProfileCost control feature -- call accounting Viewing call accounting statistics Call Accounting Statistics screen appears Scheduled connections Viewing scheduled connections Adding a scheduled connection Set Weekly Schedule Set Once-Only Schedule How the Default Answer Proﬁle works Default Answer ProﬁleModifying a scheduled connection Deleting a scheduled connection Customizing the default proﬁle Call Accounting and Default Answer Proﬁle Call acceptance scenarios IP Setup and Network Address Translation Chapter IP Setup and Network Address TranslationNetwork Address Translation features HOW NAT Works Using Network Address Translation ISP Network Address Translation guidelines Using multiple Connection ProﬁlesAssociating port numbers to nodes IP setup IP Setup and Network Address Translation Select Add Export. The Add Exported Service screen appears IP Setup IP subnets IP Setup and Network Address Translation Static routes Viewing static routes Adding a static route Deleting a static route Rules of static route installationModifying a static route Main System IP Address Menu Configuration Serving 163.176.56.90 Dhcp NetBIOS Options MacIP Kip Forwarding Options You have ﬁnished your IP Setup IPX Features Chapter IPX SetupIPX Setup IPX Deﬁnitions IPX address Service Advertising Protocol SAPSocket Routing Information Protocol RIP IPX Spooﬁng NetBIOSIPX setup Default Gateway Address IPX routing tables User’s Reference Guide AppleTalk Setup Chapter AppleTalk SetupInstalling AppleTalk AppleTalk protocol AppleTalk networks AppleTalk Setup Aurp MacIP Routers and seeding Conﬁguring AppleTalk EtherTalk Setup LocalTalk Setup Aurp Free Trade Zone Aurp setupViewing Aurp partners Modifying an Aurp partner Adding an Aurp partner Conﬁguring Aurp Options Deleting an Aurp partnerReceiving Aurp connections User’s Reference Guide Monitoring Tools Chapter Monitoring ToolsQuick View status overview General status Status lights Current status General Statistics Statistics & Logs Network Interface Event historiesPhysical Interface Request from our DN WAN Event History Device Event History Routing tables IP routing table AppleTalk routing table IPX routing tableIPX Sap Bindery table Served IP Addresses IP Address Lease Management screen appears Snmp System Information Community strings Snmp Setup screen Snmp traps Viewing IP trap receivers Setting the IP trap receiversModifying IP trap receivers Deleting IP trap receivers User’s Reference Guide Security Chapter SecuritySuggested security measures Protecting the conﬁguration screens User accountsProtecting the Security Options screen Dial-in Console Access Telnet access Enable SmartStart/SmartView/Web ServerAbout ﬁlters and ﬁlter sets What’s a ﬁlter and what’s a ﬁlter set? Filter priority How ﬁlter sets work Packet First filter Match? Yes ﬁlter’s actions How individual ﬁlters workﬁltering rule Parts of a ﬁlter Port number comparisons Port numbers Putting the parts together Other ﬁlter attributes Filtering example #1 UDP Filtering example #2 Design guidelines Disadvantages of ﬁlters An approach to using ﬁltersWorking with IP ﬁlters and ﬁlter sets Adding a ﬁlter set Input and output ﬁlters-source and destination Naming a new ﬁlter set Adding ﬁlters to a ﬁlter set Netopia R-series Router ADD this Filter NOW Cancel Viewing ﬁlters Viewing ﬁlter setsModifying ﬁlters Deleting ﬁlters Sample IP ﬁlter set Modifying ﬁlter setsDeleting a ﬁlter set TCP Icmp UDP Possible modiﬁcations Security IPX ﬁlters Adding a packet ﬁlter IPX packet ﬁltersViewing and modifying packet ﬁlters Deleting a packet ﬁlter IPX packet ﬁlter setsViewing and modifying packet ﬁlter sets Adding a packet ﬁlter set ADD Filter SET NOW Cancel Viewing and modifying SAP ﬁlters IPX SAP ﬁltersDeleting a packet ﬁlter set Adding a SAP ﬁlter Deleting a SAP ﬁlter IPX SAP ﬁlter setsViewing and modifying SAP ﬁlter sets Adding a SAP ﬁlter set Deleting a SAP ﬁlter set Basic Protocol Types Firewall tutorial General Firewall TermsBasic IP Packet Components Firewall Logic Firewall design rulesExample TCP/UDP Ports Implied Rules Binary RepresentationLogical ANDing Example IP Filter Set Screen Filter BasicsEstablished Connections Example Example FiltersExample Network Example Example Using the SecurID token card Token Security AuthenticationKey Security Authentication Features of the Netopia R3100 Securing network environments Conﬁguring for security authentication Security authentication components Establishing a dial-on-demand DOD connection call Connecting using security authentication Current Connection Status Establishing a manual connection call User’s Reference Guide Utilities and Diagnostics Chapter Utilities and Diagnostics Start Ping Ping Utilities and Diagnostics Stop Ping Telnet client Telnet client screen appears Trace Route Secure Authentication Monitor Transferring conﬁguration and ﬁrmware ﬁles with Tftp Factory defaultsDisconnect Telnet Console Session Updating ﬁrmware Uploading conﬁguration ﬁles Downloading conﬁguration ﬁles Transferring conﬁguration and ﬁrmware ﬁles with Xmodem Do you want to send a saved configuration to your Netopia? Restarting the system Isdn Switch Loopback Test User’s Reference Guide If the loopback test fails Part III Appendixes User’s Reference Guide Troubleshooting A-1 Appendix a TroubleshootingConﬁguration problems Network problems SmartStart TroubleshootingConsole connection problems How to get support Power outagesTechnical support Before contacting Netopia FAX-Back Online product information Finding an Isdn service provider Appendix B Setting Up Telco ServicesObtaining an Isdn line Choosing an Isdn line Isdn Ordering Codes Setup tipsPhysical Isdn line Outside North America only Switch protocol typeDirectory and Spid numbers U models only Circuit ID number U models only Long-distance Isdn calls North American models only Testing the Isdn line Completing the Isdn worksheet Isdn Telco Worksheet for North America Isdn Telco Worksheet for Outside North America User’s Reference Guide North American Telco Provisioning for Isdn Appendix C North American Telco Provisioning for Isdn User’s Reference Guide Finding an Internet service provider Appendix D Setting Up Internet ServicesSetting Up Internet Services D-1 Unique requirements Pricing and support Setting up a Netopia R3100 accountISP’s Point of presence Endorsements Deciding on an ISP account Local LAN IP address information to obtain Obtaining information from the ISPWith Network Address Translation Remote WAN IP address information to obtain Remote WAN IP address information to obtain Appendix E Understanding IP Addressing What is IP?About IP addressing Understanding IP Addressing E-1 Subnets and subnet masks Subnet masks Example Using subnets on a Class C IP internetUnderstanding IP Addressing E-3 ISP Network Network conﬁguration Distributing IP addresses Example Working with a Class C subnetUnderstanding IP Addressing E-5 Background Technical note on subnet masking Conﬁguration Netopia R3100 Dhcp Server CharacteristicsUnderstanding IP Addressing E-7 Dhcp Address Serving Manually distributing IP addresses Using address servingTips and rules for distributing IP addresses MacIP Serving Dhcp example Understanding IP Addressing E-9 Internet Nested IP subnets Understanding IP Addressing E-11 Packet header types Broadcasts Network Conﬁguration Appendix F Understanding Netopia NAT BehaviorBackground Understanding Netopia NAT Behavior F-1 User’s Reference Guide Understanding Netopia NAT Behavior F-3 Router Netopia Router Netopia Understanding Netopia NAT Behavior F-5 Exported services Important notes Understanding Netopia NAT Behavior F-7 Summary Understanding Frame Relay G-1 Appendix G Understanding Frame RelayVirtual Circuits Excess Burst Size Be Committed Information Rate CIRCommitted Burst Size Bc Local and Global DLCIs AddressingLocal Management Interface LMI Understanding Frame Relay G-3 Frame Relay partial mesh support Encapsulation and FragmentationNetwork Protocol Addressing and Virtual Interfaces Understanding Frame Relay G-5 User’s Reference Guide Leased line events Appendix H Event HistoriesIsdn events Event Histories Isdn event cause codes Event Histories User’s Reference Guide Event Histories User’s Reference Guide Deﬁnitions Appendix Isdn Conﬁguration GuideAbout SPIDs Isdn Conﬁguration Guide Dynamic B-channel usage Example SPIDs Other incoming call restrictions User’s Reference Guide Binary Conversion Table J-1 Appendix J Binary Conversion Table Decimal Binary Further Reading K-1 Appendix K Further Reading User’s Reference Guide Further Reading K-3 User’s Reference Guide Pinouts for Auxiliary Port Modem Cable Appendix L Technical Specifications and Safety InformationTechnical Speciﬁcations and Safety Information L-1 DSR Technical Speciﬁcations and Safety Information L-3 Power requirementsDescription Environment Regulatory notices Agency approvalsNorth America International Technical Speciﬁcations and Safety Information L-5 Declaration for Canadian users Important safety instructionsAustralian Safety Information Battery Technical Speciﬁcations and Safety Information L-7Telecommunication installation cautions User’s Reference Guide Glossary Glossary User’s Reference Guide Glossary User’s Reference Guide Glossary Remapping See network number remapping Glossary User’s Reference Guide Index-1 Index Index-2 ISP Index-3 NAT Index-4 Spid Index-5 Index-6 Limited Warranty and Limitation of Remedies Limited Warranty and Limitation of Remedies User’s Reference Guide