Netopia R5100, R5200, R5300 HH, rrkk, oorr, wwoo, ss ww, aallll ff, uuaa, dduu, vviiiidd, ddiiii vv, nndd, ww iiii nn, ooww, HHoo, kk

Security 13-7

HHHHoooowwww iiii nnnnddddiiii vvvviiiidddduuuuaaaallll ff

ffiiii lllltt

ttee

eerr

rrss

ss wwwwoooorrrrkkkk

As described above, a ﬁlter applies criteria to an IP packet and then takes one of three actions

AA ff

ffiiiilllltt

ttee

eerr

rr’’’’ss

ss aa

aacc

cctt

ttiiiioo

oonn

nnss

■forwards the packet to the local or remote network

■Blocks (discards) the packet

■Ignores the packet

A ﬁlter forwards or blocks a packet only if it ﬁnds a match after applying its criteria. When no match occurs, the

ﬁlter ignores the packet.

AA ff

ffiiiilllltt

ttee

eerr

rriiiinn

nngg

gg rr

rruu

uullllee

The criteria are based on information contained in the packets. A ﬁlter is simply a rule that prescribes certain

actions based on certain conditions. For example, the following rule qualiﬁes as a ﬁlter:

Block all Telnet attempts that originate from the remote host 199.211.211.17.

This rule applies to Telnet packets that come from a host with the IP address 199.211.211.17. If a match

occurs, the packet is blocked.

Here is what this rule looks like when implemented as a ﬁlter on the Netopia R5000 Series Router:

To understand this particular ﬁlter, look at the parts of a ﬁlter.

PP aa

aarr

rrtt

ttss

ss oo

ooff

ff aa

aa ff

ffiiiilllltt

ttee

eerr

A ﬁlter consists of criteria based on packet attributes. A typical ﬁlter can match a packet on any one of the

following attributes:

■The source IP address (where the packet was sent from)

■The destination IP address (where the packet is going)

■The type of higher-layer Internet protocol the packet is carrying, such as TCP or UDP

PP oo

oorr

rrtt

tt nn

nnuu

uumm

mmbb

bbee

eerr

rrss

A ﬁlter can also match a packet’s port number attributes, but only if the ﬁlter’s protocol type is set to TCP or

UDP, since only those protocols use port numbers. The ﬁlter can be conﬁgured to match the following:

■The source port number (the port on the sending host that originated the packet)

■The destination port number (the port on the receiving host that the packet is destined for)

+-#--Source IP Addr--Dest IP Addr-----Proto-Src.Port-D.Port--On?-Fwd-+

+--------------------------------------------------------------------+

| 1 199.211.211.17 0.0.0.0 TCP 23 Yes No |

+--------------------------------------------------------------------+