TCP/IP packet filtering

After the filter name, rule number and permit/deny, IP rules start with the following parameters:

<source address/mask> <destination address/mask> <tcp udp icmp>

Depending on the protocol, there can be more options following these parameters. See TCP and UDP parameters and Filtering ICMP packets (below) for more information.

Source Address

The address given here is compared to the source address of the packet. Note that only the part of the address specified by the mask field is used in the comparison. If a match is found, the packet is forwarded (rules containing permit) or discarded (rules containing deny).

The following rule example permits source addresses that match the first 16 bits of the given IP address (that is, addresses beginning with 192.77):

permit 192.77.200.203/16

Note: The source address and destination address fields generally are used to limit permitted access to trusted hosts and networks only, to explicitly deny access to hosts and networks that are not trusted, or to limit external access to a given host (for example, a web server or a firewall). For example, the following rule permits (SMTP) E-mail packets only if they are from the host 192.77.203.24.

permit 192.77.203.24/32 0.0.0.0/0 tcp dst eq 25
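To make the address/mask comparison concrete, the following is an added example that models the rule syntax described above in Python; it is not NETServer code and does not reproduce the device's implementation. It parses rules of the form shown on this page (`permit`/`deny`, source and optional destination `address/mask`, optional protocol, and the `dst eq <port>` qualifier from the SMTP example) and evaluates a packet against an ordered list of rules. Two behaviours are assumptions for the purpose of the example, not statements from the manual: the first matching rule decides the packet's fate, and a packet that matches no rule is dropped. The `Packet` class and the sample packets are constructed for the demonstration.

```python
"""Toy evaluator for the NETServer-style filter rules described on this page.

Added example, not the device's own code.  Assumptions (not from the manual):
  * rules are evaluated in order and the first match decides;
  * a packet matching no rule is denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str                              # "permit" or "deny"
    src: ipaddress.IPv4Network               # source address/mask
    dst: ipaddress.IPv4Network               # destination address/mask (0.0.0.0/0 = any)
    proto: Optional[str] = None              # "tcp", "udp", "icmp" or None for any
    dst_port: Optional[int] = None           # from "dst eq <port>", None for any


@dataclass
class Packet:
    """Constructed packet summary used only for this example."""
    src: str
    dst: str
    proto: str
    dst_port: Optional[int] = None


def parse_rule(text: str) -> Rule:
    """Parse e.g. 'permit 192.77.203.24/32 0.0.0.0/0 tcp dst eq 25'."""
    tokens = text.split()
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"rule must start with permit/deny and a source: {text!r}")
    # strict=False keeps host bits such as 192.77.200.203/16 and simply ignores
    # them, which is exactly the "only the masked part is compared" semantics.
    src = ipaddress.ip_network(tokens[1], strict=False)
    dst = ipaddress.ip_network(tokens[2], strict=False) if len(tokens) > 2 \
        else ipaddress.ip_network("0.0.0.0/0")
    proto = None
    if len(tokens) > 3:
        proto = tokens[3].lower()
        if proto not in ("tcp", "udp", "icmp"):
            raise ValueError(f"unknown protocol {tokens[3]!r}")
    dst_port = None
    rest = tokens[4:]
    if rest:
        # Only the "dst eq <port>" form shown on this page is supported here.
        if len(rest) == 3 and rest[0] == "dst" and rest[1] == "eq" and proto in ("tcp", "udp"):
            dst_port = int(rest[2])
        else:
            raise ValueError(f"unsupported qualifier {' '.join(rest)!r}")
    return Rule(tokens[0], src, dst, proto, dst_port)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field the rule constrains agrees with the packet."""
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.proto is not None and pkt.proto != rule.proto:
        return False
    if rule.dst_port is not None and pkt.dst_port != rule.dst_port:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return 'permit' or 'deny' for the packet (first match wins; default deny)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"  # assumption: no match means the packet is discarded


if __name__ == "__main__":
    smtp_rules = [parse_rule("permit 192.77.203.24/32 0.0.0.0/0 tcp dst eq 25")]
    print(evaluate(smtp_rules, Packet("192.77.203.24", "10.1.2.3", "tcp", 25)))   # permit
    print(evaluate(smtp_rules, Packet("192.77.203.25", "10.1.2.3", "tcp", 25)))   # deny
    net_rules = [parse_rule("permit 192.77.200.203/16")]
    print(evaluate(net_rules, Packet("192.77.1.1", "10.1.2.3", "udp", 53)))       # permit
    print(evaluate(net_rules, Packet("192.78.1.1", "10.1.2.3", "udp", 53)))       # deny
```

The `/16` case is the one worth noticing: the rule is written with a full host address, but only the first 16 bits take part in the comparison, so any 192.77.x.x source matches while 192.78.x.x does not.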

USRobotics NETServer/8, NETServer/16 manual TCP/IP packet filtering