Filtering Icmp packets, Type Description | USRobotics NETServer/16

Filtering ICMP packets

ICMP packets can only be filtered by type. So, the only option is:

type <icmp message type>

The ICMP message types are listed below. Note that most of them are error messages necessary for the correct operation of TCP/IP:

Type Description

0Echo Reply (Ping)

3Destination Unreachable

4Source Quench

5Redirect (change route)

8Echo Request (Ping)

11Time Exceeded for a Datagram

12Parameter Problem on a Datagram

13Timestamp Request

14Timestamp Reply

15Information Request

16Information Reply

17Address Mask Request

18Address Mask Reply

If you are concerned about security, filter out incoming type 5 messages. Sending ICMP redirects is an easy way for a vandal to change your routing tables.

deny icmp type 5

Although PING is useful for troubleshooting, it allows a poten- tial intruder to obtain a map of your network by systematically pinging every possible address. If you think this is a security risk, then filter out incoming type 8 packets or outgoing echo replies (type 0).

Packet Filters 8-15

Image 129

USRobotics NETServer/16, NETServer/8 manual Filtering Icmp packets, Type Description

Contents

NETServer/8 NETServer/16 Page Table of Contents Network Dial-in Access Reference Section Administrative Tools Limited Warranty Warranty and Service Service and Support Technical SupportVii Viii We welcome your suggestions for better documentation What’s New with Release 3.1? Chapter OverviewAdditional Software Enhancements Overview IP Address Spoofing Netmask TableAccounting Servers Accounting Server Support Randomized Hosts Multiple Name ServersRadius Accounting and ANI/DNIS Icmp Message Logging New Modem Port Features NETServer Overview IP Modem Sharing How do I get there from here? Security Administrative Utilities Chapter Basic Installation System Administrator RequirementsBasic Installation TCP/IP Reference Material Accessing the Command Line Getting Started First step for IPX or IP/IPX networks Getting the LAN port up and running Basic Installation IP Configuration You must also set the Broadcast Address. Type the following Ethernet802.3 ethernet802.2 ethernet802.2II ethernetII IPX Configuration Final Steps Recommended Global Configuration PasswordIP and IPX Default Gateways To set the IP gateway, type the following Save your work Name Service Basic Installation Chapter Configuration Overview How to Setup ApplicationsConfiguration Overview Application Section Where do I go from here? Commands are not case sensitive Command LineYou can abbreviate commands Separate a parameter and its value by a space Reboot when necessary Reset any ports you have changedHow to log out of the command line Save your changes Quick Command Overview Overview of configurable tables Global ConfigurationHosts Table Net0 LAN Port Configuration Initialization Script ConfigurationLocation Table Netmasks Table Packet Filter Table Port Type Port Configuration Routes Table Snmp Configuration User Table Configuration Overview Chapter IP Terminal Server Setup Terminal or Workstation SetupIP Terminal Server Setup NETServer Terminal Server Setup Overview Port Default Global DefaultUser Table Configuring a Port Terminal Server Detailed SetupSet the port type to User Login Set the port’s security Pass-Thru Login Create default user settings for the port Port Default Login Service Optional Friendly Stuff Save sport # Configure the user Adding a Remote User to the User TableAdd the user to the User Table Login Service Configure for dialback use? Example IP Terminal Server Case Studies NETServer will use ports 6, 7, and 8 for this application Save your work and reset all the ports Example IP Terminal Server Setup Chapter Network Dial In Access Dial-in User SetupNetwork Dial In Access Prework NETServer Setup for Network Dial-In Overview Configuration NETServer Dial-In Detailed Setup Dialback Users on this Port? Save the changes to flash memory Normal or dialback user? Create a new user Add configuration information for the user This is the user’s IP subnet mask. Use the following command Option can be any one of the following Configure the ports IP Remote Access Case Study Create a user table entry for the dialback user Create user table entries for the dial in users Save your work and reset the ports Connecting to the NETServer IPX Remote Access Create User Table entries for the dial in users Setup for NETServer Routing Overview Chapter LAN-to-LAN RoutingLAN-to-LAN Routing IPX routing LAN-to-LAN Routing NETServer Routing An Introduction to NETServer Routing LAN-to-LAN Routing How RIP Dynamically Builds the Routing Table Static vs. Dynamic Routes Establishing Connections to Remote Gateways How Packets are Routed Routing Procedure PAP Password Authentication Protocol PAP/CHAP Authentication Chap Setup for the NETServer Chap Challenge Example Configuring the Port LAN-to-LAN Routing Detailed Setup Creating a Dial-Out Group Adding a Remote Device to the Location Table Create a new location table entrySet Required Location Parameters This is the remote device’s IP address Set location location name netmask netmask Dial Group Number Multiple lines for a single connection Maximum Ports Create a Dial Script Set location Chicago script 1 atds slot#\r Connect Adding the Remote Device to the User Table Create a User Table EntryTell the NETServer about the Remote Device Set user user name protocol ppp slip Set netuser user name compression on off LAN-to-LAN Routing Case Study Add netuser nsb password xyzabc Setting Up NETServer a Setting Up NETServer B Now, save your work and reset the ports Testing the Connection What If I Don’t Want to Use Chap Authentication? Connecting to NETServer a from NETServer B Chapter Talking to the Modems Configure the port as a host deviceTCP/IP Modem Sharing Assign the modem a TCP port number Turn modem control carrier detect off Save your work and reset the port Implementing Security with Host Device Dial Out Configuring modems as Unix pseudo TTYs Talking to the Modems How To Modem Initialization ScriptsAdd a New Initialization Script Assign Text to an Initialization Script Use an Existing Initialization Script Delete an Initialization ScriptDisplaying an Initialization Script Initialization Script Example Default initialization string Sending AT commands to the modems Talking to the Modems Chapter Packet Filters Packet FiltersPacket Filters Packet Filters and the NETServer Types of Filters Information Sources Input filters vs. Output filters Adding Packet Filters Input filters vs. Output filters Filter Rule Format Rule TypeName Rule Number Permit or DenyOptions TCP/IP packet filtering Destination Address TCP and UDP parameters TCP UDP Standard Port Numbers FTP Packet Filtering Filtering RIP messages Client opens a control channel FTP Example Type Description Filtering Icmp packets IPX Rules IPX packet filtering Dsthost SAP Rule Options Edit a Packet Filter Editing Packet FiltersDelete a Packet Filter Rule Delete a Packet Filter View the Packet Filter Table View a Packet Filter Configuring the !root account Chapter Administrative ToolsChanging the command prompt Root Access Telnet Access Port Manually Connecting to a Remote Site Dial CommandNslogin, Rlogin and Telnet Commands Viewing Debug messages Troubleshooting Commands Turn off the output console by typing the following Ifconfig MTU Ping Ptrace Version Traceroute Show Show command Show flash Show arp Show netconns Show memory Show netstat Show sessions Show sap Administrative Tools Chapter Command Reference Global ConfigurationCommand Reference View the Global Configuration Table Get helpSave Changes Global user parameters Default HostAssigned Address Connect Message Randomize Hosts Global routing parameters Default Gateways IP Address Spoofing Default Route PAP Authentication NetBIOS Packet PropagationProxy ARP System Name Name Service ServiceServer name Domain name DNS Cache Reset Time-out Primary Radius Server Radius securityAlternate Radius Server Radius Secret Syslog Accounting Radius Accounting Icmp Logging Add a Host Hosts TableDelete a Host View the Hosts Table Location Table Bring Up the List of CommandsAdd a Location to the Location Table Change a Location’s Parameters Save Location Table Changes View the Location TableView a Particular Location Connection Type Location Table Parameters IP Address NetmaskIPX Network Protocol RoutingCompression Maximum Ports Dial Group High Water Mark Idle Time-out PPP Async Map MTU Output Filter Input FilterDial Script Send Reply Reset the Network Interface Card LAN Port Net0 Configuration View LAN Port Configuration LAN Port ParametersEthernet Status Interface Address Configured Ethernet Media Broadcast Address IPX Frame Type Set net0 ifilter filter name Add a netmask Netmask TableDelete a netmask View the netmask table Change a Port’s Parameters Save Port Configuration View the Ports Table To view all of the S-ports, use the following command Idle Port is idle View an Individual Port User Login Determining a Port’s TypeHost Device Device Service Network Login Message Dial In Port ParametersLine Hangup Security Pass-Thru Login Login Prompt User Login Port Parameters Dialback DelayAutolog Name Host Login Service Terminal Type IPX Network Number Hardwired Port Parameters Set s0 netmask netmask NETServer sends RIP information across Port Speed Serial Communications ParametersDatabits Stopbits Flow Control ParityHost Override Modem Control Routes Table Configuration Add a Route to the Routes TableChange a Route’s Information Delete a Routes Table Entry Save Routes Table ChangesView the IP Routes Table Flag Parameter Viewing the IPX Routes Table IP Parameters IPX Parameters Delete Snmp Hosts Snmp TableSave the Snmp Table Changes Enabling/Disabling Snmp View Snmp Table Snmp Table ParametersRead Community Name Write Community Name Write Hosts Read Hosts Add a User to the User Table User Table Delete a User Change a User’s ParametersSave User Table Changes View the User Table Login User Parameters Access FilterDialback Number Set user name service rlogin telnet netdata portmux Command Reference Dialback Network User Parameters IPX connections require the PPP protocol NETServer sends RIP information to the dial Set user filter name ofilter filter name Command Reference 16 port NETServer Hardware Appendix a Technical Specifications Maximum Output Power Power RequirementsMaximum Input Power Typical Input Power External Serial Port Console Technical Specifications A-3 10Base-T Ethernet Network Interface Card Technical Specifications A-5 Signal10Base-2 BNC Isolated GND Technical Specifications Token Ring⎯STP Connector Technical Specifications A-7Token Ring Network Interface Card Token Ring⎯UTP Connector Administration NETServer Firmware SpecificationsTechnical Specifications A-9 Routing Support PPP Specific Features Industry Standards SupportClient Dial-up Support Slip and PPP Client Software Support Technical Specifications A-11 Technical Specifications IPX Addressing Basics Appendix B Addressing SchemesIP Addressing Basics Addressing Schemes B-1 Address Classes SubnettingAddressing Schemes Addressing Schemes B-3 Mask Binary Subnets Hosts Reserved Addresses Addressing Schemes B-5 Supernetting Advanced TCP/IP Cidr Each Supernet is treated as a single entity Addressing Schemes B-7 Step two Select a range of addresses for each supernet Addressing Schemes B-9 Supernetting and the NETServer Why Perform an SDL Software Download? SDL Using a Direct Connection to a PCAppendix C Software Download Software Download C-1 Software Installation Make Backup Copies of the NETServer FirmwareLoading the Software Download SDL Program Starting SDL Software Download C-3 SDL Command Syntax Filename Prefixes Optional -d Parameter Software Download C-5 Entering SDL Mode Upgrading NETServer Firmware From the Windows Management Software Software Download C-7 Upgrading the Modem Firmware For the Isdn NETServer, the file names are Software Download C-9 Error Messages PC SDL program detected unknown command line argu- ments Software Download C-11 Invalid Control Word Software Download C-13 File you are trying to download is not a NETServer file Boot Process D-1 Appendix D Boot Process Boot Process Using Syslog Appendix E Syslog AccountingSyslog Accounting E-1 Spotting Unused Ports Syslog System MessagesSyslog System Message Format Syslog Accounting Syslog Accounting E-3 Syslog System Message Examples Someone has logged in as !root on port S16 Syslog Accounting E-5 Syslog Accounting Obtaining Radius Appendix F Security a Centrally Managed User Table Authentication Items Setting Up Radius User Table Entries Response Items Radius F-5 Framed-Netmask Radius F-7 User Types Radius F-9 Making NETServer talk to a Radius security server Chap authentication using Radius Radius Accounting Acct-Delay-TimeRadius accounting fields Acct-Status-Type Accounting Examples Acct-AuthenticAcct-Session-Time Radius Index Alphabetical Index Index Icmp MTU NIC PPP SAP Slip Index Index