Lucent Technologies 6000 User Manual
Page 551

Defining Static Filters
Defining IP filters
MAX 6000/3000 Network Configuration Guide
15-15
Examples of an IP filter to prevent local address spoofing
IP address spoofing typically occurs when a remote device illegally acquires a local address 
and uses it to try to break through a data filter. This section presents an example of a data filter 
that prevents IP address spoofing. 
The sample filter first defines two input filters that drop packets whose source address is on the 
local IP network or is the loopback address (127.0.0.0). With these specifications, the MAX 
drops an inbound packet with one of these source addresses. The third input filter accepts all 
remaining source addresses (by specifying a source address of 0.0.0.0) and forwards them to 
the local network. 
In this example, the local IP network has an IP address of 10.100.50.128, with a subnet 
mask of 255.255.255.192. These values are just arbitrary examples. 
Note:
If you apply this filter to the Ethernet interface, the MAX unit drops IP packets it
receives from the local LAN, and you will not be able to Telnet to the unit.
Configure the first input filter, and select IP filter. The first filter specifies the source mask and 
address for the local network. If an incoming packet has the local address, the MAX unit drops 
it instead of forwarding it to the Ethernet, because Forward is set to No (the default).
Input Filters
In Filter 01
Valid=Yes
Type=IP
IP...
Src Mask=255.255.255.192
Src Adrs=10.100.50.128
Configure the second input filter, and select IP filter. The second filter specifies the loopback 
source address. If an incoming packet has the loopback address, the MAX unit drops it instead 
of forwarding it to the Ethernet, because Forward is set to No.
Input Filters...
In Filter=02
Valid=Yes
Type=IP
IP....
Forward=No
Src Mask=255.0.0.0
Src Adrs=127.0.0.0
Configure the third input filter, setting Type to IP filter and setting Forward to Yes. Except for 
Forward=Yes, the third filter uses all default values. Because Forward is set to Yes, the MAX 
unit forwards all remaining packets (those with nonlocal source addresses) to the Ethernet.
Input filters...
In filter=03
Type=IP
Valid=Yes
IP....
Forward=Yes
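
The following Python model of the three input filters is an added illustration, not part of the manual or of the MAX software. It assumes that filters are tried in order with the first match deciding, and that a filter matches when the source address ANDed with Src Mask equals Src Adrs; the sample source addresses and the MISORDERED list are constructed.

```python
import ipaddress

def ip(s):
    """Dotted-quad string to 32-bit integer."""
    return int(ipaddress.IPv4Address(s))

# (name, Src Mask, Src Adrs, Forward), in the order the section defines them.
FILTERS = [
    ("In filter 01", "255.255.255.192", "10.100.50.128", False),  # local network
    ("In filter 02", "255.0.0.0", "127.0.0.0", False),            # loopback
    ("In filter 03", "0.0.0.0", "0.0.0.0", True),                 # all remaining
]

# Constructed misconfiguration: the catch-all forward rule placed first.
MISORDERED = [FILTERS[2], FILTERS[0], FILTERS[1]]

def evaluate(src, filters=FILTERS):
    """Return (matching filter name, forwarded?) for a packet source address.

    Assumption: first matching filter wins; match is (src & mask) == (adrs & mask).
    """
    for name, mask, adrs, forward in filters:
        if ip(src) & ip(mask) == ip(adrs) & ip(mask):
            return name, forward
    # Not reached with the lists above, since the 0.0.0.0/0.0.0.0 filter
    # matches every source. Treating "no match" as a drop is an assumption.
    return None, False

# Constructed sample sources: inside the local /26, just outside it on both
# sides, loopback, and an unrelated remote address.
SAMPLES = [
    "10.100.50.130", "10.100.50.191",   # inside 10.100.50.128/26
    "10.100.50.127", "10.100.50.192",   # neighbours outside the /26
    "127.0.0.1",                        # loopback
    "198.51.100.7",                     # remote
]

def audit(filters=FILTERS):
    """Evaluate every sample source against a filter list."""
    return {src: evaluate(src, filters) for src in SAMPLES}

if __name__ == "__main__":
    for label, flist in (("as documented", FILTERS), ("misordered", MISORDERED)):
        print(label)
        for src, (name, fwd) in audit(flist).items():
            print(f"  {src:15} {name}  {'forward' if fwd else 'drop'}")
```

With the documented order, only sources in 10.100.50.128 through 10.100.50.191 and in 127.0.0.0/8 are dropped; with the catch-all filter first, every source is forwarded, including the spoofed local ones.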
