Nortel Networks WEB OS 212777 User Manual
Page 350
Web OS 10.0 Application Guide
350
n
Chapter 13: Firewall Load Balancing
212777-A, February 2002
You could add the filters required for the DMZ (to each Web switch) as follows:
1.
On the dirty-side Web switch, create the filter to allow HTTP traffic to reach the DMZ
Web servers.
In this example, the DMZ Web servers use IP addresses 205.178.29.0/24.
2.
Create another filter to deny all other traffic to the DMZ Web servers.
N
OTE
–
The deny filter has a higher filter number than the allow filter. This is necessary so
that the allow filter has the higher order of precedence.
3.
Add the filters to the traffic ingress ports.
4.
Apply and save the configuration changes.
>> # /cfg/slb/filt 80
(Select filter 80)
>> Filter 80# sip any
(From any source IP address)
>> Filter 80# dip 205.178.29.0
(To the DMZ base destination)
>> Filter 80# dmask 255.255.255.0
(For the range of DMZ addresses)
>> Filter 80# proto tcp
(For TCP protocol traffic)
>> Filter 80# sport any
(From any source port)
>> Filter 80# dport http
(To an HTTP destination port)
>> Filter 80# action allow
(Allow the traffic)
>> Filter 80# ena
(Enable the filter)
>> Filter 80# ../filt 89
(Select filter 89)
>> Filter 89# sip any
(From any source IP address)
>> Filter 89# dip 205.178.29.0
(To the DMZ base destination)
>> Filter 89# dmask 255.255.255.0
(For the range of DMZ addresses)
>> Filter 89# proto any
(For TCP protocol traffic)
>> Filter 89# action deny
(Allow the traffic)
>> Filter 89# ena
(Enable the filter)
>> Filter 89# ../port 1
(Select the ingress port)
>> SLB Port 1# add 80
(Add the allow filter)
>> SLB Port 1# add 89
(Add the deny filter)
>> SLB Port 1# apply
>> SLB Port 1# save