How individual filters work – Netopia D3232 IDSL User Manual
8-66 User’s Reference Guide
How individual filters work
As described above, a filter applies criteria to an IP packet and then takes one of three actions:
A filter's actions
■
Passes the packet to the local or remote network
■
Blocks (discards) the packet
■
Ignores the packet
A filter passes or blocks a packet only if it finds a match after applying its criteria. When no match occurs, the
filter ignores the packet.
A filtering rule
The criteria are based on information contained in the packets. A filter is simply a rule that prescribes certain
actions based on certain conditions. For example, the following rule qualifies as a filter:
Block all Telnet attempts that originate from the remote host 199.211.211.17.
This rule applies to Telnet packets that come from a host with the IP address 199.211.211.17. If a match
occurs, the packet is blocked.
Here is what this rule looks like when implemented as a filter on the Netopia D-Series (the filter-set display for this
rule is reproduced at the end of this section). To understand this particular filter, look at the parts of an IP filter.
Parts of an IP filter
There are two types of filters and filter sets: IP filters and Generic filters. The following discussion applies only to
IP filters and filter sets.
An IP filter consists of criteria based on packet attributes. A typical IP filter can match a packet on one or more of
the following attributes (the example filter at the end of this section combines several of them):
■
The source IP address (where the packet was sent from)
■
The destination IP address (where the packet is going)
■
The type of higher-layer Internet protocol the packet is carrying, such as TCP or UDP
Port numbers
An IP filter can also match a packet's port number attributes. The filter can be configured to match the
following:
■
The source port number (the port on the sending host that originated the packet)
■
The destination port number (the port on the receiving host that the packet is destined for)
The rule "Block all Telnet attempts that originate from the remote host 199.211.211.17" as it appears in the
filter-set display. The destination address 0.0.0.0 and the blank source-port field match any value, so only the
source address, the protocol (TCP) and the destination port (23, Telnet) are tested; Fwd = No means a matching
packet is blocked.
+-#--Source IP Addr--Dest IP Addr-----Proto-Src.Port-D.Port--On?-Fwd-+
+--------------------------------------------------------------------+
| 1  199.211.211.17  0.0.0.0          TCP            23      Yes  No  |
+--------------------------------------------------------------------+
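The following is an added example, not code from the manual or from Netopia, that models the filter evaluation described above (the five matching attributes, the wildcard convention of 0.0.0.0 and blank fields, and the three outcomes pass / block / ignore) and applies it to the Telnet rule from this section. The Packet and IPFilter classes, the sample packets and the fall-through default of the evaluate() function are all assumptions made for illustration; the manual page does not state what happens to a packet that no filter in a set matches, so that default is a parameter here.

```python
"""Model of Netopia-style IP filter evaluation (added example, not vendor code).

A filter tests source/destination address, protocol and source/destination
port.  A field left as None is a wildcard, standing in for the display's
0.0.0.0 address and blank port.  A match yields "pass" or "block"; no match
yields "ignore", so the packet falls through to the next filter in the set.
"""
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard: 0.0.0.0 for addresses, blank for ports/protocol


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                      # "TCP", "UDP", ...
    src_port: Optional[int] = None  # None for protocols without ports
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class IPFilter:
    src_ip: Optional[str] = ANY
    dst_ip: Optional[str] = ANY
    proto: Optional[str] = ANY
    src_port: Optional[int] = ANY
    dst_port: Optional[int] = ANY
    forward: bool = False   # the "Fwd" column: True = pass, False = block
    enabled: bool = True    # the "On?" column (assumption: Off behaves as no match)

    def matches(self, pkt: Packet) -> bool:
        """Every non-wildcard criterion must agree with the packet."""
        checks = [
            (self.src_ip, pkt.src_ip),
            (self.dst_ip, pkt.dst_ip),
            (self.proto, pkt.proto),
            (self.src_port, pkt.src_port),
            (self.dst_port, pkt.dst_port),
        ]
        return all(want is ANY or want == got for want, got in checks)

    def action(self, pkt: Packet) -> str:
        """One of the three outcomes described in the manual."""
        if not self.enabled or not self.matches(pkt):
            return "ignore"
        return "pass" if self.forward else "block"


def evaluate(filters, pkt: Packet, default: str = "pass") -> str:
    """Walk the filter set in order; the first filter that does not ignore the
    packet decides.  The default for an unmatched packet is an assumption of
    this example, not something the manual page specifies."""
    for f in filters:
        verdict = f.action(pkt)
        if verdict != "ignore":
            return verdict
    return default


# The page's example: block Telnet (TCP, destination port 23) from
# 199.211.211.17 to any destination.  Dest IP and source port are wildcards.
BLOCK_TELNET_FROM_HOST = IPFilter(src_ip="199.211.211.17", proto="TCP",
                                  dst_port=23, forward=False)

# Constructed sample packets (not captured traffic).
TELNET_FROM_HOST = Packet("199.211.211.17", "10.0.0.5", "TCP", 40001, 23)
HTTP_FROM_HOST = Packet("199.211.211.17", "10.0.0.5", "TCP", 40002, 80)
TELNET_FROM_OTHER = Packet("199.211.211.18", "10.0.0.5", "TCP", 40003, 23)
UDP_23_FROM_HOST = Packet("199.211.211.17", "10.0.0.5", "UDP", 40004, 23)

# Caveat: a rule keyed on *source* port 23 does not stop Telnet clients,
# because the client end of the connection uses an ephemeral source port.
WRONG_TELNET_RULE = IPFilter(src_ip="199.211.211.17", proto="TCP", src_port=23)


def demo() -> dict:
    """Apply the page's filter to each sample packet."""
    return {
        "telnet_from_host": BLOCK_TELNET_FROM_HOST.action(TELNET_FROM_HOST),
        "http_from_host": BLOCK_TELNET_FROM_HOST.action(HTTP_FROM_HOST),
        "telnet_from_other": BLOCK_TELNET_FROM_HOST.action(TELNET_FROM_OTHER),
        "udp_23_from_host": BLOCK_TELNET_FROM_HOST.action(UDP_23_FROM_HOST),
        "wrong_rule_on_telnet": WRONG_TELNET_RULE.action(TELNET_FROM_HOST),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Only the first packet is blocked; the other three are ignored because one criterion (destination port, source address, or protocol) differs, which is exactly the "no match" case the section describes. The last entry shows why the destination port, not the source port, is the right field for a rule about a well-known service. Note also that a filter keyed on a source address gives no protection against a sender that forges that address; it is a policy tool, not proof of origin.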