
Netopia D3232 IDSL User Manual

Page 89


Security 8-89

The following example further illustrates filter rule chaining, different sized masks and the full 8 bytes of the
Value field.

Create a filter set designed to block telnet access from a given external node (the example below uses
176.163.52.18) to a given internal node (176.163.107.254).

The filter rule summary (input) should look like this:

Filter #1 checks that the IHL has a size of 5. This is a useful security check to verify that a potential hacker has
not padded the packet with options that would then throw off the following filter rule checks on bytes further
into the packet.

Filter #2 checks the incoming packet is IP.

Filter #3 checks that the packet is using TCP.

Filter #4 simultaneously checks the source IP address is 176.163.52.18 (= B0A33412 in hex) and the
destination IP address is 176.163.107.254 (= B0A3B0FE in hex).

Filter #5 checks the TCP port address is telnet (= 23 decimal = 17 hex).

Note: This filter set is presented only to illustrate how Generic filtering works. You are strongly advised to
actually use IP filters to block IP only traffic.

+-#----Value-------------Mask--------------Offst-Compare--Chain---On?-Fwd-+
+-------------------------------------------------------------------------+
| 1    0500000000000000  0F00000000000000  14    =        No      Yes No  |
| 2    0800000000000000  FFFF000000000000  12    =        Yes     Yes     |
| 3    0600000000000000  FF00000000000000  23    =        Yes     Yes     |
| 4    B0A33412B0A3B0FE  FFFFFFFFFFFFFFFF  26    =        Yes     Yes     |
| 5    0017000000000000  FFFF000000000000  36    =        No      Yes No  |
|                                                                         |
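As an added example (not from the manual), here is a small Python model of the generic rule engine above, run over constructed Ethernet/IPv4/TCP frames; it assumes that a chained rule which matches hands off to the next rule, that a rule which fails ends its chain, that the Fwd field of the rule ending a matched chain decides, and that a packet no rule decides on is forwarded. Encoding the destination from its dotted quad gives B0A36BFE for 176.163.107.254 (the table's B0A3B0FE is the encoding of 176.163.176.254), so the example derives the address bytes rather than copying them.

```python
import struct
from dataclasses import dataclass

@dataclass
class Rule:
    value: bytes    # compared after masking; up to 8 bytes, as in the Value column
    mask: bytes
    offset: int     # byte offset from the start of the Ethernet frame
    chain: bool     # True: the packet must also match the next rule
    forward: bool   # decision when this rule ends a matched chain (or stands alone)
    equal: bool = True  # False models the "not equal" compare
def ip_hex(dotted):
    """Encode a dotted quad as the 8 hex digits the Value field expects."""
    return bytes(int(o) for o in dotted.split(".")).hex().upper()
def filter_frame(rules, frame, default_forward=True):
    """Return True to forward, False to discard (assumed semantics, see lead-in)."""
    i = 0
    while i < len(rules):
        r = rules[i]
        window = frame[r.offset:r.offset + len(r.value)].ljust(len(r.value), b"\0")
        masked = bytes(w & m for w, m in zip(window, r.mask))
        want = bytes(v & m for v, m in zip(r.value, r.mask))
        matched = (masked == want) == r.equal
        if matched and r.chain:
            i += 1                  # matched a link: continue down the chain
        elif matched:
            return r.forward        # matched a standalone rule or the end of a chain
        else:
            while i < len(rules) and rules[i].chain:
                i += 1              # failed inside a chain: skip to the chain's end
            i += 1
    return default_forward

def rule(value_hex, mask_hex, offset, chain, forward):
    return Rule(bytes.fromhex(value_hex), bytes.fromhex(mask_hex), offset, chain, forward)
# Rules 2-5 of the manual's telnet-blocking chain; the address bytes are derived, not copied.
TELNET_CHAIN = [
    rule("0800000000000000", "FFFF000000000000", 12, chain=True, forward=True),    # EtherType = IP
    rule("0600000000000000", "FF00000000000000", 23, chain=True, forward=True),    # IP protocol = TCP
    rule(ip_hex("176.163.52.18") + ip_hex("176.163.107.254"), "FF" * 8, 26, True, True),  # src+dst
    rule("0017000000000000", "FFFF000000000000", 36, chain=False, forward=False),  # TCP dst port 23
]

def make_frame(src, dst, dport, proto=6):
    """Constructed sample frame: Ethernet + options-free IPv4 (IHL=5) + TCP, checksums left zero."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", 1025, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp
```

A telnet SYN for the named pair is discarded, while the same flow to port 80, a different source, or a UDP datagram falls through the chain and is forwarded.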
