Parts of a packet filter, Other filter attributes, Design guidelines – ARRIS 2247-N8-10NA (v9.1.x) User Manual
Page 90

Motorola 2247-N8 DSL Wi-Fi Gateway User Guide
Please visit
www.motorola.com/us/support
for FAQs and additional product documentation.
Parts of a packet filter
A packet filter consists of criteria based on packet attributes. A typical filter can match a packet on any one of the following attributes:
The source IP address (where the packet was sent from)
The destination IP address (where the packet is going)
The type of higher-layer Internet protocol the packet is carrying, such as TCP or UDP
The port number of the session source or destination
The packet’s incoming or outgoing 2247-N8 interface (WAN or LAN)
The source or destination MAC address
Any TCP packet flags (e.g., ACK, URG)
The ICMP type value of an ICMP packet
Once a match attribute is selected, it cannot be added again to the same rule; filtering on variations of the same attribute (multiple destination addresses, for example) requires creating multiple packet filter rules.
Other filter attributes
There are three other attributes to each filter:
The rule’s order (i.e., priority) in the packet filter
Whether the rule is currently active
Whether the rule is set to pass packets or to block (discard) packets.
Note:
“Pass” rules are especially useful when you have created a Public Subnet and Allow Inbound Traffic is disabled. You can selectively allow access
to particular servers, or particular services on those servers (by TCP/UDP port range).
Design guidelines
Careful thought must go into designing a new packet filter. You should consider the following guidelines:
Be sure the packet filter’s overall purpose is clear from the beginning. A vague purpose can lead to a faulty set, and that can actually make your network less secure.
Be sure each individual rule’s purpose is clear.
Determine how rule priority will affect the set’s actions. Test the set (on paper) by determining how the packet filters would respond to a number of different hypothetical packets.
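The following is an added example, not part of the manual and not the gateway's own firmware or configuration syntax. It models the rule attributes listed under "Parts of a packet filter" and "Other filter attributes" (priority, active flag, pass/block action, one occurrence of each match attribute per rule) as a small first-match evaluator, and then does the "test on paper" that the design guidelines recommend: a rule set for a public-subnet web server with Allow Inbound Traffic disabled (modelled as a default of block) is run against constructed hypothetical packets, and one rule is re-prioritised to show how ordering changes the result. All addresses, rule names and field names are constructed assumptions.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

PortRange = Tuple[int, int]  # inclusive port range


@dataclass
class Rule:
    """One packet filter rule; each match attribute appears at most once (None = not used)."""
    priority: int                     # rule order: lower number is checked first
    action: str                       # "pass" or "block"
    name: str = ""
    active: bool = True               # inactive rules are skipped during evaluation
    src_ip: Optional[str] = None      # CIDR, e.g. "203.0.113.0/24"
    dst_ip: Optional[str] = None
    protocol: Optional[str] = None    # "tcp", "udp" or "icmp"
    src_port: Optional[PortRange] = None
    dst_port: Optional[PortRange] = None
    interface: Optional[str] = None   # interface the packet arrives on: "wan" or "lan"
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    tcp_flags: Optional[FrozenSet[str]] = None  # every listed flag must be set
    icmp_type: Optional[int] = None


@dataclass
class Packet:
    """A hypothetical packet used for testing the rule set on paper (constructed values)."""
    src_ip: str
    dst_ip: str
    protocol: str
    interface: str
    src_port: int = 0
    dst_port: int = 0
    src_mac: str = ""
    dst_mac: str = ""
    tcp_flags: FrozenSet[str] = frozenset()
    icmp_type: Optional[int] = None


def _port_ok(rng: Optional[PortRange], port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every attribute the rule specifies agrees with the packet."""
    if rule.src_ip and ip_address(pkt.src_ip) not in ip_network(rule.src_ip, strict=False):
        return False
    if rule.dst_ip and ip_address(pkt.dst_ip) not in ip_network(rule.dst_ip, strict=False):
        return False
    if rule.protocol and rule.protocol != pkt.protocol:
        return False
    if rule.interface and rule.interface != pkt.interface:
        return False
    if not _port_ok(rule.src_port, pkt.src_port) or not _port_ok(rule.dst_port, pkt.dst_port):
        return False
    if rule.src_mac and rule.src_mac.lower() != pkt.src_mac.lower():
        return False
    if rule.dst_mac and rule.dst_mac.lower() != pkt.dst_mac.lower():
        return False
    if rule.tcp_flags is not None and not rule.tcp_flags <= pkt.tcp_flags:
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "block") -> Tuple[str, str]:
    """First active rule (in priority order) that matches decides; otherwise the default applies.
    default="block" models a Public Subnet with Allow Inbound Traffic disabled."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.active and matches(rule, pkt):
            return rule.action, rule.name
    return default, "default"


def reprioritize(rules: List[Rule], name: str, priority: int) -> List[Rule]:
    """Copy of the rule set with one rule moved to a new priority (for the on-paper ordering test)."""
    return [replace(r, priority=priority) if r.name == name else r for r in rules]


SERVER = "203.0.113.10"   # constructed public-subnet web server (TEST-NET-3)
MIRROR = "203.0.113.11"   # constructed second host whose rule is currently switched off

RULES = [
    Rule(1,  "pass",  "lan-any", interface="lan"),
    Rule(5,  "block", "syn-fin-sanity", interface="wan", protocol="tcp", tcp_flags=frozenset({"SYN", "FIN"})),
    Rule(10, "block", "no-ssh-from-wan", interface="wan", protocol="tcp", dst_port=(22, 22)),
    Rule(20, "pass",  "server-tcp", interface="wan", protocol="tcp", dst_ip=SERVER + "/32"),  # broad pass
    Rule(30, "pass",  "echo-reply-in", interface="wan", protocol="icmp", icmp_type=0),
    Rule(40, "pass",  "ftp-mirror", active=False, interface="wan", protocol="tcp", dst_ip=MIRROR + "/32", dst_port=(21, 21)),
]


def on_paper() -> dict:
    """Run constructed hypothetical packets through the set, as the design guidelines suggest."""
    wan = "198.51.100.7"  # constructed remote address (TEST-NET-2)
    probes = {
        "https-to-server":   Packet(wan, SERVER, "tcp", "wan", 51000, 443, tcp_flags=frozenset({"SYN"})),
        "ssh-to-server":     Packet(wan, SERVER, "tcp", "wan", 51001, 22, tcp_flags=frozenset({"SYN"})),
        "syn-fin-malformed": Packet(wan, SERVER, "tcp", "wan", 51002, 443, tcp_flags=frozenset({"SYN", "FIN"})),
        "ping-reply":        Packet(wan, SERVER, "icmp", "wan", icmp_type=0),
        "ping-request":      Packet(wan, SERVER, "icmp", "wan", icmp_type=8),
        "ftp-to-mirror":     Packet(wan, MIRROR, "tcp", "wan", 51003, 21),
        "lan-to-server":     Packet("192.168.1.20", SERVER, "tcp", "lan", 51004, 22),
    }
    return {name: evaluate(RULES, pkt) for name, pkt in probes.items()}


def ssh_after_reorder() -> Tuple[str, str]:
    """Move the narrow SSH block below the broad server pass: the same SSH packet is now passed."""
    reordered = reprioritize(RULES, "no-ssh-from-wan", 25)
    return evaluate(reordered, Packet("198.51.100.7", SERVER, "tcp", "wan", 51001, 22))


if __name__ == "__main__":
    for name, (action, rule) in on_paper().items():
        print(f"{name:18} -> {action:5} ({rule})")
    print("ssh after reorder ->", ssh_after_reorder())
```

The two results worth noting are the SSH probes: with the block rule at priority 10 it wins over the broad "server-tcp" pass rule, but moving it to priority 25 silently lets the same packet through, which is exactly the ordering effect the guidelines ask you to work out before deploying a set. The inactive "ftp-mirror" rule and the echo-request probe both fall through to the default block, illustrating that with inbound traffic disabled only an explicit, active pass rule admits anything.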