Parts of a packet filter, Other filter attributes, Design guidelines – ARRIS 2247-N8-10NA (v9.1.x) User Manual User Manual

Motorola 2247-N8 DSL Wi-Fi Gateway User Guide

Please visit www.motorola.com/us/support for FAQs and additional product documentation.

Parts of a packet filter

A packet filter consists of criteria based on packet attributes. A typical rule can match a packet on any of the following attributes:

• The source IP address (where the packet was sent from)
• The destination IP address (where the packet is going)
• The type of higher-layer Internet protocol the packet is carrying, such as TCP or UDP
• The port number of the session source or destination
• The packet's incoming or outgoing 2247-N8 interface (WAN or LAN)
• The source or destination MAC address
• Any TCP packet flags (e.g., ACK, URG)
• The ICMP type value of an ICMP packet

Each attribute can be used only once in a given rule. To filter on several values of the same attribute (several destination addresses, for example), create one packet filter rule per value.

Other filter attributes

There are three other attributes of each filter rule:

• The rule's order (i.e., priority) in the packet filter
• Whether the rule is currently active
• Whether the rule is set to pass packets or to block (discard) packets

Note: "Pass" rules are especially useful when you have created a Public Subnet and Allow Inbound Traffic is disabled. You can then selectively allow access to particular servers, or to particular services on those servers (by TCP/UDP port range).

Design guidelines

Careful thought must go into designing a new packet filter. You should consider the following guidelines:

• Be sure the packet filter's overall purpose is clear from the beginning. A vague purpose can lead to a faulty rule set, and a faulty rule set can actually make your network less secure.
• Be sure each individual rule's purpose is clear.
• Determine how rule priority will affect the set's actions: a broad rule placed early can prevent a more specific rule below it from ever matching. Test the set (on paper) by working out how the packet filter would respond to a number of different hypothetical packets.
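The attribute list, the pass/block and priority attributes, and the "test the set on paper" guideline above can be exercised with a small rule-set simulator. The Python below is an added example written for this page; it is not code from the 2247-N8 firmware or from Motorola/ARRIS. It assumes that the criteria inside one rule are combined with AND, that rules are walked in priority order with the first active match deciding, and that a packet matching no rule gets a default action (block here, standing in for a Public Subnet with Allow Inbound Traffic disabled). The rule names, addresses, MAC handling and sample packets are constructed for the example.

```python
"""Toy packet-filter simulator for checking a rule set against hypothetical
packets before it is deployed.  Added example, not the 2247-N8 firmware.
Assumed semantics: criteria within one rule are ANDed, rules are walked in
priority order, the first active match decides, and a default action applies
when nothing matches."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                               # "tcp", "udp" or "icmp"
    iface: str                               # "WAN" or "LAN": interface the packet arrives on
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    tcp_flags: FrozenSet[str] = frozenset()  # e.g. {"SYN"} or {"ACK"}
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One rule. Each attribute appears at most once, as on the gateway;
    None means the attribute is not part of the rule."""
    name: str
    action: str                              # "pass" or "block"
    active: bool = True
    src_ip: Optional[str] = None             # single address or CIDR, e.g. "198.51.100.0/24"
    dst_ip: Optional[str] = None
    proto: Optional[str] = None
    src_port: Optional[Tuple[int, int]] = None   # inclusive (low, high) range
    dst_port: Optional[Tuple[int, int]] = None
    iface: Optional[str] = None
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    tcp_flags: Optional[FrozenSet[str]] = None   # every listed flag must be set
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """True when every criterion set on this rule holds (assumed AND)."""
        def in_range(rng, val):
            return rng is None or (val is not None and rng[0] <= val <= rng[1])

        def same_mac(want, got):
            return want is None or (got or "").lower() == want.lower()

        return (
            (self.src_ip is None or ip_address(p.src_ip) in ip_network(self.src_ip, strict=False))
            and (self.dst_ip is None or ip_address(p.dst_ip) in ip_network(self.dst_ip, strict=False))
            and (self.proto is None or self.proto == p.proto)
            and in_range(self.src_port, p.src_port)
            and in_range(self.dst_port, p.dst_port)
            and (self.iface is None or self.iface == p.iface)
            and same_mac(self.src_mac, p.src_mac)
            and same_mac(self.dst_mac, p.dst_mac)
            and (self.tcp_flags is None or (p.proto == "tcp" and self.tcp_flags <= p.tcp_flags))
            and (self.icmp_type is None or (p.proto == "icmp" and self.icmp_type == p.icmp_type))
        )


def evaluate(rules: List[Rule], pkt: Packet, default: str = "block") -> Tuple[str, str]:
    """Walk rules in priority order; the first active matching rule decides.
    Returns (action, rule name), with "<default>" when no rule matched."""
    for rule in rules:
        if rule.active and rule.matches(pkt):
            return rule.action, rule.name
    return default, "<default>"


def simulate(rules: List[Rule], packets: Dict[str, Packet], default: str = "block"):
    """The 'test on paper' step: decide every hypothetical packet at once."""
    return {name: evaluate(rules, p, default) for name, p in packets.items()}


def shadowed_rules(rules: List[Rule], packets: Dict[str, Packet]) -> List[str]:
    """Active rules that some sample packet matches but that never decide it,
    because an earlier (higher-priority) rule already matched: the ordering
    problem the design guidelines warn about."""
    out = []
    for i, rule in enumerate(rules):
        if not rule.active:
            continue
        for p in packets.values():
            if rule.matches(p) and any(e.active and e.matches(p) for e in rules[:i]):
                out.append(rule.name)
                break
    return out


# Constructed scenario: a public web server in a Public Subnet behind the
# gateway with Allow Inbound Traffic disabled (modelled as default "block").
WEB = "203.0.113.10"
RULES = [
    Rule("allow-https", "pass", iface="WAN", proto="tcp", dst_ip=WEB, dst_port=(443, 443)),
    Rule("allow-ping", "pass", iface="WAN", proto="icmp", dst_ip=WEB, icmp_type=8),
    Rule("drop-telnet", "block", proto="tcp", dst_port=(23, 23), active=False),  # present but inactive
]
# Same rules with a broad block rule mistakenly placed first: it shadows both pass rules.
BAD_ORDER = [Rule("block-all-wan", "block", iface="WAN")] + RULES

SAMPLE_PACKETS = {  # constructed hypothetical packets arriving on the WAN side
    "https-in": Packet("198.51.100.7", WEB, "tcp", "WAN", 51000, 443, tcp_flags=frozenset({"SYN"})),
    "ssh-in": Packet("198.51.100.7", WEB, "tcp", "WAN", 51001, 22, tcp_flags=frozenset({"SYN"})),
    "ping-in": Packet("198.51.100.7", WEB, "icmp", "WAN", icmp_type=8),
    "telnet-in": Packet("198.51.100.7", WEB, "tcp", "WAN", 51002, 23),
}

if __name__ == "__main__":
    for label, rules in (("intended order", RULES), ("bad order", BAD_ORDER)):
        print(label, simulate(rules, SAMPLE_PACKETS), "shadowed:", shadowed_rules(rules, SAMPLE_PACKETS))
```

Running it shows the intended order passing only HTTPS and echo requests to the server and blocking everything else by default, while the bad order blocks the HTTPS packet under "block-all-wan" and reports both pass rules as shadowed, which is exactly the kind of priority mistake a paper walk-through with a few hypothetical packets is meant to catch.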