
Eicon Networks 1550 User Manual

Page 69


Security


However, the moment you create one filter, a new default is used that drops all traffic,
as shown below.

This situation will usually require that you create at least one filter before the last filter.
The new filter would forward legitimate traffic; all other traffic would be dropped by the
last filter.

For example, if you wanted to bar all incoming and outgoing web traffic, but allow all
other traffic, the filter stack would resemble the following:

1. Drop all packets from anywhere using the web protocol.

2. Forward all packets from anywhere using any protocol.

3. Drop all packets using any protocol (default last filter).

When a packet goes through the filter stack, the Eicon 1550/1551 would first check if
the packet is using the web protocol. If so, the packet is dropped. If not, the next filter is
applied, which essentially forwards anything. The third filter is never reached, because
the second filter catches all other traffic.

This type of filter stack is called an ‘anything but’ stack, as it lets all traffic through with
specific exceptions. The opposite of this is a ‘nothing but’ stack, which allows packets
from specific networks or protocols, but drops everything else. This type of stack is
much more restrictive, and in this case, the second filter (‘Forward all packets...’) is not
necessary.
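As an added illustration (not code from the Eicon manual), the following Python model walks a filter stack the way the text describes: the first matching filter decides, an empty stack forwards everything, and once at least one filter exists the implicit "drop all" last filter catches whatever nothing else matched. It assumes that "the web protocol" means TCP port 80 and that the 213.112.12.0 network is a /24; the filter attributes and sample packets are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Filter:
    action: str                    # "forward" or "drop"
    source: str = "0.0.0.0/0"      # packets "from anywhere" when left at the default
    protocol: str = "any"          # "any", "tcp" or "udp"
    port: Optional[int] = None     # matches either end of the connection; None = any port

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.source)
                and self.protocol in ("any", pkt["proto"])
                and self.port in (None, pkt["sport"], pkt["dport"]))

def evaluate(stack: List[Filter], pkt: dict) -> Tuple[str, Optional[int]]:
    """Walk the stack top-down; the first matching filter decides.
    No filters at all: everything is forwarded (index None).
    One or more filters: whatever nothing matched hits the implicit
    'drop all' last filter, reported as index len(stack)."""
    if not stack:
        return "forward", None
    for index, flt in enumerate(stack):
        if flt.matches(pkt):
            return flt.action, index
    return "drop", len(stack)

# Assumptions: "the web protocol" = TCP/80, and the 213.112.12.0 network is a /24.
WEB_PORT = 80
NETWORK = "213.112.12.0/24"

# 'Anything but' stacks: specific drop filters, then a filter that forwards everything else.
ANYTHING_BUT_WEB = [Filter("drop", protocol="tcp", port=WEB_PORT), Filter("forward")]
ANYTHING_BUT_NETWORK = [Filter("drop", source=NETWORK), Filter("forward")]
# 'Nothing but' stack: forward only the named network; the implicit last filter drops the rest.
NOTHING_BUT_NETWORK = [Filter("forward", source=NETWORK)]

# Constructed sample packets (not captured traffic).
WEB_FROM_OUTSIDE = {"src": "198.51.100.9", "proto": "tcp", "sport": 40000, "dport": 80}
SSH_FROM_OUTSIDE = {"src": "198.51.100.9", "proto": "tcp", "sport": 40001, "dport": 22}
SSH_FROM_NETWORK = {"src": "213.112.12.7", "proto": "tcp", "sport": 40002, "dport": 22}

if __name__ == "__main__":
    for name, stack in [("anything but web", ANYTHING_BUT_WEB),
                        ("anything but network", ANYTHING_BUT_NETWORK),
                        ("nothing but network", NOTHING_BUT_NETWORK)]:
        for pkt in (WEB_FROM_OUTSIDE, SSH_FROM_OUTSIDE, SSH_FROM_NETWORK):
            print(name, pkt["src"], pkt["dport"], evaluate(stack, pkt))
```

In the 'anything but' stacks the returned index is never len(stack), which is the text's point that the default last filter is never reached there; in the 'nothing but' stack it is the index reported for every packet from outside the named network.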

See Example: Dropping incoming traffic from a specific network and Example: Allowing incoming traffic only from a specific network on page 70 for more examples.

Example: Dropping incoming traffic from a specific network

This example defines a filter to make sure that no traffic is accepted from a specific
network. Assume the network has the IP address 213.112.12.0.

(Figure: New default filter)