3Com 812 Network Router User Manual


 
6-32 CHAPTER 6: MANUAL SETUP
IP:
1 ACCEPT src-addr = 192.77.200.203/16;
999 DENY;
The following rule example rejects IP packets with the source address 144.133.20.1.
IP:
1 REJECT src-addr = 144.133.20.1;
The following rule example allows forwarding of only IP packets with source
address 192.77.100.32 and destination address 201.128.11.34:
IP:
1 AND src-addr = 192.77.100.32;
2 ACCEPT dst-addr = 201.128.11.34;
999 DENY;
IP Source and Destination Port Filtering Using CLI
You can also filter against UDP and TCP ports. The following rule example rejects
IP packets with a TCP destination port number of 80.
IP:
1 REJECT tcp_dst_port = 80;
IP Protocol Filtering Using CLI
Filtering can be done on protocol as well. The protocols that can be filtered are
UDP, TCP and ICMP. The following rule example rejects TCP packets.
IP:
1 REJECT protocol = TCP;
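Added example, not part of the 3Com manual or the router's firmware: a Python model of how the IP rules shown above could be evaluated against a packet, useful for checking a rule set before loading it. It assumes rules are checked in numeric order with the first match deciding, that AND joins its condition to the following rule, and that /16 is a prefix length; the function names and packet dictionaries are hypothetical.

```python
import ipaddress
import re

RULE_RE = re.compile(
    r"^(\d+)\s+(ACCEPT|REJECT|DENY|AND)(?:\s+([\w-]+)\s*=\s*(\S+?))?\s*;$")

def parse_rules(text):
    """Parse the lines under an 'IP:' header into (number, action, field, value)."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        rules.append((int(m[1]), m[2], m[3], m[4]))
    return sorted(rules, key=lambda r: r[0])

def condition_matches(field, value, pkt):
    if field is None:  # a bare "999 DENY;" has no condition and matches everything
        return True
    if field in ("src-addr", "dst-addr"):
        net = ipaddress.ip_network(value, strict=False)  # assumption: "/16" is a prefix length
        return ipaddress.ip_address(pkt[field]) in net
    if field == "tcp_dst_port":
        return pkt.get("protocol") == "TCP" and pkt.get("tcp_dst_port") == int(value)
    if field == "protocol":
        return pkt.get("protocol") == value
    raise ValueError(f"unsupported field: {field}")

def evaluate(rules, pkt):
    """Return the action of the first matching rule, or NO-MATCH (assumed model)."""
    chain_ok = True
    for _num, action, field, value in rules:
        hit = condition_matches(field, value, pkt)
        if action == "AND":  # assumption: AND joins its condition to the next rule
            chain_ok = chain_ok and hit
            continue
        if chain_ok and hit:
            return action
        chain_ok = True  # a failed chain ends here; the next rule starts fresh
    return "NO-MATCH"

# The manual's source-and-destination example; the packet below is constructed.
AND_RULES = parse_rules("""
1 AND src-addr = 192.77.100.32;
2 ACCEPT dst-addr = 201.128.11.34;
999 DENY;
""")

if __name__ == "__main__":
    print(evaluate(AND_RULES, {"src-addr": "192.77.100.32", "dst-addr": "10.0.0.1"}))
```

A rule set without a final 999 DENY returns NO-MATCH for traffic that no rule names; what the router does with such packets is not stated in this section, so the model leaves that decision to the caller.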
IP RIP Packet Filtering Using CLI
Routing Information Protocol (RIP) packets are used to identify all attached
networks as well as the number of router hops required to reach them. The
responses are used to update a router's routing table.
If the router is listening for or broadcasting RIP messages, you should allow them
to pass in the appropriate direction(s). You define IP RIP filtering rules in the IP-RIP
protocol section of the filter file.
For example, if you want to filter all routes except the one specified by the IP
network address 195.12.254.45, you would create this rule:
IP-RIP:
1 ACCEPT network = 195.12.254.45;
999 DENY;
This filter only allows the route 195.12.254.45 into the route table. All other
routes are rejected.
Spurious RIP messages can disrupt your routing tables. If you are listening for RIP
messages on a given interface, you may wish to consider filtering out RIP updates
from untrusted networks.