Lucent Technologies 6000 Network Router User Manual
Defining Static Filters
Defining IP filters
MAX 6000/3000 Network Configuration Guide 15-15
Examples of an IP filter to prevent local address spoofing
IP address spoofing typically occurs when a remote device illegally acquires a local address
and uses it to try to break through a data filter. This section presents an example of a data filter
that prevents IP address spoofing.
The sample filter first defines two input filters that drop packets whose source address is on the
local IP network or is the loopback address (127.0.0.0). With these specifications, the MAX
drops an inbound packet with one of these source addresses. The third input filter accepts all
remaining source addresses (by specifying a source address of 0.0.0.0) and forwards them to
the local network.
In this example, the local IP network has an IP address of 10.100.50.128, with a subnet
mask of 255.255.255.192. These values are just arbitrary examples.
Note: If you apply this filter to the Ethernet interface, the MAX unit drops IP packets it
receives from the local LAN, and you will not be able to Telnet to the unit.
Configure the first input filter, and select IP filter. The first filter specifies the source mask and
address for the local network. If an incoming packet has the local address, the MAX unit drops
it instead of forwarding it to the Ethernet, because Forward is set to No (the default).
Input Filters...
In Filter=01
Valid=Yes
Type=IP
IP...
Forward=No
Src Mask=255.255.255.192
Src Adrs=10.100.50.128
Configure the second input filter, and select IP filter. The second filter specifies the loopback
source address. If an incoming packet has the loopback address, the MAX unit drops it instead
of forwarding it to the Ethernet, because Forward is set to No.
Input Filters...
In Filter=02
Valid=Yes
Type=IP
IP...
Forward=No
Src Mask=255.0.0.0
Src Adrs=127.0.0.0
Configure the third input filter, setting Type to IP filter and setting Forward to Yes. Except for
Forward=Yes, the third filter uses all default values. Because Forward is set to Yes, the MAX
unit forwards all remaining packets (those with nonlocal source addresses) to the Ethernet.
Input Filters...
In Filter=03
Valid=Yes
Type=IP
IP...
Forward=Yes
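The three-filter rule set above can be checked offline before it is applied. The following Python model is an added example, not part of the Lucent manual; it assumes that input filters are evaluated in order, that the first filter whose Src Mask/Src Adrs match decides the packet, and that a packet matching no filter is dropped. The sample source addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List


@dataclass
class IpFilter:
    """One 'In Filter' entry of Type=IP, limited to the fields used on this page."""
    number: int
    src_mask: str
    src_adrs: str
    forward: bool = False       # Forward=No is the MAX default
    valid: bool = True


def matches(flt: IpFilter, src: str) -> bool:
    """Src Adrs matches when the packet source agrees with it under Src Mask.
    Src Mask=0.0.0.0 therefore matches every source address."""
    mask = int(IPv4Address(flt.src_mask))
    return int(IPv4Address(src)) & mask == int(IPv4Address(flt.src_adrs)) & mask


def decide(filters: List[IpFilter], src: str) -> str:
    """Return 'forward' or 'drop' for a packet with source address src.
    Assumption: first matching valid filter wins; no match means drop."""
    for flt in filters:
        if flt.valid and matches(flt, src):
            return "forward" if flt.forward else "drop"
    return "drop"


# The anti-spoofing filters from this section; local network 10.100.50.128/26.
ANTI_SPOOF = [
    IpFilter(1, "255.255.255.192", "10.100.50.128"),   # local network, Forward=No
    IpFilter(2, "255.0.0.0", "127.0.0.0"),             # loopback, Forward=No
    IpFilter(3, "0.0.0.0", "0.0.0.0", forward=True),   # everything else, Forward=Yes
]


def check_rules(filters: List[IpFilter]) -> Dict[str, str]:
    """Evaluate constructed sample sources: two inside the local /26, one
    loopback, one just outside the /26, and one unrelated remote address."""
    samples = ["10.100.50.130", "10.100.50.191", "127.0.0.1",
               "10.100.50.1", "192.0.2.44"]
    return {src: decide(filters, src) for src in samples}


if __name__ == "__main__":
    for src, verdict in check_rules(ANTI_SPOOF).items():
        print(f"{src:>15} -> {verdict}")
```

Reordering the list so that filter 03 comes first forwards everything, which is why the catch-all must stay last; the same model also shows why the Note applies: any LAN host's packets evaluated against filter 01 are dropped.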