Lucent Technologies PortMaster Network Router User Manual

Providing Network Filtering
16-10 PortMaster Configuration Guide
Your connection to the Internet can be vulnerable to attack from other Internet users. Therefore, Lucent recommends that you add an input filter to the location isp1 for the continuous dial-out connection. For a hardwired connection, you should attach an input filter to the hardwired port.
Note – This section describes an example filter that might not protect your network from all forms of attack. For more information about filters, refer to “Additional References” in the preface and Chapter 9, “Configuring Filters.” Refer to the ChoiceNet Administrator’s Guide and the RADIUS Administrator’s Guide for more information on network security.
The filter named internet.in contains the following rules:
deny 192.168.200.0/24 0.0.0.0/0 log
permit tcp estab
permit 0.0.0.0/0 mail.edu.com/32 tcp dst eq 25
permit 0.0.0.0/0 ftp.edu.com/32 tcp dst eq 21
permit 0.0.0.0/0 www.edu.com/32 tcp dst eq 80
permit tcp src eq 20 dst gt 1023
permit udp dst eq 53
permit tcp dst eq 53
permit icmp
If you have not configured a name server for the PortMaster, use IP addresses instead of hostnames when creating filters.
Table 16-6 provides a line-by-line description of the filter.
Table 16-6  Description of Internet Filter
Rule  Description
1.  Denies any incoming packets claiming to be from your own network (192.168.200.0). This rule blocks IP spoofing attacks and logs the spoofing attempt.
2.  Permits already established TCP connections.
3.  Permits SMTP connections to the mail server mail.edu.com.
4.  Permits FTP connections to the host ftp.edu.com.
5.  Permits WWW HTTP connections to the Web server www.edu.com.
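To check how the internet.in rules behave before loading them on a PortMaster, here is an added Python model of the rule list (example code written for this page, not from the Lucent guide or the PortMaster software): it parses the rules above and evaluates sample packets against them. It assumes the filter semantics described in the table, first matching rule decides and anything unmatched is dropped, and it uses constructed addresses for mail.edu.com, ftp.edu.com and www.edu.com.

```python
from ipaddress import ip_address, ip_network

HOSTS = {"mail.edu.com": "192.168.200.10",    # constructed addresses standing in
         "ftp.edu.com": "192.168.200.11",     # for the hostnames in the guide's
         "www.edu.com": "192.168.200.12"}     # rules (use real ones on a PortMaster)
RULES = """deny 192.168.200.0/24 0.0.0.0/0 log
permit tcp estab
permit 0.0.0.0/0 mail.edu.com/32 tcp dst eq 25
permit 0.0.0.0/0 ftp.edu.com/32 tcp dst eq 21
permit 0.0.0.0/0 www.edu.com/32 tcp dst eq 80
permit tcp src eq 20 dst gt 1023
permit udp dst eq 53
permit tcp dst eq 53
permit icmp""".splitlines()
def _net(tok):                               # "host/len" -> network object
    host, _, plen = tok.partition("/")
    return ip_network(f"{HOSTS.get(host, host)}/{plen}", strict=False)
def parse_rule(line):
    """Turn one internet.in rule line into a dict of match conditions."""
    toks = line.split()
    rule = {"action": toks.pop(0), "log": False, "estab": False, "src": None,
            "dst": None, "proto": None, "srcport": None, "dstport": None}
    if toks and "/" in toks[0]:              # optional "source destination" pair
        rule["src"], rule["dst"] = _net(toks.pop(0)), _net(toks.pop(0))
    if toks and toks[0] in ("tcp", "udp", "icmp"):
        rule["proto"] = toks.pop(0)
    while toks:
        t = toks.pop(0)
        if t in ("src", "dst"):              # port test: src|dst eq|gt <port>
            rule[t + "port"] = (toks.pop(0), int(toks.pop(0)))
        else:
            rule[t] = True                   # bare keyword: "estab" or "log"
    return rule
def _port_ok(test, port):                    # ICMP packets carry no port numbers
    return test is None or (port is not None and
                            (port == test[1] if test[0] == "eq" else port > test[1]))
def matches(r, pkt):
    """pkt: dict(src, dst, proto, sport, dport, estab); estab = TCP ACK bit set."""
    return ((r["src"] is None or ip_address(pkt["src"]) in r["src"])
            and (r["dst"] is None or ip_address(pkt["dst"]) in r["dst"])
            and (r["proto"] is None or r["proto"] == pkt["proto"])
            and (not r["estab"] or pkt.get("estab", False))
            and _port_ok(r["srcport"], pkt.get("sport"))
            and _port_ok(r["dstport"], pkt.get("dport")))
def evaluate(pkt, rules=RULES):
    """First matching rule decides; unmatched packets fall to the implicit deny."""
    for no, r in enumerate(map(parse_rule, rules), 1):
        if matches(r, pkt):
            return (r["action"], no, r["log"])
    return ("deny", 0, False)
```

Running evaluate shows a packet claiming a 192.168.200.0/24 source hitting the logged deny of rule 1, an unsolicited connection to port 23 on www.edu.com falling through to the implicit deny, and a new TCP connection from source port 20 to any port above 1023 being admitted by rule 6, which is one reason the Note above says this example filter may not stop every form of attack.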