Netopia D3100-I IDSL Network Router User Manual


 
8-66 User’s Reference Guide
How individual filters work
As described above, a filter applies criteria to an IP packet and then takes one of three actions:
A filter’s actions
Passes the packet to the local or remote network
Blocks (discards) the packet
Ignores the packet
A filter passes or blocks a packet only if it finds a match after applying its criteria. When no match occurs, the
filter ignores the packet.
A filtering rule
The criteria are based on information contained in the packets. A filter is simply a rule that prescribes certain
actions based on certain conditions. For example, the following rule qualifies as a filter:
Block all Telnet attempts that originate from the remote host 199.211.211.17.
This rule applies to Telnet packets that come from a host with the IP address 199.211.211.17. If a match
occurs, the packet is blocked.
Here is what this rule looks like when implemented as a filter on the Netopia D-Series:
To understand this particular filter, look at the parts of an IP filter.
Parts of an IP filter
There are two types of filters and filter sets: IP filters and Generic filters. The following discussion applies only to
IP filters and filter sets.
An IP filter consists of criteria based on packet attributes. A typical IP filter can match a packet on any one of
the following attributes:
The source IP address (where the packet was sent from)
The destination IP address (where the packet is going)
The type of higher-layer Internet protocol the packet is carrying, such as TCP or UDP
Port numbers
An IP filter can also match a packet’s port number attributes. The filter can be configured to match the
following:
The source port number (the port on the sending host that originated the packet)
The destination port number (the port on the receiving host that the packet is destined for)
+-#--Source IP Addr--Dest IP Addr-----Proto-Src.Port-D.Port--On?-Fwd-+
+--------------------------------------------------------------------+
| 1  199.211.211.17  0.0.0.0          TCP            23      Yes No  |
+--------------------------------------------------------------------+
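
The matching behaviour described in this section, as an added Python example that is not from the Netopia manual or firmware: a filter passes or blocks only on a match and otherwise ignores the packet. The names Packet and IPFilter are hypothetical, and the model assumes that 0.0.0.0 and a blank port column mean "any", that a filter with On? set to No never matches, and that Fwd = No means block.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

PASS, BLOCK, IGNORE = "pass", "block", "ignore"
ANY = ip_address("0.0.0.0")  # assumption: 0.0.0.0 in a filter row means "any address"

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int

@dataclass(frozen=True)
class IPFilter:
    src_ip: str = "0.0.0.0"
    dst_ip: str = "0.0.0.0"
    proto: Optional[str] = None     # None = any protocol (assumption)
    src_port: Optional[int] = None  # None = blank column, any port (assumption)
    dst_port: Optional[int] = None
    enabled: bool = True            # the "On?" column
    forward: bool = False           # the "Fwd" column: Yes = pass, No = block

    @staticmethod
    def _addr_matches(wanted: str, actual: str) -> bool:
        return ip_address(wanted) in (ANY, ip_address(actual))

    def apply(self, pkt: Packet) -> str:
        matched = (
            self.enabled  # assumption: a filter that is off never matches
            and self._addr_matches(self.src_ip, pkt.src_ip)
            and self._addr_matches(self.dst_ip, pkt.dst_ip)
            and self.proto in (None, pkt.proto.upper())
            and self.src_port in (None, pkt.src_port)
            and self.dst_port in (None, pkt.dst_port)
        )
        return (PASS if self.forward else BLOCK) if matched else IGNORE  # no match: ignore

# Filter 1 from the table above: block Telnet (TCP port 23) from 199.211.211.17.
TELNET_FILTER = IPFilter(src_ip="199.211.211.17", proto="TCP", dst_port=23)
# Constructed sample packets; 192.0.2.x and 198.51.100.x are documentation addresses.
SAMPLES = [
    Packet("199.211.211.17", "192.0.2.10", "tcp", 40000, 23),  # Telnet from the host
    Packet("198.51.100.5", "192.0.2.10", "tcp", 40001, 23),    # Telnet, other source
    Packet("199.211.211.17", "192.0.2.10", "tcp", 40002, 80),  # same host, not Telnet
]
RESULTS = [TELNET_FILTER.apply(p) for p in SAMPLES]
```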