Netopia R5300 Network Router User Manual


 
Security 13-33
and a packet goes through these rules destined for FTP, the packet would forward through the first rule (WWW),
go through the second rule (FTP), and match this rule; the packet is allowed through.
If you had this filter set for example....
Allow WWW access;
Allow FTP access;
Deny FTP access;
Deny all other packets.
and a packet goes through these rules destined for FTP, the packet would forward through the first filter rule
(WWW), match the second rule (FTP), and the packet is allowed through. Even though the next rule is to deny all
FTP traffic, the FTP packet will never make it to this rule.
BB
BB
ii
ii
nn
nn
aa
aa
rr
rr
yy
yy
rr
rr
ee
ee
pp
pp
rr
rr
ee
ee
ss
ss
ee
ee
nn
nn
tt
tt
aa
aa
tt
tt
ii
ii
oo
oo
nn
nn
It is easiest when doing filtering to convert the IP address and mask in question to binary. This will allow you to
perform the logical AND to determine whether a packet matches a filter rule.
LL
LL
oo
oo
gg
gg
ii
ii
cc
cc
aa
aa
ll
ll
AA
AA
NN
NN
DD
DD
ff
ff
uu
uu
nn
nn
cc
cc
tt
tt
ii
ii
oo
oo
nn
nn
When a packet is compared (in most cases) a logical AND function is performed. First the IP addresses and
subnet masks are converted to binary and then combined with AND. The rules for the logical use of AND are as
follows:
0 AND 0 = 0
0 AND 1 = 0
1 AND 0 = 0
1 AND 1 = 1
For example:
Filter rule:
Deny
IP: 163.176.1.15BINARY: 10100011.10110000.00000001.00001111
Mask: 255.255.255.255BINARY:11111111.11111111.11111111.11111111
Incoming Packet:
IP 163.176.1.15BINARY: 10100011.10110000.00000001.00001111
If you put the incoming packet and subnet mask together with AND, the result is:
10100011.10110000.00000001.00001111
which matches the IP address in the filter rule and the packet is denied.