Packet Filters 8-7
Rule Number
This is a number from 1 up to the highest previously set rule number plus
one. For example, if a packet filter currently has four rules, the
new rule can be any number between 1 and 5. Note that if an
existing rule number is specified, the existing rule is replaced by the new rule.
If no parameters are specified for the rule, that rule is deleted.
Permit or Deny
This is a required parameter that indicates whether packets
meeting the specified criteria should be forwarded (permit) or
discarded (deny).
If a packet does not match any of a filter’s rules, the NETServer
denies the packet. The NETServer takes this “if in doubt,
discard” approach to packet filtering because in many cases it’s
impossible to explicitly deny every possible intrusion into your
network. Even if you managed to create such a filter, it would
be out of date tomorrow. The accepted method of filter creation
is to:
1. Explicitly permit the services which are absolutely necessary.
Limit the permission in every way you can (for example, by
source, destination, protocol, and port).
2. Let everything else be denied by the default action.
3. See who yelps. Go to step 1.
However, if you want to create a filter that permits everything
not specifically denied, add the following lines to the end of the
filter. A permit rule with no criteria matches every packet, so it
must carry the highest rule number; any deny rules must be
numbered before it:
set filter <filter name> <rule #> permit
set ipxfilter <filter name> <rule#> permit
set sapfilter <filter name> <rule #> permit
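The following is an added example, not NETServer code or text from the manual. It models the rule-table and default-deny semantics described above (rule numbers from 1 to the highest existing number plus one, replacement of an existing number, deletion when no parameters are given, implicit deny when nothing matches) and checks the effect of both the recommended "permit only what is necessary" method and the trailing unconditional permit on constructed sample packets. Two things are assumptions rather than statements of this page: rules are tested in ascending number order and the first match decides, and the match criteria used here (protocol and destination port) stand in for the real rule options, which the manual documents under TCP/IP and IPX packet filtering.

```python
# Added example: a model of the NETServer packet-filter rule semantics on this
# page. Not the device's own code; criteria names are illustrative stand-ins.

class PacketFilter:
    """One named filter: a sparse table of numbered permit/deny rules."""

    def __init__(self, name):
        self.name = name
        self.rules = {}  # rule number -> (action, criteria dict)

    def allowed_numbers(self):
        """Rule numbers the CLI would accept right now: 1 .. highest + 1."""
        return list(range(1, max(self.rules, default=0) + 2))

    def set_rule(self, number, action=None, **criteria):
        """Mirror 'set filter <name> <rule #> [permit|deny] [options]'.

        Reusing an existing number replaces that rule; giving no
        parameters at all deletes it.
        """
        if number not in self.allowed_numbers():
            raise ValueError(
                f"rule # must be one of {self.allowed_numbers()} for {self.name}")
        if action is None:
            if criteria:
                raise ValueError("permit or deny is required when options are given")
            self.rules.pop(number, None)  # no parameters: delete the rule
            return
        if action not in ("permit", "deny"):
            raise ValueError("action must be 'permit' or 'deny'")
        self.rules[number] = (action, criteria)

    def evaluate(self, packet):
        """Return 'permit' or 'deny' for a packet given as a dict of fields.

        Assumption: rules are checked in number order, first match wins.
        """
        for number in sorted(self.rules):
            action, criteria = self.rules[number]
            if all(packet.get(field) == value for field, value in criteria.items()):
                return action
        return "deny"  # nothing matched: "if in doubt, discard"


# Constructed sample packets (not captured traffic).
SMTP = {"proto": "tcp", "dport": 25}
HTTP = {"proto": "tcp", "dport": 80}
TELNET = {"proto": "tcp", "dport": 23}


def restrictive_filter():
    """Steps 1 and 2 of the recommended method: permit only what is needed."""
    f = PacketFilter("inbound")
    f.set_rule(1, "permit", proto="tcp", dport=25)
    f.set_rule(2, "permit", proto="tcp", dport=80)
    return f


def permissive_filter():
    """The same rules plus the trailing 'set filter inbound 3 permit'."""
    f = restrictive_filter()
    f.set_rule(3, "permit")  # no criteria: matches everything, so it goes last
    return f


def verdicts(f):
    """Evaluate the three sample packets against a filter."""
    return {name: f.evaluate(pkt)
            for name, pkt in (("smtp", SMTP), ("http", HTTP), ("telnet", TELNET))}


if __name__ == "__main__":
    print("restrictive:", verdicts(restrictive_filter()))
    print("permissive: ", verdicts(permissive_filter()))
    f = restrictive_filter()
    f.set_rule(2, "deny", proto="tcp", dport=80)  # rule 2 is replaced, not appended
    print("after replacing rule 2:", verdicts(f))
    f.set_rule(2)                                 # no parameters: rule 2 is deleted
    print("after deleting rule 2:", verdicts(f), "rules left:", sorted(f.rules))
```

With the restrictive filter, the telnet packet is discarded although no rule mentions it; with the trailing unconditional permit it is forwarded, which is exactly the difference between the two filter styles described above. Running the block also shows that writing rule 2 again replaces the old rule 2 rather than adding a new one, and that setting rule 2 with no parameters removes it.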
Options
Available rule options differ depending on what kind of rule
you are defining. For details, see TCP/IP packet filtering and IPX
packet filtering, below.