Filter options – Lucent Technologies PortMaster User Manual


Overview of PortMaster Filtering

9-2

PortMaster Configuration Guide

You use Ethernet filters to constrain the types of packets allowed to pass through the
local Ethernet port. You can also set filters on asynchronous ports configured for
hardwired operation when the security of the connection to another network is a concern.

The packet filtering process analyzes the header information contained in each packet
sent or received through a network interface. The header information is evaluated
against a set of rules that either allow the packet to pass through the interface or cause
the packet to be discarded.

A maximum of 256 filter rules per filter is allowed for the PortMaster 3 and IRX. For
other PortMaster products, the maximum number of filter rules allowed is 100. The
PortMaster generates an error message when the number of filter rules exceeds the
limit.

If a packet is discarded by a filter, an appropriate “ICMP unreachable” message is
returned to the source address. This message provides immediate feedback to the user
attempting the unauthorized access. Packets permitted or denied can optionally be
logged to a host.

Filters can also be used for packet selection—for example, you can use a packet trace
filter to do troubleshooting. The packets permitted by the ptrace filter are displayed,
while packets not permitted by the filter are not displayed. For more information about
the ptrace facility, see the PortMaster Troubleshooting Guide.

Filter Options

Table 9-1 shows different filter options.

Table 9-1  Filter Options

Option                      Description

Restricting packet traffic  Each user, location entry, and network hardwired port
                            can be assigned both an input packet filter and an
                            output packet filter. Having both input and output
                            filters can decrease the number of rules needed and
                            can provide better tuning of your security policy.
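The following is an added example, not PortMaster code or configuration syntax. It models the filtering process described above (header fields checked against an ordered rule set, a rule limit of 256 on the PortMaster 3 and IRX and 100 elsewhere, an ICMP unreachable returned to the source of a discarded packet, optional logging of matched packets) together with the per-interface input and output filters from Table 9-1. Two things the page does not state are assumed here: that the first matching rule decides, and that a packet matching no rule is discarded. Interface names, addresses and the sample packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Rule limits quoted in the text: 256 per filter on the PortMaster 3 and IRX,
# 100 on other PortMaster products.
RULE_LIMITS = {"PortMaster 3": 256, "IRX": 256}
DEFAULT_RULE_LIMIT = 100


@dataclass
class Packet:
    """The header fields a rule looks at (constructed, simplified)."""
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str                # "permit" or "deny"
    src: str = "0.0.0.0/0"     # CIDR; the default matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    log: bool = False          # optional logging of packets this rule matches

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


class Filter:
    def __init__(self, name: str, model: str = "PortMaster 2"):
        self.name = name
        self.limit = RULE_LIMITS.get(model, DEFAULT_RULE_LIMIT)
        self.rules: List[Rule] = []

    def add_rule(self, rule: Rule) -> None:
        # The PortMaster reports an error once the rule count exceeds the limit.
        if len(self.rules) >= self.limit:
            raise ValueError(f"{self.name}: rule limit of {self.limit} exceeded")
        self.rules.append(rule)

    def evaluate(self, pkt: Packet, log: List[str]) -> bool:
        """First matching rule decides (assumption); no match means discard."""
        for n, rule in enumerate(self.rules, 1):
            if rule.matches(pkt):
                if rule.log:
                    log.append(f"{self.name} rule {n}: {rule.action} "
                               f"{pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
                return rule.action == "permit"
        return False


class Interface:
    """An interface may carry an input filter and an output filter."""
    def __init__(self, name: str, input_filter: Optional[Filter] = None,
                 output_filter: Optional[Filter] = None):
        self.name = name
        self.input_filter = input_filter
        self.output_filter = output_filter

    def process(self, pkt: Packet, direction: str,
                log: List[str]) -> Tuple[str, Optional[str]]:
        """Return ("pass", None) or ("discard", <ICMP unreachable target>)."""
        flt = self.input_filter if direction == "in" else self.output_filter
        if flt is None or flt.evaluate(pkt, log):
            return ("pass", None)
        # A discarded packet triggers an ICMP unreachable back to its source.
        return ("discard", pkt.src)


def build_demo_interface() -> Interface:
    inbound = Filter("in.ether0")
    inbound.add_rule(Rule("permit", dst="192.168.1.10/32", proto="tcp", dport=25, log=True))
    inbound.add_rule(Rule("deny", src="10.0.0.0/8", log=True))
    inbound.add_rule(Rule("permit"))
    outbound = Filter("out.ether0")
    outbound.add_rule(Rule("deny", proto="udp", dport=69))   # no TFTP outbound
    outbound.add_rule(Rule("permit"))
    return Interface("ether0", inbound, outbound)


def run_demo():
    iface = build_demo_interface()
    log: List[str] = []
    results = {
        "mail_in": iface.process(Packet("10.1.1.5", "192.168.1.10", "tcp", 25), "in", log),
        "telnet_in": iface.process(Packet("10.1.1.5", "192.168.1.20", "tcp", 23), "in", log),
        "dns_in": iface.process(Packet("172.16.0.1", "192.168.1.20", "udp", 53), "in", log),
        "tftp_out": iface.process(Packet("192.168.1.20", "172.16.0.9", "udp", 69), "out", log),
    }
    return results, log


if __name__ == "__main__":
    results, log = run_demo()
    for name, (verdict, icmp_to) in results.items():
        print(f"{name:10} {verdict:8} ICMP unreachable -> {icmp_to}")
    print("\n".join(log))
```

Splitting the policy into an input filter and an output filter, as the table suggests, keeps each rule set short: the inbound set only has to describe what may reach the local network, and the outbound set only what may leave it, instead of one set trying to express both.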
