Filter organization – Lucent Technologies PortMaster User Manual

Configuring Filters

Overview of PortMaster Filtering

Filter Organization

Filters are stored in a filter table in the PortMaster nonvolatile configuration memory.
Filters can be created or modified at any time; the changes do not affect any currently
active use of the filter. Filter names must be between 1 and 15 characters.

Each packet filter can contain three sets of rules: IP, IPX, and SAP. Within each set, the
rules are numbered starting at one. A newly created packet filter contains zero rules in
each set, that is, an empty set of rules.

An empty set of rules is equivalent to a single permit rule: all packets are permitted. If a
filter contains one or more rules in a set, any packet not explicitly permitted by a rule is
denied at the end of the rule set.

Table 9-1 Filter Options (Continued)

Option: Restricting access based on source and destination address
Description: You can create filters that evaluate both the source and destination addresses of a packet against a rule list. The number of significant bits used in IP address comparisons can be set, allowing filtering by host, subnet, network number, or group of hosts whose addresses are within a given bit-aligned boundary.

Option: Restricting access to particular protocols
Description: Packets of certain protocols can be permitted or denied by a filter, including IPX, SAP, TCP, UDP, and ICMP packets.

Option: Restricting access to network services
Description: You can create filters that use the source and destination port numbers to control access to certain network services. The evaluation can be based upon whether the port number is less than, equal to, or greater than a specified value.

Option: Restricting access based on TCP status
Description: You can create filters that use the status of TCP connections as part of the rule set. This feature can allow network users to open connections to external networks without allowing external users access to the local network.
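As an added example that is not part of the manual, the following Python model applies the rule-set semantics described above and in Table 9-1: numbered rules tried in order, significant-bit address comparison, protocol and port tests, a TCP-status test, an empty set permitting everything, and a non-empty set ending in an implicit deny. The Rule and Packet classes, the use of the TCP ACK bit as a stand-in for "connection already open", and the 192.168.1.x addresses are assumptions made for this example, not PortMaster syntax or code.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
# Hypothetical model of PortMaster filter evaluation for this example, not the product's code.
@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    src: str = "0.0.0.0/0"            # address/significant bits; /0 matches any host
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None       # "tcp", "udp", "icmp", or None for any protocol
    dst_port: Optional[tuple] = None  # ("lt" | "eq" | "gt", port) or None for any port
    established: bool = False         # TCP status: match only packets of an open connection
@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: int = 0
    ack: bool = False                 # TCP ACK bit set: simplified "connection open" marker
def rule_matches(rule: Rule, pkt: Packet) -> bool:
    # Only the rule's significant bits are compared (strict=False keeps the host bits).
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src, strict=False):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst, strict=False):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None:
        op, value = rule.dst_port
        if not {"lt": pkt.dst_port < value, "eq": pkt.dst_port == value,
                "gt": pkt.dst_port > value}[op]:
            return False
    if rule.established and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True

def evaluate(rules: list, pkt: Packet) -> str:
    # Rules are tried in numbered order and the first match decides. An empty set
    # permits all; a non-empty set denies whatever no rule explicitly permitted.
    if not rules:
        return "permit"
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"

# Constructed inbound filter for an external link (sample addresses only): reply
# traffic of connections opened from inside, plus new SMTP connections to one host.
INBOUND = [
    Rule("permit", dst="192.168.1.0/24", proto="tcp", established=True),
    Rule("permit", dst="192.168.1.10/32", proto="tcp", dst_port=("eq", 25)),
]
```

With this filter, an inbound packet that is not part of a connection opened from the inside reaches the end of the set and is denied unless it is SMTP to the mail host.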