Input Filter for an Internet Connection – Lucent Technologies PortMaster User Manual

Example Filters

9-10

PortMaster Configuration Guide

Input Filter for an Internet Connection

The filter in this example is designed as an input filter for a network hardwired port that
connects to the Internet. You can use this filter for a dial-on-demand connection by
attaching it to the location entry.

The rules for the filter are set as follows:

Command> set filter internet.in 1 deny 192.168.1.0/24 0.0.0.0/0 log
Command> set filter internet.in 2 permit tcp estab
Command> set filter internet.in 3 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 25
Command> set filter internet.in 4 permit 0.0.0.0/0 172.16.0.4/32 tcp dst eq 21
Command> set filter internet.in 5 permit 0.0.0.0/0 192.168.0.5/32 tcp dst eq 80
Command> set filter internet.in 6 permit tcp src eq 20 dst gt 1023
Command> set filter internet.in 7 permit udp dst eq 53
Command> set filter internet.in 8 permit tcp dst eq 53
Command> set filter internet.in 9 permit icmp

Table 9-3 describes, line by line, each rule in the filter.

Table 9-3    Description of Internet Filter

Rule   Description

1.     Denies any incoming packets from the Internet claiming to be from—or
       spoofing—your own network (192.168.1.0). This rule blocks IP spoofing
       attacks. This rule also logs the header information in the spoofing
       packets to syslog.

2.     Permits already established TCP connections that originated from your
       network—packets with the ACK bit set.

3.     Permits SMTP connections to 10.0.0.3 (the mail server).

4.     Permits FTP connections to host 172.16.0.4.

5.     Permits Hypertext Transfer Protocol (HTTP) access to host 192.168.0.5.

6.     Permits an FTP data channel.

7.     Permits DNS.

8.     Permits DNS zone transfers. (You can write this rule to allow only
       connections to your name servers.)
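As an added illustration that is not part of the PortMaster guide, the following Python models how this input filter is applied: rules are tried in numeric order, the first match decides, and a packet that matches no rule is dropped (an assumed implicit deny). Packets are plain dicts with src, dst, proto and, for TCP/UDP, sport, dport and ack; the sample packets and the RULE_LINES copy of the filter are constructed here.

```python
import ipaddress
# Constructed copy of the page's internet.in rules (rule 5 with addresses before the protocol).
RULE_LINES = """1 deny 192.168.1.0/24 0.0.0.0/0 log
2 permit tcp estab
3 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 25
4 permit 0.0.0.0/0 172.16.0.4/32 tcp dst eq 21
5 permit 0.0.0.0/0 192.168.0.5/32 tcp dst eq 80
6 permit tcp src eq 20 dst gt 1023
7 permit udp dst eq 53
8 permit tcp dst eq 53
9 permit icmp""".splitlines()

def parse_rule(line):
    num, action, *rest = line.split()
    rule = {"num": int(num), "action": action, "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
            "proto": None, "ports": [], "estab": False, "log": False}   # defaults mean "any"
    if rest and "/" in rest[0]:                 # src/mask dst/mask given
        rule["src"], rule["dst"], rest = rest[0], rest[1], rest[2:]
    while rest:
        t, rest = rest[0], rest[1:]
        if t in ("tcp", "udp", "icmp"):
            rule["proto"] = t
        elif t in ("src", "dst"):               # port test: src|dst eq|gt N
            rule["ports"].append((t, rest[0], int(rest[1])))
            rest = rest[2:]
        elif t in ("estab", "log"):
            rule[t] = True
        else:
            raise ValueError(f"unknown token {t!r} in rule {rule['num']}")
    return rule

RULES = [parse_rule(l) for l in RULE_LINES]

def matches(rule, pkt):
    for side in ("src", "dst"):
        if ipaddress.ip_address(pkt[side]) not in ipaddress.ip_network(rule[side]):
            return False
    if (rule["proto"] and rule["proto"] != pkt["proto"]) or (rule["estab"] and not pkt.get("ack")):
        return False                            # estab = ACK bit set
    for side, op, port in rule["ports"]:
        p = pkt.get("sport" if side == "src" else "dport")
        if p is None or (op == "eq" and p != port) or (op == "gt" and p <= port):
            return False
    return True

def evaluate(pkt, rules=RULES):
    for r in rules:                             # tried in order; first match decides
        if matches(r, pkt):
            return r["action"], r["num"], r["log"]   # (action, rule number, logged)
    return "deny", None, False                  # no match: dropped (assumed implicit deny)
```

Note that a new SMTP connection to any host other than 10.0.0.3 falls through all nine rules and is dropped, which is the intended effect of the ordering.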
