Rule to allow authentication queries, Rule to allow networks full access, Restrictive internet filter – Lucent Technologies PortMaster User Manual

Configuring Filters

9-13

Example Filters

Rule to Allow Authentication Queries

To allow authentication queries used by some mailers and FTP servers, add the following
rule to your input filter:

Command> set filter filtername RuleNumber permit tcp dst eq 113

For more information about these types of queries, refer to RFC 1413.

Rule to Allow Networks Full Access

To allow some other network to have complete access to your network, add the
following rule. In the example below, 172.16.12.0 is granted full access to
192.168.1.0/24:

Command> set filter filtername RuleNumber permit 172.16.12.0/24 192.168.1.0/24

Caution – Beware of associative trust. If you allow a network complete access to your
network, you might unknowingly allow other networks complete access, as well. Any
network that can access a network having complete access privileges to your network,
also has access to your network. For example, if Network 1 trusts Network 2 and
Network 2 trusts Network 3, then Network 1 trusts Network 3.

Restrictive Internet Filter

This example filter allows any kind of outgoing connection from the server, but blocks
all incoming traffic to any host but your designated Internet server. This filter also limits
incoming traffic on your Internet server to: SMTP, Network News Transfer Protocol
(NNTP), DNS, FTP, and ICMP services.

Note – Even if you have the latest versions of the daemons ftpd, httpd, and sendmail
you may be vulnerable to attacks through these services. Check the latest CERT
Coordination Center advisories, available on ftp.cert.org, for the vulnerabilities of these
services.

!

✍