Lucent Technologies PortMaster User Manual


Example Filters


PortMaster Configuration Guide

If you use the following example, replace 10.0.0.3 (the Internet server, which in
this example also answers DNS) with the IP address or hostname of your own Internet
server, and 192.168.1.0/24 with your own internal network:

Command> set filter restrict.in 1 deny 192.168.1.0/24 0.0.0.0/0 log
Command> set filter restrict.in 2 permit 0.0.0.0/0 10.0.0.3/32 tcp estab
Command> set filter restrict.in 3 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 21
Command> set filter restrict.in 4 permit 0.0.0.0/0 10.0.0.3/32 tcp src eq 20 dst gt 1023
Command> set filter restrict.in 5 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 119
Command> set filter restrict.in 6 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 25
Command> set filter restrict.in 7 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 80
Command> set filter restrict.in 8 permit 0.0.0.0/0 10.0.0.3/32 udp dst eq 53
Command> set filter restrict.in 9 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 53
Command> set filter restrict.in 10 permit 0.0.0.0/0 10.0.0.3/32 icmp

Table 9-4 describes, line by line, each rule in the filter.

Rules are evaluated in order and the first match decides; a packet that matches no
rule is dropped, but that drop is not logged. To log all packets that are denied,
add the following catch-all rule as the last rule of your filter:

Command> set filter filtername RuleNumber deny log

Table 9-4  Description of Restrictive Internet Filter

Rule  Description

1.    Denies any incoming packet whose source address is in your own network
      (192.168.1.0/24) and logs it. A packet arriving from the Internet side
      with an internal source address is spoofed, which is why this rule comes
      first.

2.    Permits packets of established TCP connections to 10.0.0.3 (the Internet
      server). The filter keeps no connection table; estab is decided from the
      TCP flags of each packet, so this rule is what lets replies to connections
      the server itself opens come back in.

3.    Permits FTP control connections (TCP port 21) from any IP address to
      10.0.0.3 (the server).

4.    Permits the FTP data back channel: an active-mode data connection from a
      remote FTP server's port 20 to a port above 1023 on 10.0.0.3. Only the
      source port is checked, so any sender that sets its source port to 20 can
      reach every port above 1023 on the server.

5.    Permits incoming NNTP (news, TCP port 119) to 10.0.0.3 (the Internet server).

6.    Permits incoming SMTP (mail, TCP port 25) to 10.0.0.3 (the Internet server).

7.    Permits HTTP requests (TCP port 80) to 10.0.0.3 (the Internet server).

8.    Permits DNS queries (UDP port 53) to 10.0.0.3 (the Internet server).

9.    Permits DNS over TCP (port 53) to 10.0.0.3 (the Internet server), which is
      what other name servers use to pull zone transfers from it.

10.   Permits all ICMP to 10.0.0.3 (the Internet server). You can further limit
      ICMP to types 0 (echo reply), 3 (destination unreachable), 8 (echo
      request), and 11 (time exceeded) by using four rules instead of one.
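The following is an added example, not ComOS code or text from the PortMaster guide: a small Python model of the ordered, stateless filter above. It parses the "set filter" lines exactly as listed (plus the optional bare "deny log" catch-all), then evaluates constructed sample packets against them with first-match semantics and an implicit deny. The meaning of estab (a TCP packet with the ACK bit set) is an assumption of the model, and the 203.0.113.0/24 addresses are the documentation range, used here as stand-ins for Internet hosts. Running it shows the spoof rule firing, a telnet SYN falling through to the implicit deny, an ACK reply being admitted by rule 2, and the rule 4 weakness noted in Table 9-4: a probe with source port 20 reaches a high port on the server.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example, not ComOS code: a model of ordered, stateless packet-filter rules
# in the "set filter" syntax of this chapter, used to check what restrict.in admits.

FILTER_TEXT = """
set filter restrict.in 1 deny 192.168.1.0/24 0.0.0.0/0 log
set filter restrict.in 2 permit 0.0.0.0/0 10.0.0.3/32 tcp estab
set filter restrict.in 3 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 21
set filter restrict.in 4 permit 0.0.0.0/0 10.0.0.3/32 tcp src eq 20 dst gt 1023
set filter restrict.in 5 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 119
set filter restrict.in 6 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 25
set filter restrict.in 7 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 80
set filter restrict.in 8 permit 0.0.0.0/0 10.0.0.3/32 udp dst eq 53
set filter restrict.in 9 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 53
set filter restrict.in 10 permit 0.0.0.0/0 10.0.0.3/32 icmp
"""

PORT_OPS = {"eq": lambda a, b: a == b, "ne": lambda a, b: a != b,
            "lt": lambda a, b: a < b, "gt": lambda a, b: a > b}

@dataclass
class Rule:
    number: int
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None      # tcp / udp / icmp / None = any protocol
    estab: bool = False              # assumption: matches TCP packets with ACK set
    src_port: Optional[Tuple] = None # (compare-function, port) from "src OP PORT"
    dst_port: Optional[Tuple] = None # (compare-function, port) from "dst OP PORT"
    log: bool = False

@dataclass
class Packet:                        # the header fields the filter can see
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0
    ack: bool = False

def parse_rule(line: str) -> Rule:
    # set filter NAME N ACTION [SRC DST] [tcp|udp|icmp] [estab] [src OP P] [dst OP P] [log]
    tok = line.split()
    number, action, rest = int(tok[3]), tok[4], tok[5:]
    if len(rest) >= 2 and "/" in rest[0]:
        src, dst = ipaddress.ip_network(rest[0]), ipaddress.ip_network(rest[1])
        rest = rest[2:]
    else:                            # bare "deny log" catch-all: any source, any destination
        src = dst = ipaddress.ip_network("0.0.0.0/0")
    rule = Rule(number, action, src, dst)
    tokens = iter(rest)
    for t in tokens:
        if t in ("tcp", "udp", "icmp"):
            rule.proto = t
        elif t in ("estab", "log"):
            setattr(rule, t, True)
        elif t in ("src", "dst"):    # "src eq 20": a KeyError here means an unknown operator
            setattr(rule, t + "_port", (PORT_OPS[next(tokens)], int(next(tokens))))
        else:
            raise ValueError(f"unexpected token {t!r} in rule {number}")
    return rule

def parse_filter(text: str):
    return [parse_rule(line) for line in text.strip().splitlines()]

def matches(rule: Rule, pkt: Packet) -> bool:
    if ipaddress.ip_address(pkt.src) not in rule.src or ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if (rule.proto and rule.proto != pkt.proto) or (rule.estab and not pkt.ack):
        return False
    for spec, port in ((rule.src_port, pkt.sport), (rule.dst_port, pkt.dport)):
        if spec and not spec[0](port, spec[1]):
            return False
    return True

def evaluate(rules, pkt: Packet):
    """First matching rule wins; a packet that matches no rule is dropped (implicit deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.number
    return "deny", None

if __name__ == "__main__":
    rules = parse_filter(FILTER_TEXT)
    samples = {                      # constructed packets; 203.0.113.0/24 is a documentation range
        "spoofed internal source, to SMTP": Packet("192.168.1.7", "10.0.0.3", "tcp", 40000, 25),
        "telnet SYN from the Internet": Packet("203.0.113.5", "10.0.0.3", "tcp", 40001, 23),
        "ACK reply to a connection the server opened": Packet("203.0.113.9", "10.0.0.3", "tcp", 80, 4000, ack=True),
        "source-port-20 probe of a high port": Packet("203.0.113.66", "10.0.0.3", "tcp", 20, 8080),
    }
    for label, pkt in samples.items():
        print(f"{label:44} -> {evaluate(rules, pkt)}")
```

Appending a parsed "set filter restrict.in 11 deny log" line to the rule list turns the silent implicit deny into a logged match on rule 11, which is the quickest way to see, before loading a filter on the PortMaster, which of your expected traffic would fall through.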
