Providing Network Filtering (16-10) – Lucent Technologies PortMaster Configuration Guide

Providing Network Filtering

Your connection to the Internet can be vulnerable to attack from other Internet users.
Therefore, Lucent recommends that you add an input filter to the location isp1 for the
continuous dial-out connection. For a hardwired connection, you should attach an
input filter to the hardwired port.

Note – This section describes an example filter that might not protect your network from all forms of attack. For more information about filters, refer to “Additional References” in the preface and Chapter 9, “Configuring Filters.” Refer to the ChoiceNet Administrator’s Guide and the RADIUS Administrator’s Guide for more information on network security.

The filter named internet.in contains the following rules:

deny 192.168.200.0/24 0.0.0.0/0 log
permit tcp estab
permit 0.0.0.0/0 mail.edu.com/32 tcp dst eq 25
permit 0.0.0.0/0 ftp.edu.com/32 tcp dst eq 21
permit 0.0.0.0/0 www.edu.com/32 tcp dst eq 80
permit tcp src eq 20 dst gt 1023
permit udp dst eq 53
permit tcp dst eq 53
permit icmp

If you have not configured a name server for the PortMaster, use IP addresses instead of
hostnames when creating filters.
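To see how the PortMaster applies these rules (in order, first match wins, and a packet that matches no rule is dropped by the implicit deny at the end of the filter), here is an added Python simulation that encodes internet.in and evaluates constructed packets against it. It is not code from the manual; the addresses standing in for mail.edu.com, ftp.edu.com and www.edu.com are assumptions, and the estab keyword is modelled as the TCP ACK flag being set.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses standing in for the manual's hostnames (an assumption).
MAIL, FTP, WWW = "192.168.200.10/32", "192.168.200.11/32", "192.168.200.12/32"
ANY = "0.0.0.0/0"

@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False   # ACK set: modelled here as "established" (assumption)

def eq(n): return lambda p: p == n
def gt(n): return lambda p: p > n

# internet.in, one tuple per rule, in the order the PortMaster evaluates them:
# (action, source, destination, protocol, sport test, dport test, estab, log)
RULES = [
    ("deny",   "192.168.200.0/24", ANY,  None,   None,   None,     False, True),
    ("permit", ANY,                ANY,  "tcp",  None,   None,     True,  False),
    ("permit", ANY,                MAIL, "tcp",  None,   eq(25),   False, False),
    ("permit", ANY,                FTP,  "tcp",  None,   eq(21),   False, False),
    ("permit", ANY,                WWW,  "tcp",  None,   eq(80),   False, False),
    ("permit", ANY,                ANY,  "tcp",  eq(20), gt(1023), False, False),
    ("permit", ANY,                ANY,  "udp",  None,   eq(53),   False, False),
    ("permit", ANY,                ANY,  "tcp",  None,   eq(53),   False, False),
    ("permit", ANY,                ANY,  "icmp", None,   None,     False, False),
]

def evaluate(pkt):
    """First-match evaluation; a packet matching no rule hits the implicit deny (rule 0)."""
    for num, (action, src, dst, proto, sport, dport, estab, log) in enumerate(RULES, 1):
        if (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dst)
                and (proto is None or pkt.proto == proto)
                and (not estab or pkt.ack)
                and (sport is None or sport(pkt.sport))
                and (dport is None or dport(pkt.dport))):
            return action, num, log
    return "deny", 0, False

if __name__ == "__main__":
    # Constructed sample: an inbound packet claiming to come from the inside network.
    spoofed = Packet("192.168.200.5", "192.168.200.10", "tcp", 40000, 25)
    print(evaluate(spoofed))  # ('deny', 1, True)
```

Swapping the destination of an otherwise valid SMTP packet from the mail server to the web server shows the implicit deny at work: no permit rule matches, so the result is rule 0.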

Table 16-6 provides a line-by-line description of the filter.

Table 16-6  Description of Internet Filter

Rule  Description

1.    Denies any incoming packets claiming to be from your own network
      (192.168.200.0). This rule blocks IP spoofing attacks and logs the
      spoofing attempt.

2.    Permits already established TCP connections.

3.    Permits SMTP connections to the mail server mail.edu.com.

4.    Permits FTP connections to the host ftp.edu.com.

5.    Permits WWW HTTP connections to the Web server www.edu.com.
