Examples – Avaya 38DHB0002UKDD User Manual
The Configuration Tree Functions
Firewall Configuration - Page 61
Match Data: The value that the Match Mask calculation (below) must produce for
the filter to match. Note that the system pads the field with zeroes.
Match Mask: This is a byte pattern that is logically ANDed with the data filtered 
from the packet. The result is compared against the contents of the Match Data 
field. 
Direction: This is the direction in which a session may be started if the filter finds 
a match: 
– Drop - no session permitted
– In - allow new sessions to be started from outside the local subnet only
– Out - allow sessions to be started only from the local subnet
– Bothway - allow sessions either way. 
Note that the Monitor program can be used to identify which packets are being 
blocked by the Firewall. 
Examples
Note: All TCP/UDP applications are assigned an individual “port” number, used
to identify the type of service one system is requesting from another. The 
Internet Assigned Numbers Authority publishes a list of these. 
1. To access a web page that uses TCP Port 8000 instead of the more usual
Port 80, use the following: 
– IP Protocol = 6 (TCP) 
– Match Offset = 22 
– Match Length = 2 
– Match Data = 1F40 (8000 in hex) 
– Match Mask = FFFF (FFFF.AND.filtered data = 1F40) 
– Direction = Out 
– Notes = Port 8000 Out 
2. To allow all ports out (this also solves the problem in Example 1 but risks
unintentional data calls being made): 
– IP Protocol = 6 (TCP) 
– Match Offset = 0 
– Match Length = 0 
– Match Data = 0 
– Match Mask = 0 
– Direction = Out 
– Notes = All TCP Ports Out 
3. To avoid Windows 95 calling your ISP’s DNS to resolve local names:
– IP Protocol = 17 (UDP) 
– Match Offset = 20 
– Match Length = 4 
– Match Data = 00890035 
– Match Mask = FFFFFFFF 
– Direction = Drop 
– Notes = Drop NetBIOS to DNS 
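The three example filters above, evaluated against constructed packets (an added example, not taken from the Avaya manual). It assumes that Match Offset is counted from the first byte of the IPv4 header and that short Match Data and Match Mask values are zero-padded on the left; ipv4_packet, rule_matches and matching_rules are hypothetical helper names. The last sample shows that offset 22 only lands on the TCP destination port when the IP header carries no options.

```python
import struct

# Columns: IP Protocol, Match Offset, Match Length, Match Data, Match Mask, Direction, Notes
RULES = [
    (6, 22, 2, "1F40", "FFFF", "Out", "Port 8000 Out"),
    (6, 0, 0, "0", "0", "Out", "All TCP Ports Out"),
    (17, 20, 4, "00890035", "FFFFFFFF", "Drop", "Drop NetBIOS to DNS"),
]

def ipv4_packet(proto, sport, dport, options=b""):
    """Constructed sample: IPv4 header, optional IP options, then source/destination port."""
    ihl = 5 + len(options) // 4                      # header length in 32-bit words
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 0, 0, 0, 64, proto, 0,
                         bytes([192, 168, 0, 10]), bytes([203, 0, 113, 5]))
    return header + options + struct.pack("!HH", sport, dport)

def rule_matches(packet, rule):
    """True when (filtered data AND Match Mask) equals Match Data for this rule."""
    proto, offset, length, data, mask, _direction, _notes = rule
    if packet[9] != proto:                           # byte 9 of the IPv4 header = protocol
        return False
    field = packet[offset:offset + length]           # "data filtered from the packet"
    if len(field) < length:                          # packet too short to hold the field
        return False
    # Integer comparison treats short hex values as left-padded with zeroes (assumption).
    return (int.from_bytes(field, "big") & int(mask, 16)) == int(data, 16)

def matching_rules(packet):
    """Return (Direction, Notes) for every rule the packet matches, in table order."""
    return [(r[5], r[6]) for r in RULES if rule_matches(packet, r)]

if __name__ == "__main__":
    samples = {
        "TCP to port 8000": ipv4_packet(6, 40000, 8000),
        "TCP to port 80": ipv4_packet(6, 40000, 80),
        "UDP 137 to 53 (NetBIOS name lookup sent to DNS)": ipv4_packet(17, 137, 53),
        "UDP 1024 to 53 (ordinary DNS query)": ipv4_packet(17, 1024, 53),
        "TCP to port 8000 with 4 bytes of IP options": ipv4_packet(6, 40000, 8000, b"\x01\x01\x01\x00"),
    }
    for label, pkt in samples.items():
        print(f"{label}: {matching_rules(pkt)}")
```

Match Length = 0 with Match Data = 0 and Match Mask = 0 compares nothing, which is why the rule in Example 2 matches every TCP packet.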
INDeX IPNC Cassette Administration Manual
38DHB0002UKDD – Issue 7 (22/11/02)