Filtering IP Traffic, IP Packet Filter Lists, Example 1 – Black Box LR1102A-T1/E1 User Manual (page 19)

3 Filtering IP Traffic

3.1 IP Packet Filter Lists

Black Box systems can be configured for IP traffic filtering capabilities. IP traffic filtering allows creation of rule sets
that selectively block TCP/IP packets on a specified interface. Filters are applied independently to all interfaces:
Ethernet, serial, or WAN, as well as independently to interface direction: IN (packets coming in to the Black Box
system) or OUT (packets going out of the Black Box system).

IP packet filtering capability can be used to restrict access to the Black Box system from untrusted, external networks or
from specific, internal networks. An example would be a filter that prohibits external users from establishing Telnet
sessions to the Black Box system, and allows only specific internal users Telnet access to the system.

• At the end of every rule list is an implied “deny all traffic” statement. Therefore, all packets not explicitly permitted
by filtering rules are denied. This effectively means that once you enter a “deny” statement in your filter list, you
are implicitly denying all other packets from crossing the interface. Therefore, it is important that each filter list contain at
least one “permit” statement.

• The order in which you enter the filtering rules is important. As the Black Box system is evaluating each packet, the
Black Box OS tests the packet against each rule statement sequentially. After a match is found, no more rule
statements are checked. For example, if you create a rule statement that explicitly permits all traffic as the first rule,
all traffic is passed since no further rules are checked.

• The Black Box OS permits easy re-ordering of filter commands through the filter_list insert and delete commands.

3.1.1 Example 1

Consider a Black Box connected via a bundle “WAN1” (WAN IP address 200.1.1.1) to an ISP, with Ethernet 0 (IP
address 222.199.19.3) connected to the internal network. The network administrator wants to completely block Telnet
access to the Black Box from all external networks as well as from all internal networks except 222.199.19.0/28. All
other TCP/IP traffic, such as FTP, Ping, and HTTP, is to flow unrestricted through the Black Box system.

3.1.1.1 Configure the Black Box LR1104A

Blackbox> configure term
Blackbox/configure> ip
Blackbox/configure/ip> filter_list filtera (gives the list a name)
Blackbox/configure/ip/filter_list> add deny tcp any 200.1.1.1 dport =23
Blackbox/configure/ip/filter_list> add permit tcp 222.199.19.0/28 222.199.19.3 dport =23
Blackbox/configure/ip/filter_list> add deny tcp any 222.199.19.3 dport =23
Blackbox/configure/ip/filter_list> add permit ip any any
Blackbox/configure/ip/filter_list> exit
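The following is an added example, not part of the manual and not Black Box OS code: a small Python model of the first-match evaluation and implied “deny all” described above, loaded with the four rules of “filtera”. The packet addresses other than those in the example (198.51.100.7, 203.0.113.9, 222.199.19.5, 222.199.19.40) are constructed test values, and the Rule/Packet structures are assumptions of this model.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp", or "ip" (ip matches any protocol)
    src: str               # "any", a host address, or a prefix such as 222.199.19.0/28
    dst: str
    dport: Optional[int] = None   # None matches any destination port


class Packet(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _addr_match(spec: str, addr: str) -> bool:
    # "any" matches everything; a bare host address becomes a /32 network.
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Test the packet against each rule in order; the first match decides."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not (_addr_match(r.src, pkt.src) and _addr_match(r.dst, pkt.dst)):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action        # matched: later rules are never checked
    return "deny"              # the implied "deny all traffic" at the end of every list


# "filtera" from the example, in the order the commands were entered.
FILTERA = [
    Rule("deny",   "tcp", "any",             "200.1.1.1",    23),
    Rule("permit", "tcp", "222.199.19.0/28", "222.199.19.3", 23),
    Rule("deny",   "tcp", "any",             "222.199.19.3", 23),
    Rule("permit", "ip",  "any",             "any"),
]

# Constructed sample packets (Telnet is TCP port 23).
EXTERNAL_TELNET = Packet("tcp",  "198.51.100.7",  "200.1.1.1",    23)   # from the ISP side
TRUSTED_TELNET  = Packet("tcp",  "222.199.19.5",  "222.199.19.3", 23)   # inside 222.199.19.0/28
OTHER_TELNET    = Packet("tcp",  "222.199.19.40", "222.199.19.3", 23)   # internal, outside the /28
HTTP            = Packet("tcp",  "222.199.19.40", "203.0.113.9",  80)
PING            = Packet("icmp", "198.51.100.7",  "222.199.19.3")

if __name__ == "__main__":
    for p in (EXTERNAL_TELNET, TRUSTED_TELNET, OTHER_TELNET, HTTP, PING):
        print(evaluate(FILTERA, p), p)
    print(evaluate(FILTERA[:3], HTTP))                       # no permit rule left: implied deny
    print(evaluate([FILTERA[3]] + FILTERA[:3], EXTERNAL_TELNET))  # permit-all first: Telnet passes
```

Dropping the final “permit ip any any” shows the implied deny swallowing the HTTP packet, and moving it to the top shows why rule order matters.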
