Ip packet filter rule set examples – Compatible Systems 5.4 User Manual

Chapter 11 - TCP/IP Filtering

195

This rule would drop all packets with the source host address 192.15.1.10:

deny 192.15.1.10 0.0.0.0

A rule to drop all packets with a source network address of 192.15.1.0. All
packets from hosts on that network would be denied:

deny 192.15.1.0/24 0.0.0.0

IP Packet Filter Rule Set Examples

The rule set below allows only inbound and outbound mail from 192.15.14.1.

The input-filter:

permit 0.0.0.0 192.15.14.1 TCP src >= 1024 dst = 25

permit 0.0.0.0 192.15.14.1 TCP src = 25 dst >= 1024

The output-filter:

permit 192.15.14.1 0.0.0.0 TCP src = 25 dst >= 1024

permit 192.15.14.1 0.0.0.0 TCP src >= 1024 dst = 25

These sets of rules are intended to filter out all traffic and only allow
incoming and outgoing mail to a server inside a net with an IP address of
192.15.14.1. However they aren’t enough to prevent access from someone
outside using source port 25. This is because a connection to destination ports
greater than 1024 can be initiated according to the second rule in the input
filter. To prevent this from happening, add the est keyword to the second rule
in the input filter:

permit 0.0.0.0 192.15.14.1 TCP src = 25 dst >= 1024 est

The est keyword in this rule tells the device to only accept TCP packets on
the input to this interface when the connection has already been established.
A TCP packet which is attempting to initiate a connection will have only the
“SYN” flag set. If someone tries to establish a connection from the outside
using source port 25, the rule won’t match (no permit will occur). The
connection can’t be established since the packet will be dropped by the
default rule.