Nortel Networks WEB OS 212777 User Manual

Web OS 10.0 Application Guide

Chapter 7: Filtering

212777-A, February 2002

Page 198

In this network, the Web servers inside the LAN must be able to transfer mail to any SMTP-
based mail server out on the Internet. At the same time, you want to prevent access to the LAN
from the Internet, except for HTTP.

SMTP traffic uses well-known TCP Port 25. The Web servers will originate TCP sessions to
the SMTP server using TCP destination Port 25, and the SMTP server will acknowledge each
TCP session and data transfer using TCP source Port 25.

Creating a filter with the ACK flag closes one potential security hole. Without the filter, the
switch would permit a TCP SYN connection request to reach any listening TCP destination
port on the Web servers inside the LAN, as long as it originated from TCP source Port 25. The
server would listen to the TCP SYN, allocate buffer space for the connection, and reply to the
connect request. In some SYN attack scenarios, this could cause the server’s buffer space to
fill, crashing the server or at least making it unavailable.

A filter with the ACK flag enabled prevents external devices from beginning a TCP connection
(with a TCP SYN) from TCP source Port 25. The switch drops any frames that have the ACK
flag turned off.

The following filters are required:

1. A filter that allows the Web servers to pass SMTP requests to the Internet.

   >> # /cfg/slb/filt 10                 (Select a filter for trusted SMTP requests)
   >> Filter 10# sip 203.122.186.0       (From the Web servers' source IP address)
   >> Filter 10# smask 255.255.255.0     (For the entire subnet range)
   >> Filter 10# sport any               (From any source port)
   >> Filter 10# proto tcp               (For TCP traffic)
   >> Filter 10# dip any                 (To any destination IP address)
   >> Filter 10# dport smtp              (To the well-known SMTP destination port)
   >> Filter 10# action allow            (Allow matching traffic to pass)
   >> Filter 10# ena                     (Enable the filter)
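The following Python model is an added example, not Nortel's code and not a transcript of the switch: it reproduces filter 10 exactly as configured above and models the ACK-flag behaviour the text describes, so you can see which sample frames the filter set passes and which it drops. Only filter 10 appears on this page; the SMTP-reply filter (number 20), the inbound HTTP filter (number 30) and the catch-all deny (number 2048) are assumptions of this model, as is the evaluation order (lowest filter number first, first match wins, nothing matching is dropped). The ACK option is modelled as "match only frames with the ACK flag set", which is what makes a bare SYN from source port 25 fall through to the deny.

```python
"""Model of Web OS-style filters applied to constructed sample frames (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Union

SMTP_PORT = 25    # well-known TCP port for SMTP (from the text)
HTTP_PORT = 80    # HTTP is the one inbound service the scenario allows


@dataclass
class Packet:
    """Fields of a frame that the filters inspect. Sample frames are constructed below."""
    sip: str
    dip: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass
class Filter:
    """One filter: match fields plus an action, mirroring the CLI options on the page."""
    number: int
    action: str                          # "allow" or "deny"
    sip: str = "any"
    smask: str = "255.255.255.255"
    dip: str = "any"
    dmask: str = "255.255.255.255"
    proto: str = "any"
    sport: Union[int, str] = "any"
    dport: Union[int, str] = "any"
    require_ack: bool = False            # the ACK-flag option discussed in the text
    enabled: bool = True

    @staticmethod
    def _ip_match(addr: str, net: str, mask: str) -> bool:
        if net == "any":
            return True
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(addr) in network

    def matches(self, pkt: Packet) -> bool:
        if not self.enabled:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if not self._ip_match(pkt.sip, self.sip, self.smask):
            return False
        if not self._ip_match(pkt.dip, self.dip, self.dmask):
            return False
        if self.sport != "any" and self.sport != pkt.sport:
            return False
        if self.dport != "any" and self.dport != pkt.dport:
            return False
        # With the ACK option on, a frame whose ACK flag is off (e.g. a bare SYN)
        # does not match this allow filter and falls through to the later deny.
        if self.require_ack and not pkt.ack:
            return False
        return True


def evaluate(filters: List[Filter], pkt: Packet) -> str:
    """Return the action of the lowest-numbered enabled filter that matches.
    Assumption of this model: a frame that matches nothing is dropped."""
    for flt in sorted(filters, key=lambda f: f.number):
        if flt.matches(pkt):
            return flt.action
    return "deny"


WEB_SUBNET = "203.122.186.0"       # the Web servers' subnet from filter 10
WEB_MASK = "255.255.255.0"

EXAMPLE_FILTERS = [
    # Filter 10 exactly as configured on the page: outbound SMTP requests.
    Filter(10, "allow", sip=WEB_SUBNET, smask=WEB_MASK, proto="tcp", dport=SMTP_PORT),
    # Assumed filter 20: SMTP replies from source port 25, accepted only with ACK set.
    Filter(20, "allow", dip=WEB_SUBNET, dmask=WEB_MASK, proto="tcp",
           sport=SMTP_PORT, require_ack=True),
    # Assumed filter 30: the one inbound service the scenario permits, HTTP.
    Filter(30, "allow", dip=WEB_SUBNET, dmask=WEB_MASK, proto="tcp", dport=HTTP_PORT),
    # Assumed catch-all: everything else is dropped.
    Filter(2048, "deny"),
]


def main() -> None:
    # Constructed sample frames; 198.51.100.0/24 is documentation address space.
    samples = {
        "outbound SMTP SYN": Packet("203.122.186.10", "198.51.100.25", "tcp", 40000, 25, syn=True),
        "SMTP reply with ACK": Packet("198.51.100.25", "203.122.186.10", "tcp", 25, 40000, ack=True),
        "SYN from sport 25 to port 22": Packet("198.51.100.25", "203.122.186.10", "tcp", 25, 22, syn=True),
        "inbound HTTP SYN": Packet("198.51.100.77", "203.122.186.10", "tcp", 50000, 80, syn=True),
    }
    for label, pkt in samples.items():
        print(f"{label:30s} -> {evaluate(EXAMPLE_FILTERS, pkt)}")


if __name__ == "__main__":
    main()
```

The third sample is the hole the text describes: a connection request that merely carries TCP source port 25 would, without the ACK requirement, match an allow filter and reach any listening port on a Web server. With `require_ack` set on the reply filter, the frame matches nothing but the catch-all and is dropped, while genuine replies to sessions the Web servers opened (ACK set) still pass.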
