USRobotics NETServer/8 User Manual
Page 126
8-12 Packet Filters
TCP    UDP    Description
518    518    ntalk (new terminal chat)
-      520    RIP
540    540    uucp (UNIX to UNIX copy)
540    540    uucp-rlogin
543    543    klogin (Kerberized login)
1642   -      PortMux daemon
-      1645   RADIUS security
-      1646   RADIUS accounting
Filtering RIP messages
If the NETServer is listening for or broadcasting RIP messages, you should permit them (UDP dst eq 520) to pass in the appropriate direction(s).
Note that spurious RIP messages can disrupt your routing tables. If you are listening for RIP messages on a given interface, you may wish to consider filtering out RIP updates from untrusted networks.
FTP Packet Filtering
FTP is one of the most difficult protocols to permit while still protecting your network. The input and output filters must permit two separate bi-directional connections, one initiated by the client and one initiated by the host. However, they should still be able to provide as much protection from outside attackers as possible. To write such a filter, we'll go through the FTP process and write the appropriate lines as we go.
In the example below, we will permit all users on the local class C network, 192.77.203.0, to initiate an FTP connection to any other host on the Internet. However, incoming FTPs will be denied.
Step 1 - Create two filters
Since we will be filtering both incoming and outgoing packets,
we must create two filters.
add filter ftp.in
add filter ftp.out
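The following is an added illustration, not part of the manual and not the NETServer's filter syntax: a small Python model of stateless input and output filters for the scenario above (local class C 192.77.203.0, outbound FTP permitted, inbound FTP denied, RIP permitted outbound only). It assumes a /24 mask, uses documentation addresses 198.51.100.10 and 203.0.113.7 for the remote hosts, and shows why the server-initiated data channel forces the input filter to accept new connections from source port 20.

```python
import ipaddress
from dataclasses import dataclass

# Class C network from the manual's example (assumption: /24 mask)
LOCAL_NET = ipaddress.ip_network("192.77.203.0/24")

@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # TCP SYN without ACK, i.e. a new connection attempt

def is_local(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LOCAL_NET

def ftp_out(p: Packet) -> bool:
    """Output filter: traffic leaving the 192.77.203.0 network."""
    if p.proto == "tcp" and is_local(p.src):
        if p.dport == 21:                      # control channel, client -> server
            return True
        if p.sport > 1023 and p.dport == 20:   # client's side of the server-initiated data channel
            return True
    if p.proto == "udp" and p.dport == 520:    # RIP updates we broadcast
        return True
    return False

def ftp_in(p: Packet) -> bool:
    """Input filter: traffic entering the network. Incoming FTP (dst port 21) is denied."""
    if p.proto == "tcp" and is_local(p.dst) and p.dport > 1023:
        if p.sport == 21 and not p.syn:        # control channel replies only on established sessions
            return True
        if p.sport == 20:                      # data channel: the server opens it, so SYNs must be let in
            return True
    return False

# Constructed sample traffic: a local client fetching a file from 198.51.100.10
SAMPLE = [
    ("out", Packet("tcp", "192.77.203.5", "198.51.100.10", 1500, 21, syn=True)),
    ("in",  Packet("tcp", "198.51.100.10", "192.77.203.5", 21, 1500)),
    ("in",  Packet("tcp", "198.51.100.10", "192.77.203.5", 20, 1501, syn=True)),
    ("out", Packet("tcp", "192.77.203.5", "198.51.100.10", 1501, 20)),
    ("in",  Packet("tcp", "203.0.113.7", "192.77.203.5", 4000, 21, syn=True)),  # inbound FTP: denied
    ("in",  Packet("tcp", "203.0.113.7", "192.77.203.5", 21, 3000, syn=True)),  # new connection from port 21: denied
]

def verdicts(samples=SAMPLE):
    return [(ftp_in if d == "in" else ftp_out)(p) for d, p in samples]

if __name__ == "__main__":
    for (d, p), ok in zip(SAMPLE, verdicts()):
        print(f"{d:3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} {'permit' if ok else 'deny'}")
```

The remaining exposure is visible in the input filter: any outside host that sends from source port 20 to a local port above 1023 is permitted, which is exactly why the manual calls FTP hard to filter with stateless rules.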