Netopia R310 User Manual

12-24  User’s Reference Guide
Firewall Logic
Firewall design is a test of logic, and filter rule ordering is critical. As a packet is passed through a series of filter 
rules, the first rule it matches determines the action taken. The packet does not pass through the 
remainder of the filter rules.
For example, if you had the following filter set:
Allow WWW access;
Allow FTP access;
Allow SMTP access;
Deny all other packets.
and a packet destined for FTP goes through these rules, the packet would pass through the first rule (WWW), go 
through the second rule (FTP), match this rule, and be allowed through.
If, for example, you had this filter set:
Allow WWW access;
Allow FTP access;
Deny FTP access;
Deny all other packets.
and a packet destined for FTP goes through these rules, the packet would pass through the first filter rule 
(WWW), match the second rule (FTP), and be allowed through. Even though the next rule is to deny all 
FTP traffic, the FTP packet will never make it to this rule.
Binary Representation
It is easiest when doing filtering to convert the IP address and mask in question to binary. This will allow you to 
perform the logical AND to determine if a packet matches a filter rule.
Logical ANDing
When a packet is compared, a logical AND is performed (in most cases). First the IP addresses and subnet 
masks are converted to binary and then ANDed together. The rules for logical ANDing are as follows:
0 AND 0 = 0
0 AND 1 = 0
1 AND 0 = 0
1 AND 1 = 1
For example:
Filter rule: Deny
IP:   163.176.1.15       BINARY: 10100011.10110000.00000001.00001111
Mask: 255.255.255.255    BINARY: 11111111.11111111.11111111.11111111
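The two ideas on this page, first-match rule ordering and the binary AND of address and mask, worked through in code. This is an added example, not code from the Netopia guide; the rule and packet field names are assumptions, the filter set is constructed to mirror the guide's second example, and it goes one step further by flagging rules that an earlier rule makes unreachable.

```python
from ipaddress import IPv4Address

def to_binary(dotted: str) -> str:
    """Dotted quad -> four 8-bit binary octets, the form the guide uses."""
    return ".".join(f"{int(octet):08b}" for octet in dotted.split("."))

def address_matches(packet_ip: str, rule_ip: str, rule_mask: str) -> bool:
    """Logical AND: match when (packet AND mask) == (rule AND mask).
    255.255.255.255 pins an exact host; 0.0.0.0 matches any host."""
    mask = int(IPv4Address(rule_mask))
    return (int(IPv4Address(packet_ip)) & mask) == (int(IPv4Address(rule_ip)) & mask)

def evaluate(filter_set, packet):
    """First match wins: walk the rules top to bottom and stop at the first hit;
    later rules are never consulted. Returns (action, rule index, rule name)."""
    for index, rule in enumerate(filter_set):
        port_ok = rule["port"] is None or rule["port"] == packet["dst_port"]
        if port_ok and address_matches(packet["dst_ip"], rule["ip"], rule["mask"]):
            return rule["action"], index, rule["name"]
    return "deny", None, "no rule matched"

def shadowed_rules(filter_set):
    """Indices of rules that can never be reached because an earlier rule already
    matches every packet they would (any or equal port, covering address/mask)."""
    shadowed = []
    for j, later in enumerate(filter_set):
        mj, ipj = int(IPv4Address(later["mask"])), int(IPv4Address(later["ip"]))
        for earlier in filter_set[:j]:
            mi, ipi = int(IPv4Address(earlier["mask"])), int(IPv4Address(earlier["ip"]))
            port_covers = earlier["port"] is None or earlier["port"] == later["port"]
            addr_covers = (mi & ~mj) == 0 and (ipj & mi) == (ipi & mi)
            if port_covers and addr_covers:
                shadowed.append(j)
                break
    return shadowed

# Constructed filter set (field names are assumptions) mirroring the guide's second
# example: "Allow FTP" precedes "Deny FTP". Ports: WWW 80, FTP 21.
ANY = {"ip": "0.0.0.0", "mask": "0.0.0.0"}
FILTER_SET = [
    {"name": "Allow WWW access", "action": "allow", "port": 80, **ANY},
    {"name": "Allow FTP access", "action": "allow", "port": 21, **ANY},
    {"name": "Deny FTP access", "action": "deny", "port": 21, **ANY},
    {"name": "Deny all other packets", "action": "deny", "port": None, **ANY},
]
FTP_PACKET = {"dst_ip": "163.176.1.15", "dst_port": 21}   # constructed sample packet
if __name__ == "__main__":
    print(to_binary("163.176.1.15"), to_binary("255.255.255.255"))
    print(evaluate(FILTER_SET, FTP_PACKET))   # ('allow', 1, 'Allow FTP access')
    print(shadowed_rules(FILTER_SET))         # [2]: the Deny FTP rule is dead
```

Running `shadowed_rules` over a filter set before loading it is a cheap way to catch the ordering mistake the guide warns about.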