Netopia D7100 SDSL User Manual

Security   8-89
The following example further illustrates filter rule chaining, different sized masks and the full 8 bytes of the Value field.
Create a filter set designed to block telnet access from a given external node (the example below uses 176.163.52.18) to a given internal node (176.163.107.254).
The filter rule summary (input) should look like this:

   +-#----Value-------------Mask--------------Offst-Compare--Chain---On?-Fwd-+
   +-------------------------------------------------------------------------+
   | 1    0500000000000000  0F00000000000000  14    =        No      Yes No  |
   | 2    0800000000000000  FFFF000000000000  12    =        Yes     Yes     |
   | 3    0600000000000000  FF00000000000000  23    =        Yes     Yes     |
   | 4    B0A33412B0A3B0FE  FFFFFFFFFFFFFFFF  26    =        Yes     Yes     |
   | 5    0017000000000000  FFFF000000000000  36    =        No      Yes No  |
   |                                                                         |

Filter #1 checks that the IHL has a size of 5. This is a useful security check: it verifies that a potential hacker has not padded the packet with IP options, which would shift every later header field and throw off the following filter rule checks on bytes further into the packet.
Filter #2 checks that the incoming packet is IP.
Filter #3 checks that the packet is using TCP.
Filter #4 simultaneously checks that the source IP address is 176.163.52.18 (= B0A33412 in hex) and the destination IP address is 176.163.107.254 (= B0A3B0FE in hex).
Filter #5 checks that the TCP port is telnet (= 23 decimal = 17 hex).
Note: This filter set is presented only to illustrate how Generic filtering works. You are strongly advised to use IP filters to block IP-only traffic.
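As an added example (not from the Netopia manual), the Python below evaluates the five Generic filter rules, copied verbatim from the summary table, against constructed Ethernet/IPv4/TCP frames, and shows what Filter #1 buys you: a frame carrying IP options passes rules 2 to 4 but no longer matches rule 5, because the port bytes have moved. `build_frame`, `rule_matches` and `matching_rules` are hypothetical helper names; offsets count from the start of the Ethernet frame, as in the table.

```python
import struct

# (rule number, Value, Mask, Offset) copied verbatim from the filter summary
# above. Value and Mask are 8 bytes wide, so one rule can span several fields.
RULES = [
    (1, "0500000000000000", "0F00000000000000", 14),  # IHL (low nibble of byte 14) == 5
    (2, "0800000000000000", "FFFF000000000000", 12),  # EtherType 0x0800 = IP
    (3, "0600000000000000", "FF00000000000000", 23),  # IP protocol 6 = TCP
    (4, "B0A33412B0A3B0FE", "FFFFFFFFFFFFFFFF", 26),  # source and destination IP
    (5, "0017000000000000", "FFFF000000000000", 36),  # TCP destination port 0x0017 = 23
]


def rule_matches(rule, frame):
    """Compare '=': every masked byte in the 8-byte window at Offset equals Value."""
    _, value, mask, offset = rule
    window = frame[offset:offset + 8].ljust(8, b"\x00")  # pad short frames with zeros
    return all((w & m) == v for w, m, v in
               zip(window, bytes.fromhex(mask), bytes.fromhex(value)))


def matching_rules(frame):
    """Numbers of the rules whose comparison holds for this frame."""
    return [rule[0] for rule in RULES if rule_matches(rule, frame)]


def build_frame(src_hex, dst_hex, dport, options=b""):
    """Constructed Ethernet + IPv4 + TCP frame (dummy MACs, checksums left zero).
    'options' is appended to the IP header, which raises the IHL and pushes
    everything after the IP header (the TCP header) further into the frame."""
    ihl = 5 + len(options) // 4
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH", (4 << 4) | ihl, 0, 20 + len(options) + 20,
                     0, 0, 64, 6, 0)
    ip += bytes.fromhex(src_hex) + bytes.fromhex(dst_hex) + options
    tcp = struct.pack("!HHIIBBHHH", 1025, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return eth + ip + tcp


if __name__ == "__main__":
    telnet = build_frame("B0A33412", "B0A3B0FE", 23)
    # Same flow, but with four NOP options (0x01) in the IP header, so IHL = 6.
    padded = build_frame("B0A33412", "B0A3B0FE", 23, options=b"\x01" * 4)
    print(matching_rules(telnet))  # [1, 2, 3, 4, 5]: the whole set matches
    print(matching_rules(padded))  # [2, 3, 4]: rule 5 now reads option bytes, not the
                                   # port; only rule 1 reports the longer header
```

Without rule 1 the padded frame would simply fail to match the chain, which is exactly the gap the IHL check closes.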