Netopia D7100 SDSL User Manual
Security 8-89
The following example further illustrates filter rule chaining, different sized masks and the full 8 bytes of the Value field.
Create a filter set designed to block telnet access from a given external node (the example below uses 176.163.52.18) to a given internal node (176.163.107.254).
The filter rule summary (input) should look like this:
■ Filter #1 checks that the IHL has a size of 5. This is a useful security check to verify that a potential hacker has not padded the packet with options that would then throw off the following filter rule checks on bytes further into the packet.
■ Filter #2 checks that the incoming packet is IP.
■ Filter #3 checks that the packet is using TCP.
■ Filter #4 simultaneously checks that the source IP address is 176.163.52.18 (= B0A33412 in hex) and the destination IP address is 176.163.107.254 (= B0A3B0FE in hex).
■ Filter #5 checks that the TCP port is telnet (= 23 decimal = 17 hex).
Note: This filter set is presented only to illustrate how Generic filtering works. You are strongly advised to use IP filters to block IP-only traffic.
+-#----Value-------------Mask--------------Offst-Compare--Chain---On?-Fwd-+
+-------------------------------------------------------------------------+
| 1    0500000000000000  0F00000000000000  14    =        No      Yes No  |
| 2    0800000000000000  FFFF000000000000  12    =        Yes     Yes     |
| 3    0600000000000000  FF00000000000000  23    =        Yes     Yes     |
| 4    B0A33412B0A3B0FE  FFFFFFFFFFFFFFFF  26    =        Yes     Yes     |
| 5    0017000000000000  FFFF000000000000  36    =        No      Yes No  |
|                                                                         |
+-------------------------------------------------------------------------+
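To make the chaining concrete, here is an added Python simulation of this filter set (my own code, not Netopia firmware): it loads the five rules from the table above, builds a constructed Ethernet/IPv4/TCP frame, and walks the chain against it. It assumes offsets count from the first byte of the Ethernet frame (which the table's values imply), that a failed match ends its chain with no decision, and, since 176.163.107.254 encodes as B0A36BFE (107 = 0x6B), it derives rule 4's destination from the dotted address rather than copying the table's B0A3B0FE.

```python
import struct

def ip_hex(dotted):
    """Hex string of a dotted IPv4 address: 176.163.52.18 -> 'B0A33412'."""
    return "".join("%02X" % int(o) for o in dotted.split("."))

# Rule tuples: (value_hex, mask_hex, offset, chain, forward). Chain=True means the packet
# must also match the next rule; forward is consulted only by the rule that ends a chain.
# Offsets count from the first byte of the Ethernet frame (assumption, implied by the table).
RULES = [
    ("0500000000000000", "0F00000000000000", 14, True, None),    # IHL == 5: no IP options
    ("0800000000000000", "FFFF000000000000", 12, True, None),    # EtherType 0x0800 = IP
    ("0600000000000000", "FF00000000000000", 23, True, None),    # IP protocol 6 = TCP
    (ip_hex("176.163.52.18") + ip_hex("176.163.107.254"),
     "FFFFFFFFFFFFFFFF", 26, True, None),                        # source and destination IP
    ("0017000000000000", "FFFF000000000000", 36, False, False),  # TCP dst port 23: drop
]

def matches(packet, value_hex, mask_hex, offset):
    """Compare the 8 bytes at `offset` (zero-padded past the end) with value, under mask."""
    window = packet[offset:offset + 8].ljust(8, b"\x00")
    value, mask = bytes.fromhex(value_hex), bytes.fromhex(mask_hex)
    return all(p & m == v for p, m, v in zip(window, mask, value))

def evaluate(rules, packet):
    """Return True to forward, False to drop. A failed rule skips the rest of its chain."""
    i = 0
    while i < len(rules):
        value, mask, offset, chain, forward = rules[i]
        if not matches(packet, value, mask, offset):
            while i < len(rules) and rules[i][3]:   # skip forward to the chain's last rule
                i += 1
            i += 1                                  # and past it
            continue
        if chain:
            i += 1
            continue
        return forward
    return True   # no chain completed on this packet: the default is to forward

def build_packet(src_ip, dst_ip, dst_port, options=b""):
    """Constructed Ethernet/IPv4/TCP frame; `options` (multiple of 4 bytes) raises the IHL."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0, 40 + len(options),
                     0, 0, 64, 6, 0, bytes.fromhex(ip_hex(src_ip)),
                     bytes.fromhex(ip_hex(dst_ip))) + options
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return eth + ip + tcp
```

Running rule 1 and rule 5 against a frame built with 4 bytes of IP options shows the point made above: the option bytes shift the TCP header, so the window at offset 36 no longer holds the destination port, and only the IHL check reveals why.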