Lucent Technologies 6000 User Manual
15-14
MAX 6000/3000 Network Configuration Guide
Defining Static Filters
Defining IP filters
Defining IP filters
Filtering by source or destination address
When you specify a source or destination address in an IP filter, the MAX unit applies the
filter’s forwarding action to packets received from or sent to that address. If you also specify a
subnet mask, the MAX unit applies the mask to the address value before comparing the
resulting value to the source or destination address in a packet.
filter’s forwarding action to packets received from or sent to that address. If you also specify a
subnet mask, the MAX unit applies the mask to the address value before comparing the
resulting value to the source or destination address in a packet.
To apply the mask, the MAX unit translates both the mask and address values into binary
format and then uses a logical AND to apply the mask to the address. The mask hides the bits
whose positions match those of the binary zeroes in the mask. A mask of all zeros (the default)
masks all bits. If the address value itself is also all zeros (the default), the filter matches any
source or destination address. A mask of all ones (255.255.255.255) masks no bits, so the full
source address for a single host is compared to the address value.
format and then uses a logical AND to apply the mask to the address. The mask hides the bits
whose positions match those of the binary zeroes in the mask. A mask of all zeros (the default)
masks all bits. If the address value itself is also all zeros (the default), the filter matches any
source or destination address. A mask of all ones (255.255.255.255) masks no bits, so the full
source address for a single host is compared to the address value.
You can use the address mask to mask out the host portion of an address, for example, or the
host and subnet portion, so the specification matches the address to or from any host on a given
network.
host and subnet portion, so the specification matches the address to or from any host on a given
network.
Filtering by port numbers
IP filters can specify a port number to be compared to the source or destination port (or both)
in a packet. A port number of zero matches nothing. TCP and UDP port numbers are typically
assigned to services. For a list of well-known port assignments, see RFC 1700, Assigned
Numbers.
in a packet. A port number of zero matches nothing. TCP and UDP port numbers are typically
assigned to services. For a list of well-known port assignments, see RFC 1700, Assigned
Numbers.
Note:
For security purposes, you should filter all services from outside your domain that are
not required. UDP-based services make you network particularly vulnerable to certain types of
security attacks.
security attacks.
The specified type of comparison determines when a match occurs. If no comparison operator
is specified in the filter, no comparison is made. You can specify that the filter matches the
packet if the packet’s port number is Less (<), Eql (=), Gtr (>), or Neq (!=) the port number
specified in the filter.
is specified in the filter, no comparison is made. You can specify that the filter matches the
packet if the packet’s port number is Less (<), Eql (=), Gtr (>), or Neq (!=) the port number
specified in the filter.
srcport
cmp value
If the
srcport
keyword is followed by a comparison symbol and
a number, the number is compared to the source port of a packet.
The comparison symbol can be < (less-than), = (equal), >
(greater-than), or ! = (not-equal). The port value can be one of the
following names or numbers: ftp-data (20), ftp (21), telnet (23),
smtp (25), nameserver (42), domain (53), tftp (69), gopher (70),
finger (79), www (80), kerberos (88), hostname (101), nntp (119),
ntp (123), exec (512), login (513), cmd (514), or talk (517). For
more details, see “Filtering by port numbers” on page 15-14.
The comparison symbol can be < (less-than), = (equal), >
(greater-than), or ! = (not-equal). The port value can be one of the
following names or numbers: ftp-data (20), ftp (21), telnet (23),
smtp (25), nameserver (42), domain (53), tftp (69), gopher (70),
finger (79), www (80), kerberos (88), hostname (101), nntp (119),
ntp (123), exec (512), login (513), cmd (514), or talk (517). For
more details, see “Filtering by port numbers” on page 15-14.
est
If the est flag is present, it restricts application of the filter to
packets in an established TCP session. The protocol number must
be set to 6 (TCP), or the flag is ignored.
packets in an established TCP session. The protocol number must
be set to 6 (TCP), or the flag is ignored.
Keyword or Argument
Value