Compatible Systems 5.4 Manual De Usuario
Chapter 11 - TCP/IP Filtering
189
Rules that have been specified using CompatiView may be edited or exam-
ined through the command line interface, and vice-versa. When the rules are
downloaded into the device from CompatiView, they will be encrypted.
ined through the command line interface, and vice-versa. When the rules are
downloaded into the device from CompatiView, they will be encrypted.
Basic IP Packet Filter Rules and Syntax
At a minimum, every non-comment line in a filter set must include an action,
a source IP address, and a destination IP address. Together these components
specify the action to be taken when a packet meets the condition of the rule.
a source IP address, and a destination IP address. Together these components
specify the action to be taken when a packet meets the condition of the rule.
Every line in a packet filter set must begin with the actions permit or deny,
or the comment indicator #.
or the comment indicator #.
•
Lines which begin with permit specify that packets meeting the condi-
tions should be passed through the filter.
tions should be passed through the filter.
•
Lines which begin with deny specify that packets meeting the conditions
should be dropped by the filter.
should be dropped by the filter.
•
Lines which begin with # specify that the text on the line is a comment
and should be ignored.
and should be ignored.
Every line which begins with permit or deny must be followed by a source
and destination IP address. These IP addresses can be specified in a number
of different ways.
and destination IP address. These IP addresses can be specified in a number
of different ways.
•
Addresses can be specified in dotted-decimal notation. If the rightmost
components are 0, they are treated as wildcards. For example,
128.138.12.0 matches all hosts on the 128.138.12 subnet. An address
with all zeros (0.0.0.0) matches anything.
components are 0, they are treated as wildcards. For example,
128.138.12.0 matches all hosts on the 128.138.12 subnet. An address
with all zeros (0.0.0.0) matches anything.
•
A factorized format can also be used where a set of components are
substituted into an address. These addresses take the form of
#.#.#.{#,#,...}. For example, 192.12.9.{1,2,15} matches the hosts
192.12.9.1, 192.12.9.2, and 192.12.9.15. The factor set must be at the end
of the address, but addresses of the form #.{#,#,...}, #.#.{#,#,...}, etc., are
allowed. Any components past the factor set’s position are implicitly
assumed to be 0.
substituted into an address. These addresses take the form of
#.#.#.{#,#,...}. For example, 192.12.9.{1,2,15} matches the hosts
192.12.9.1, 192.12.9.2, and 192.12.9.15. The factor set must be at the end
of the address, but addresses of the form #.{#,#,...}, #.#.{#,#,...}, etc., are
allowed. Any components past the factor set’s position are implicitly
assumed to be 0.
v Note: When the factorized format is used, one line is substituted for many.
However, when the device reads the filters and installs them, it expands each
address into a separate rule. In the example given, three rules would be
created. This can make the number of rules to process greater, which can
affect performance.
However, when the device reads the filters and installs them, it expands each
address into a separate rule. In the example given, three rules would be
created. This can make the number of rules to process greater, which can
affect performance.
•
IP addresses may also be specified as a hexadecimal number (for
example, 0x82cc0801 matches the host address 130.204.8.1).
example, 0x82cc0801 matches the host address 130.204.8.1).
Any address may have an optional /bits field at its end. This denotes the
number of bits, starting with the most significant, that will be considered by
number of bits, starting with the most significant, that will be considered by