Compatible Systems 5.4 Manuale Utente
194
Chapter 11 - TCP/IP Filtering
v Note: If VPN tunneling with authentication is enabled on an interface to
which an IP filter is applied, then the filter must specifically permit AH
packets.
which an IP filter is applied, then the filter must specifically permit AH
packets.
•
ESP
This modifier allows filtering on ESP (Encapsulating Security Payload)
packets. ESP is used for encryption of tunneled packets across the
Internet.
This modifier allows filtering on ESP (Encapsulating Security Payload)
packets. ESP is used for encryption of tunneled packets across the
Internet.
v Note: If VPN tunneling with encryption only (i.e. no authentication) is
enabled on an interface to which an IP filter is applied, then the filter must
specifically permit ESP packets.
enabled on an interface to which an IP filter is applied, then the filter must
specifically permit ESP packets.
•
OSPF
This modifier allows filtering on OSPF (Open Shortest Path First)
packets. OSPF IP packets carry OSPF routing data.
This modifier allows filtering on OSPF (Open Shortest Path First)
packets. OSPF IP packets carry OSPF routing data.
•
proto <operator> <protocol number>
This modifier allows general filtering of IP protocol numbers that don’t
have established keywords as specified above. The rule also allows an
expression to be specified which allows filtering on ranges of protocol
numbers (i.e. proto > 51).
This modifier allows general filtering of IP protocol numbers that don’t
have established keywords as specified above. The rule also allows an
expression to be specified which allows filtering on ranges of protocol
numbers (i.e. proto > 51).
IP Packet Filter Rule Notification
There are two notification actions which the device can take when a packet
matches a particular rule. By default, no logging or notification of matches is
performed.
matches a particular rule. By default, no logging or notification of matches is
performed.
•
log The log option causes the device to log data about the packet to
syslog when the condition of the rule is met. See the section on the
Logging Configuration Dialog Box of this manual for more information.
syslog when the condition of the rule is met. See the section on the
Logging Configuration Dialog Box of this manual for more information.
•
icmp The icmp option is valid only on a deny rule and directs the device
to return an ICMP notification to the source of the matching packet.
to return an ICMP notification to the source of the matching packet.
Simple IP Packet Filter Rule Examples
This rule allows TCP packets with a source port greater than or equal to 1024
and a destination port of 25 (SMTP mail):
and a destination port of 25 (SMTP mail):
permit 0.0.0.0 0.0.0.0 TCP src >= 1024 dst = 25
A rule to allow UDP packets with a source port greater than 910 and a desti-
nation port of 53 (Domain Name Service) would look like:
nation port of 53 (Domain Name Service) would look like:
permit 0.0.0.0 0.0.0.0 UDP src > 910 dst = 53
A rule to deny ICMP echo request (pings) would look like:
deny 0.0.0.0 0.0.0.0 ICMP type = 8