Lucent Technologies PortMaster Manual Do Utilizador
Configuring Filters
9-13
Example Filters
Rule to Allow Authentication Queries
To allow authentication queries used by some mailers and FTP servers, add the following
rule to your input filter:
rule to your input filter:
Command> set filter filtername RuleNumber permit tcp dst eq 113
For more information about these types of queries, refer to RFC 1413.
Rule to Allow Networks Full Access
To allow some other network to have complete access to your network, add the
following rule. In the example below, 172.16.12.0 is granted full access to
192.168.1.0/24:
following rule. In the example below, 172.16.12.0 is granted full access to
192.168.1.0/24:
Command> set filter filtername RuleNumber permit 172.16.12.0/24 192.168.1.0/24
Caution – Beware of associative trust. If you allow a network complete access to your
network, you might unknowingly allow other networks complete access, as well. Any
network that can access a network having complete access privileges to your network,
also has access to your network. For example, if Network 1 trusts Network 2 and
Network 2 trusts Network 3, then Network 1 trusts Network 3.
network, you might unknowingly allow other networks complete access, as well. Any
network that can access a network having complete access privileges to your network,
also has access to your network. For example, if Network 1 trusts Network 2 and
Network 2 trusts Network 3, then Network 1 trusts Network 3.
Restrictive Internet Filter
This example filter allows any kind of outgoing connection from the server, but blocks
all incoming traffic to any host but your designated Internet server. This filter also limits
incoming traffic on your Internet server to: SMTP, Network News Transfer Protocol
(NNTP), DNS, FTP, and ICMP services.
all incoming traffic to any host but your designated Internet server. This filter also limits
incoming traffic on your Internet server to: SMTP, Network News Transfer Protocol
(NNTP), DNS, FTP, and ICMP services.
Note – Even if you have the latest versions of the daemons ftpd, httpd, and sendmail
you may be vulnerable to attacks through these services. Check the latest CERT
Coordination Center advisories, available on ftp.cert.org, for the vulnerabilities of these
services.
you may be vulnerable to attacks through these services. Check the latest CERT
Coordination Center advisories, available on ftp.cert.org, for the vulnerabilities of these
services.
!
✍