Nortel 4134 Guia Do Utilizador
37
Packet filter fundamentals
The central idea of a packet filter is that a set of rules are defined to monitor
inbound connections at the network layer level. As long as the packet
conforms to the defined rules, the packet is allowed to pass. If the packet
does not conform to the defined rules, it is dropped.
inbound connections at the network layer level. As long as the packet
conforms to the defined rules, the packet is allowed to pass. If the packet
does not conform to the defined rules, it is dropped.
With the SR4134, the packet filter feature provides stateless, interface-based
packet filtering as an alternative to the stateful firewall. It also provides IPv6
packet filter functionality to complement the IPv4-only stateful firewall.
packet filtering as an alternative to the stateful firewall. It also provides IPv6
packet filter functionality to complement the IPv4-only stateful firewall.
The SR4134 packet filter examines each packet on the interface to
determine whether to permit or drop the packet, based on the criteria
specified within user-configured access lists. This control can restrict
network traffic and restrict network use for certain users or devices.
determine whether to permit or drop the packet, based on the criteria
specified within user-configured access lists. This control can restrict
network traffic and restrict network use for certain users or devices.
The SR4134 supports three packet filter types; IPv4, IPv6, and MAC. WAN
and chassis Ethernet interfaces only support IPv4 and IPv6 packet filters.
The Module Ethernet interface support IPv4, IPv6, and MAC packet filters
in a slight different implementation.
and chassis Ethernet interfaces only support IPv4 and IPv6 packet filters.
The Module Ethernet interface support IPv4, IPv6, and MAC packet filters
in a slight different implementation.
Packet filters on WAN modules and chassis Ethernet ports
On the WAN interfaces and chassis Ethernet ports, one IPv4 and one IPv6
packet filter can be applied to both the inbound direction and the outbound
direction.
packet filter can be applied to both the inbound direction and the outbound
direction.
With these interfaces, the IPv4 packet filter is mutually exclusive with the
firewall. Only one or the other can be enabled on the interface.
firewall. Only one or the other can be enabled on the interface.
However, the IPv6 packet filter can be applied to interfaces registered with
the firewall, as the firewall does not monitor IPv6 traffic.
the firewall, as the firewall does not monitor IPv6 traffic.
Packet filters on Ethernet modules
On the Ethernet module interfaces, one IPv4, one IPv6 and one MAC
packet filter can be applied. With Ethernet module interfaces, packet filters
can only be applied to the inbound direction. There is no packet filtering in
the outbound direction.
packet filter can be applied. With Ethernet module interfaces, packet filters
can only be applied to the inbound direction. There is no packet filtering in
the outbound direction.
Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600
01.02
Standard
10.0
3 August 2007
Copyright © 2007, Nortel Networks
.