Nortel 4134 Guia Do Utilizador
38
Packet filter fundamentals
All packet filters, IPv4, IPv6. and MAC, can be applied to these interfaces
whether or not they are registered with the firewall.
whether or not they are registered with the firewall.
While packet filters for WAN modules and chassis Ethernet port are
enforced by software, all packet filters applied to the Ethernet module
interfaces are enforced by the module hardware.
enforced by software, all packet filters applied to the Ethernet module
interfaces are enforced by the module hardware.
ATTENTION
Ethernet modules do not support statistics for the packet filters, nor do the
Ethernet modules support packet filter counters.
Ethernet modules support packet filter counters.
Maximum allowable filter rules on Ethernet modules
On each Ethernet module, the TCAM limits the number of allowable packet
filter rules. The TCAM provides 896 entries that are shared between
Ethernet module QoS and the packet filters (regardless of the number of
ports on the module). This limits the number of filter rules that can be
applied on the Ethernet modules.
filter rules. The TCAM provides 896 entries that are shared between
Ethernet module QoS and the packet filters (regardless of the number of
ports on the module). This limits the number of filter rules that can be
applied on the Ethernet modules.
In addition, a packet filter rule can consume more than one entry in the
TCAM depending on the packet match qualifiers.
TCAM depending on the packet match qualifiers.
Available packet filters
The following sections provide more detail on the available packet filters.
IPv4 packet filters
The IPv4 packet filter performs filtering of IPv4 traffic, including TCP, User
Datagram Protocol (UDP), Internet Group Management Protocol (IGMP),
and Internet Control Message Protocol (ICMP). The available IPv4 filtering
parameters are as follows:
Datagram Protocol (UDP), Internet Group Management Protocol (IGMP),
and Internet Control Message Protocol (ICMP). The available IPv4 filtering
parameters are as follows:
•
Source and destination IP address
•
Protocol, including TCP, UDP, ICMP, or IGMP.
•
Source and destination port numbers: filters can use port numbers to
restrict the network traffic to a limited set of services, each of which is
associated with a well-known port.
restrict the network traffic to a limited set of services, each of which is
associated with a well-known port.
•
TCP flags: filters can check the TCP ACK and SYN bits, indicating
whether a new connection is being set up or not. This is particularly
useful to allow TCP sessions being initiated only from one side.
whether a new connection is being set up or not. This is particularly
useful to allow TCP sessions being initiated only from one side.
•
ICMP message types: filters can restrict ICMP traffic to a limited set of
message types. For example, the Echo Request packets can be refused
message types. For example, the Echo Request packets can be refused
•
IGMP message types: filters can restrict IGMP traffic to a limited set of
message types. For example, the Group Membership Query packets
can be refused.
message types. For example, the Group Membership Query packets
can be refused.
Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600
01.02
Standard
10.0
3 August 2007
Copyright © 2007, Nortel Networks
.