Nortel 4134 Guia Do Utilizador
Available packet filters
39
•
User data: filters can restrict traffic based on user data found in the
(protocol-specific) data part of the IP packet.
(protocol-specific) data part of the IP packet.
•
Network Devices: filters can act differently for different network devices
through which a packet is received or is going to be sent, such as
external or internal interfaces.
through which a packet is received or is going to be sent, such as
external or internal interfaces.
•
Date and time: filters can limit some types of network traffic to office
hours, for example.
hours, for example.
•
Fragments - filters can restrict non-initial fragmented packets where
the fragment extension header contains a non-zero fragment offset.
The fragments keyword is an option only if the operator [port-number]
arguments are not specified.
the fragment extension header contains a non-zero fragment offset.
The fragments keyword is an option only if the operator [port-number]
arguments are not specified.
IPv6 packet filters
The IPv6 packet filter performs filtering of IPv6 traffic, based on the rules
configured. The available IPv6 packet filtering parameters are as follows:
configured. The available IPv6 packet filtering parameters are as follows:
•
Protocol: filters can be configured based on one of the keywords tcp,
udp, icmp, ipv6, or on an integer in the range from 0 to 255 representing
an IPv6 protocol number.
udp, icmp, ipv6, or on an integer in the range from 0 to 255 representing
an IPv6 protocol number.
•
Source IPv6 prefix/prefix-length: filters can restrict traffic from a source
IPv6 network or class of networks. The IPv6 address must be in the form
documented in RFC 2373 where the address is specified in hexadecimal
using 16-bit values between colons
IPv6 network or class of networks. The IPv6 address must be in the form
documented in RFC 2373 where the address is specified in hexadecimal
using 16-bit values between colons
•
Destination IPv6 prefix/prefix-length: filters can restrict traffic with a
specified destination IPv6 network or class of networks. The IPv6
address must be in the form documented in RFC 2373 where the
address is specified in hexadecimal using 16-bit values between colons.
specified destination IPv6 network or class of networks. The IPv6
address must be in the form documented in RFC 2373 where the
address is specified in hexadecimal using 16-bit values between colons.
•
Source port or destination port: filters can use source or destination port
numbers to restrict traffic. The port number value must be a decimal
value between 0 and 65535.
numbers to restrict traffic. The port number value must be a decimal
value between 0 and 65535.
•
ICMP type: filters can use the ICMP message type to filter the ICMP
packets. The type is a number from 0 and 255.
packets. The type is a number from 0 and 255.
•
ICMP code: filters can use the ICMP message code to filter the ICMP
packets if specified along with ICMP message type. The code is a
number from 0 and 255.
packets if specified along with ICMP message type. The code is a
number from 0 and 255.
•
TCP flags: filters can use the TCP flags for packet filtering. Available
options are:
options are:
1. Keyword established can be used to match already established
connections. The non-matching case is that of the initial TCP datagram
to form a connection.
connections. The non-matching case is that of the initial TCP datagram
to form a connection.
2. Keywords fin, syn, ack, psh, rst and urg can be used to match the
corresponding TCP header flags. You can specify multiple TCP flag
corresponding TCP header flags. You can specify multiple TCP flag
Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600
01.02
Standard
10.0
3 August 2007
Copyright © 2007, Nortel Networks
.