Справочник Пользователя для Compatible Systems 5.4
188
Chapter 11 - TCP/IP Filtering
IP Route Filter Rule Notification
Filter rule matches can optionally cause a log message to be sent. By default,
no logging of matches is performed. See the section on the Logging Config-
uration Dialog Box of this manual for more information.
no logging of matches is performed. See the section on the Logging Config-
uration Dialog Box of this manual for more information.
•
log The log option causes the device to log data about the packet to
syslog when the condition of the rule is met.
syslog when the condition of the rule is met.
IP Route Filter Rule Examples
The following example specifies a rule to allow routes to be input only from
RIP and only from 198.41.11.1.
RIP and only from 198.41.11.1.
permit 0.0.0.0 in via rip from 198.41.11.1
The rule below specifies that routing information should only be sent which
originates from RIP, directly connected routes, and static routes.
originates from RIP, directly connected routes, and static routes.
permit 0.0.0.0 out origin rip direct static
TCP/IP Packet Filter Rules
v Note: Due to the nature of the IP protocol, IP packet filtering can be quite
complicated. If you are attempting to design and implement a comprehensive
set of filters, or an Internet Firewall, there are a number of references you
should consult. Two good starting points are: Building Internet Firewalls, by
D. Brent Chapman and Elizabeth D. Zwicky, O’Reilly & Associates, 1995,
and Firewalls and Internet Security, by William R. Cheswick and Steven M.
Bellovin, Addison-Wesley Publishing Company, 1994.
complicated. If you are attempting to design and implement a comprehensive
set of filters, or an Internet Firewall, there are a number of references you
should consult. Two good starting points are: Building Internet Firewalls, by
D. Brent Chapman and Elizabeth D. Zwicky, O’Reilly & Associates, 1995,
and Firewalls and Internet Security, by William R. Cheswick and Steven M.
Bellovin, Addison-Wesley Publishing Company, 1994.
To access a filter editor window for TCP/IP packet filters, open the Main
TCP/IP Filtering Dialog Box (under Global/Filtering/TCP/IP Filtering) and
then select the Packet Filters button.
TCP/IP Filtering Dialog Box (under Global/Filtering/TCP/IP Filtering) and
then select the Packet Filters button.
Packet filtering rules are selected for individual device interfaces. Whether
they are used as input filters, output filters, or both, depends on which pull-
down is used to select them in the TCP/IP Filtering Dialog Box for a partic-
ular interface.
they are used as input filters, output filters, or both, depends on which pull-
down is used to select them in the TCP/IP Filtering Dialog Box for a partic-
ular interface.
A device does not reorder rule sets as they have been specified before they are
applied. They are applied in the order they were written. When multiple filter
sets are selected with CompatiView, the filter sets will be concatenated in the
device from first to last (top to bottom on screen).
applied. They are applied in the order they were written. When multiple filter
sets are selected with CompatiView, the filter sets will be concatenated in the
device from first to last (top to bottom on screen).
Any IP packet not explicitly allowed by the rules will be filtered. To allow all
other packets not filtered, the last rule must be:
other packets not filtered, the last rule must be:
permit 0.0.0.0 0.0.0.0 ip