User Manual for Avaya 38DHB0002UKDD

The Configuration Tree Functions 
Firewall Configuration - Page 61 
Match Data: The required resultant value of the Match Mask calculation
below. Note that the system pads the field with zeroes.
Match Mask: This is a byte pattern that is logically ANDed with the data filtered 
from the packet. The result is compared against the contents of the Match Data 
field. 
Direction: This is the direction in which a session may be started if the filter finds
a match:
–  Drop  -  no session permitted
–  In  -  allow new sessions to be started from outside the local subnet only
–  Out  -  allow sessions to be started only from the local subnet
–  Bothway  -  allow sessions either way.
Note that the Monitor program can be used to identify which packets are being 
blocked by the Firewall. 
Examples 
Note:  All TCP/UDP applications are assigned an individual “port” number, used 
to identify the type of service one system is requesting from another. The 
Internet Assigned Numbers Authority publishes a list of these. 
1.  To access a web page that uses TCP Port 8000 instead of the more usual 
Port 80, use the following: 
–  IP Protocol = 6 (TCP) 
–  Match Offset = 22 
–  Match Length = 2 
–  Match Data = 1F40 (8000 in hex) 
–  Match Mask = FFFF (FFFF.AND.filtered data = 1F40) 
– Direction = Out 
–  Notes = Port 8000 Out 
2.  To allow all ports out (this also solves the problem in Example 1 but risks the 
making of unintentional data calls): 
–  IP Protocol = 6 (TCP) 
–  Match Offset = 0 
–  Match Length = 0 
–  Match Data = 0 
–  Match Mask = 0 
– Direction = Out 
–  Notes = All TCP Ports Out 
3.  To avoid Windows95 calling your ISP’s DNS to resolve local names: 
–  IP Protocol = 17 (UDP) 
–  Match Offset = 20 
–  Match Length = 4 
–  Match Data = 00890035 
–  Match Mask = FFFFFFFF 
– Direction = Drop 
–  Notes = Drop NetBIOS to DNS 
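
The matching rule described above (bytes at Match Offset, ANDed with Match Mask, compared with Match Data), run over the three example filters; this is an added example, not part of the manual. It assumes Match Offset counts from the first byte of the IP header, which agrees with the examples for a 20-byte header; the function names and packets are constructed for illustration. The last packet carries IP options to show a fixed offset missing the port field; whether the unit compensates for options is not stated on this page.

```python
import struct

# The three filters from the examples above. Field names follow the manual;
# the dict layout and the function names below are this example's own.
FILTERS = [
    dict(proto=6, offset=22, length=2, data="1F40", mask="FFFF",
         direction="Out", notes="Port 8000 Out"),
    dict(proto=6, offset=0, length=0, data="", mask="",   # manual lists 0 / 0
         direction="Out", notes="All TCP Ports Out"),
    dict(proto=17, offset=20, length=4, data="00890035", mask="FFFFFFFF",
         direction="Drop", notes="Drop NetBIOS to DNS"),
]

def build_packet(proto, sport, dport, ip_options=b""):
    """Constructed IPv4 packet: header (+ optional options) + first 8 transport bytes."""
    ihl = 5 + len(ip_options) // 4          # header length in 32-bit words
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + 8, 0, 0,
                         64, proto, 0,      # checksum left at 0: not validated here
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return header + ip_options + struct.pack("!HHI", sport, dport, 0)

def matches(f, packet):
    """Assumption: Match Offset counts from the first byte of the IP header."""
    if packet[9] != f["proto"]:             # byte 9 of the IP header = protocol
        return False
    if f["length"] == 0:                    # nothing to compare: whole protocol matches
        return True
    window = packet[f["offset"]:f["offset"] + f["length"]]
    if len(window) < f["length"]:           # packet too short to hold the field
        return False
    mask, data = bytes.fromhex(f["mask"]), bytes.fromhex(f["data"])
    return bytes(b & m for b, m in zip(window, mask)) == data

def matching_notes(packet):
    """Notes of every filter the packet matches (rule ordering is not modelled)."""
    return [f["notes"] for f in FILTERS if matches(f, packet)]

if __name__ == "__main__":
    for label, pkt in [
        ("TCP to 8000", build_packet(6, 40000, 8000)),
        ("TCP to 80", build_packet(6, 40000, 80)),
        ("UDP 137 -> 53", build_packet(17, 137, 53)),
        ("TCP to 8000, 4 bytes of IP options",
         build_packet(6, 40000, 8000, b"\x01" * 4)),
    ]:
        print(f"{label}: {matching_notes(pkt)}")
```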
INDeX IPNC Cassette Administration Manual
38DHB0002UKDD – Issue 7 (22/11/02)