User Guide for Avaya 38DHB0002UKDD
The Configuration Tree Functions
Firewall Configuration - Page 61
Match Data: The required resultant value of the Match Mask calculation
below. Note that the system pads the field with zeroes.
Match Mask: This is a byte pattern that is logically ANDed with the data filtered
from the packet. The result is compared against the contents of the Match Data
field.
Direction: This is the direction in which a session may be started if the filter finds
a match:
– Drop - no session permitted
– In - allow new sessions to be started from outside the local subnet only
– Out - allow sessions to be started only from the local subnet
– Bothway - allow sessions either way.
Note that the Monitor program can be used to identify which packets are being
blocked by the Firewall.
Examples
Note: All TCP/UDP applications are assigned an individual “port” number, used
to identify the type of service one system is requesting from another. The
Internet Assigned Numbers Authority publishes a list of these.
1. To access a web page that uses TCP Port 8000 instead of the more usual
Port 80, use the following:
– IP Protocol = 6 (TCP)
– Match Offset = 22
– Match Length = 2
– Match Data = 1F40 (8000 in hex)
– Match Mask = FFFF (FFFF.AND.filtered data = 1F40)
– Direction = Out
– Notes = Port 8000 Out
2. To allow all ports out (this also solves the problem in Example 1 but risks the
making of unintentional data calls):
– IP Protocol = 6 (TCP)
– Match Offset = 0
– Match Length = 0
– Match Data = 0
– Match Mask = 0
– Direction = Out
– Notes = All TCP Ports Out
3. To avoid Windows95 calling your ISP’s DNS to resolve local names:
– IP Protocol = 17 (UDP)
– Match Offset = 20
– Match Length = 4
– Match Data = 00890035
– Match Mask = FFFFFFFF
– Direction = Drop
– Notes = Drop NetBIOS to DNS
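The three entries above, evaluated against constructed packets. This is an added illustration, not code from the manual or from Avaya. It assumes Match Offset counts from the first byte of an IPv4 header without options (which is what offsets 20 and 22 in the examples imply), and the function names and sample addresses are hypothetical.

```python
import struct

def ipv4_packet(proto, sport, dport):
    """Constructed sample: 20-byte IPv4 header (no options) + source/destination ports."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                         bytes([192, 168, 0, 10]), bytes([203, 0, 113, 5]))
    return header + struct.pack("!HH", sport, dport)

def filter_matches(packet, ip_protocol, offset, length, match_data, match_mask):
    """Return True when (bytes at Match Offset AND Match Mask) == Match Data."""
    if len(packet) < 20 or packet[9] != ip_protocol:  # byte 9 = IP protocol number
        return False
    field = packet[offset:offset + length]
    if len(field) < length:  # packet too short to hold the field: no match
        return False
    # Length 0 yields an empty field (value 0), so Data 0 / Mask 0 matches
    # every packet of that protocol, as in Example 2.
    return (int.from_bytes(field, "big") & match_mask) == match_data

# The manual's three examples:
# (Notes, IP Protocol, Match Offset, Match Length, Match Data, Match Mask, Direction)
RULES = [
    ("Port 8000 Out",       6,  22, 2, 0x1F40,     0xFFFF,     "Out"),
    ("All TCP Ports Out",   6,  0,  0, 0,          0,          "Out"),
    ("Drop NetBIOS to DNS", 17, 20, 4, 0x00890035, 0xFFFFFFFF, "Drop"),
]

def matching_rules(packet, rules=RULES):
    """List (Notes, Direction) for every entry whose pattern matches the packet."""
    return [(r[0], r[6]) for r in rules if filter_matches(packet, *r[1:6])]

if __name__ == "__main__":
    samples = [  # constructed packets, not captured traffic
        ("TCP 1025 -> 8000", ipv4_packet(6, 1025, 8000)),
        ("TCP 1025 -> 23",   ipv4_packet(6, 1025, 23)),
        ("UDP 137 -> 53",    ipv4_packet(17, 137, 53)),
        ("UDP 1025 -> 53",   ipv4_packet(17, 1025, 53)),
    ]
    for label, pkt in samples:
        print(f"{label:18} {matching_rules(pkt)}")
```

The TCP packet to port 23 matches only the Example 2 entry, which shows how much wider that entry is than the Port 8000 entry; how the unit resolves a packet that matches several entries is not stated on this page, so the sketch simply lists every match.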
INDeX IPNC Cassette Administration Manual
38DHB0002UKDD – Issue 7 (22/11/02)