Lucent Technologies 6000 User Manual

MAX 6000/3000 Network Configuration Guide
Defining Static Filters
Defining IP filters
Configure the output filter, setting Type to IP filter and setting Forward to Yes. This filter 
specifies the source mask and address for the local network. (Packets originating on the local 
network should be forwarded across the WAN.)
Output filters...
Out filter=01
Type=IP
Valid=Yes
IP....
Forward=Yes
Src Mask=255.255.255.192
Src Adrs=10.100.50.128
Following is a comparable RADIUS filter definition:
test-user Password="test-pw"
    Ascend-Data-Filter="ip in drop srcip 10.100.50.128/26"
    Ascend-Data-Filter="ip in drop srcip 127.0.0.0/8"
    Ascend-Data-Filter="ip in forward"
    Ascend-Data-Filter="ip out forward srcip 10.100.50.128/26"
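The following sketch is an added example, not part of the manual or of any Lucent software. It evaluates the four rule strings from the RADIUS definition above against constructed sample packets. It assumes that rules are checked in order with the first match deciding, and that a packet matching no rule is dropped. The parser handles only the srcip and dstip keywords, and the names parse_rule and decide are hypothetical.

```python
import ipaddress

# Rule strings copied from the RADIUS definition above.
RULES = [
    "ip in drop srcip 10.100.50.128/26",   # same range as Src Mask 255.255.255.192
    "ip in drop srcip 127.0.0.0/8",
    "ip in forward",
    "ip out forward srcip 10.100.50.128/26",
]

def parse_rule(text):
    """Parse 'ip <in|out> <forward|drop> [srcip net] [dstip net]' (subset only)."""
    tok = text.split()
    if (len(tok) < 3 or len(tok) % 2 == 0 or tok[0] != "ip"
            or tok[1] not in ("in", "out") or tok[2] not in ("forward", "drop")):
        raise ValueError(f"unsupported rule: {text!r}")
    rule = {"dir": tok[1], "action": tok[2], "srcip": None, "dstip": None}
    for key, value in zip(tok[3::2], tok[4::2]):
        if key not in ("srcip", "dstip"):
            raise ValueError(f"unsupported keyword: {key!r}")
        rule[key] = ipaddress.ip_network(value)  # rejects a prefix with host bits set
    return rule

def decide(rules, direction, src, dst):
    """Return 'forward' or 'drop' from the first rule that matches the packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in map(parse_rule, rules):
        if rule["dir"] != direction:
            continue
        if rule["srcip"] is not None and src not in rule["srcip"]:
            continue
        if rule["dstip"] is not None and dst not in rule["dstip"]:
            continue
        return rule["action"]
    return "drop"  # assumption: a packet that matches no rule is dropped

if __name__ == "__main__":
    # Constructed sample packets: (direction, source, destination).
    samples = [
        ("in", "10.100.50.130", "10.100.50.140"),   # local source arriving from the WAN
        ("in", "127.0.0.1", "10.100.50.140"),
        ("in", "192.0.2.10", "10.100.50.140"),
        ("out", "10.100.50.150", "192.0.2.10"),
        ("out", "192.0.2.10", "198.51.100.7"),      # non-local source leaving the LAN
    ]
    for pkt in samples:
        print(pkt, "->", decide(RULES, *pkt))
```

Under the first-match assumption, moving "ip in forward" ahead of the two drop rules would forward the packets with local and loopback source addresses, so the catch-all rule has to stay last among the input rules.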
Examples of an IP filter for more complex security issues
This section illustrates some of the issues you might need to consider when writing your own 
IP filters. However, the sample filter presented here does not address the fine points of network 
security. You might want to use this filter as a starting point and augment it to address your 
security requirements. 
In this example, the local network supports a Web server, and the administrator needs to carry 
out the following tasks:
- Provide dial-in access to the server’s IP address
- Restrict dial-in traffic to all other hosts on the local network
However, many local IP hosts need to dial out to the Internet and use IP-based applications 
such as Telnet or FTP, so their response packets need to be directed appropriately to the 
originating host. In this example, the Web server’s IP address is 10.9.250.5. The filter will be 
applied in Connection profiles as a data filter. 
Configure the first input filter, setting Type to IP Filter and setting Forward to Yes. Configure 
the first filter to allow packets to reach the Web server’s destination address at a destination 
TCP port that can be used for Telnet or FTP:
Input filters...
In filter=01
Type=IP
Valid=Yes
IP....
Forward=Yes
Protocol=6
Dst Mask=255.255.255.255
Dst Adrs=10.9.250.5
Dst Port Comp=Eql
Dst Port #=80