Zhone 2000 用户手册
2000-A2-GB20-10
- 154 -
February 2004
Creating a
Firewall via
IP Filtering
Firewall via
IP Filtering
Firewall configuration (also known as IP filtering) allows you to specify a
combination of parameters the IAD uses to selectively eliminate IP traffic.
combination of parameters the IAD uses to selectively eliminate IP traffic.
Filtering executes on the WAN port that you select. There are two different
sets of filters and each filter maintains its own statistics:
sets of filters and each filter maintains its own statistics:
Input— Input packets are filtered after network address translation.
Output—Output packets are filtered before network address
translation.
translation.
The maximum number of filters is 128. Packets pass through the
appropriate set of filters in the order in which the filters display in the list
shown on the user interface (Configure IP Router > Configure IP Filtering
> Display all filters of the chosen type). Each packet moves down the list of
filters until it reaches the end or the attributes of an active filter match the
packet.
appropriate set of filters in the order in which the filters display in the list
shown on the user interface (Configure IP Router > Configure IP Filtering
> Display all filters of the chosen type). Each packet moves down the list of
filters until it reaches the end or the attributes of an active filter match the
packet.
When a match occurs, the packet is then processed according to the
action field (Pass or Discard) of the first filter that matched the packet:
action field (Pass or Discard) of the first filter that matched the packet:
Pass—packet passed to the next level.
Discard—packet discarded. When output packets are dropped,
RTCS_OK is returned from IP_route.
RTCS_OK is returned from IP_route.
When you create a new filter, all fields are set to an inactive state. An
inactive filter passes all IP packets—you must modify at least one field to
narrow the range of packets to pass or change the action to discard all
packets.
inactive filter passes all IP packets—you must modify at least one field to
narrow the range of packets to pass or change the action to discard all
packets.
To create a set of filters to pass only certain types of packets, you need to
create a default filter that discards all packets and then insert narrower
filters before the default filter. For example, you need to add a filter to
cover each range of packets.
create a default filter that discards all packets and then insert narrower
filters before the default filter. For example, you need to add a filter to
cover each range of packets.
To select only the packet ranges to discard no default filter needed,
because the default action is to pass all packets. You only add filters that
set the range to discard and set the actions of those filters to discard.
because the default action is to pass all packets. You only add filters that
set the range to discard and set the actions of those filters to discard.
The order of the filters matters if you are mixing filters with different actions
or if you want the overlapping filters to display accurate statistics.
or if you want the overlapping filters to display accurate statistics.
)LUHZDOO&RQILJXUDWLRQ
NOTE
For complete information on IP filtering, see Configuring IP
Filtering, on page
Filtering, on page