Page 156 / 351
Filter priority
Continuing the customs inspectors analogy, imagine the inspectors lined up to examine a package. If the package matches the first inspector’s criteria, the package is either rejected or passed on to its destination, depending on the first inspector’s particular orders. In this case, the package is never seen by the remaining inspectors.

If the package does not match the first inspector’s criteria, it goes to the second inspector, and so on. You can see that the order of the inspectors in the line is very important. For example, let’s say the first inspector’s orders are to send along all packages that come from Rome, and the second inspector’s orders are to reject all packages that come from France. If a package arrives from Rome, the first inspector sends it along without allowing the second inspector to see it. A package from Paris is ignored by the first inspector, rejected by the second inspector, and never seen by the others. A package from London is ignored by the first two inspectors, so it’s seen by the third inspector.

In the same way, filter sets apply their filters in a particular order. The first filter applied can forward or discard a packet before that packet ever reaches any of the other filters. If the first filter can neither forward nor discard the packet (because it cannot match any criteria), the second filter has a chance to forward or reject it, and so on. Because of this hierarchical structure, each filter is said to have a priority. The first filter has the highest priority, and the last filter has the lowest priority.
How individual filters work
As described above, a filter applies criteria to an IP packet and then takes one of three actions:

- Forwards the packet to the local or remote network
- Blocks (discards) the packet
- Ignores the packet

A filter forwards or blocks a packet only if it finds a match after applying its criteria. When no match occurs, the filter ignores the packet.
[Figure: flowchart of one filter. A packet arrives at the first filter. Match? Yes: forward or discard? Forward: send to network. Discard: delete the packet. No: pass the packet on to the next filter.]
Firewall Tutorial
A filtering rule
The criteria are based on information contained in the packets. A filter is simply a rule that prescribes certain actions based on certain conditions. For example, the following rule qualifies as a filter:

“Block all Telnet attempts that originate from the remote host 199.211.211.17.”

This rule applies to Telnet packets that come from a host with the IP address 199.211.211.17. If a match occurs, the packet is blocked.

Here is what this rule looks like when implemented as a filter in Netopia Firmware Version 7.6:

To understand this particular filter, look at the parts of a filter.
Parts of a filter
A filter consists of criteria based on packet attributes. A typical filter can match a packet on any one of the following attributes:

- The source IP address and subnet mask (where the packet was sent from)
- The destination IP address and subnet mask (where the packet is going)
- The TOS bit setting of the packet. Certain types of IP packets, such as voice or multimedia packets, are sensitive to delays introduced by the network. A delay-sensitive packet is identified by a special low-latency setting called the TOS bit. It is important for such packets to be received rapidly or the quality of service degrades.
- The type of higher-layer Internet protocol the packet is carrying, such as TCP or UDP
Port numbers
A filter can also match a packet’s port number attributes, but only if the filter’s protocol type is set to TCP or UDP, since only those protocols use port numbers. The filter can be configured to match the following:

- The source port number (the port on the sending host that originated the packet)
- The destination port number (the port on the receiving host that the packet is destined for)

By matching on a port number, a filter can be applied to selected TCP or UDP services, such as Telnet, FTP, and World Wide Web. The following tables show a few common services and their associated port numbers:
Internet service    TCP port
FTP                 20/21
Telnet              23
SMTP (mail)         25
Gopher              70
Finger              79
World Wide Web      80
News                144
rlogin              513

Internet service    UDP port
Who Is              43
TFTP                69
World Wide Web      80
who                 513
SNMP                161

Port number comparisons
A filter can also use a comparison option to evaluate a packet’s source or destination port number. The comparison options are:

No Compare: No comparison of the port number specified in the filter with the packet’s port number.
Not Equal To: For the filter to match, the packet’s port number cannot equal the port number specified in the filter.
Less Than: For the filter to match, the packet’s port number must be less than the port number specified in the filter.
Less Than or Equal: For the filter to match, the packet’s port number must be less than or equal to the port number specified in the filter.
Equal: For the filter to match, the packet’s port number must equal the port number specified in the filter.
Greater Than: For the filter to match, the packet’s port number must be greater than the port number specified in the filter.
Greater Than or Equal: For the filter to match, the packet’s port number must be greater than or equal to the port number specified in the filter.
Other filter attributes
There are three other attributes to each filter:

- The filter’s order (i.e., priority) in the filter set
- Whether the filter is currently active
- Whether the filter is set to forward packets or to block (discard) packets
Putting the parts together
When you display a filter set, its filters are displayed as rows in a table:
The table’s columns correspond to each filter’s attributes:

#: The filter’s priority in the set. Filter number 1, with the highest priority, is first in the table.
Fwd: Shows whether the filter forwards (Yes) a packet or discards (No) it when there’s a match.
Src-IP: The packet source IP address to match.
Src-Mask: The packet source subnet mask to match.
Dst-IP: The packet destination IP address to match.
Dst-Mask: The packet destination subnet mask to match.
Protocol: The protocol to match. This can be entered as a number (see the table below) or as TCP or UDP if those protocols are used.
Src Port: The source port to match. This is the port on the sending host that originated the packet.
Dst Port: The destination port to match. This is the port on the receiving host for which the packet is intended.
NC: Indicates No Compare, where specified.
Filtering example #1
Returning to our filtering rule example from above (see page 157), look at how a rule is translated into a filter. Start with the rule, then fill in the filter’s attributes:

The rule you want to implement as a filter is:

“Block all Telnet attempts that originate from the remote host 199.211.211.17.”

The host 199.211.211.17 is the source of the Telnet packets you want to block, while the destination address is any IP address. How these IP addresses are masked determines what the final match will be, although the mask is not displayed in the table that displays the filter sets (you set it when you create the filter). In fact, since the mask for the destination IP address is 0.0.0.0, the address for Destination IP address could have been anything. The mask for Source IP address must be 255.255.255.255 since an exact match is desired.
Protocol    Number to use    Full name
N/A         0                Ignores protocol type
ICMP        1                Internet Control Message Protocol
TCP         6                Transmission Control Protocol
UDP         17               User Datagram Protocol
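The following Python model ties together the filter priority discussion, the three filter outcomes (forward, discard, ignore), the port comparison options and Filtering example #1. It is an added example written for this page, not Netopia firmware code: the class and option names are this example's own, and the only address taken from the tutorial is 199.211.211.17 (the other addresses are constructed documentation ranges). Masks behave as the example text describes (0.0.0.0 matches anything, 255.255.255.255 requires an exact match), port criteria are consulted only for TCP or UDP filters, and the first active matching filter decides so that later filters never see the packet. When no filter matches, apply() returns None, because this section of the tutorial does not say what happens to an ignored packet.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# Protocol numbers from the tutorial's table; 0 means "ignore protocol type".
ICMP, TCP, UDP = 1, 6, 17

# The tutorial's port comparison options; these short names are this example's own.
NC, NE, LT, LE, EQ, GT, GE = "NC", "!=", "<", "<=", "==", ">", ">="
_COMPARE = {
    NE: lambda port, ref: port != ref,
    LT: lambda port, ref: port < ref,
    LE: lambda port, ref: port <= ref,
    EQ: lambda port, ref: port == ref,
    GT: lambda port, ref: port > ref,
    GE: lambda port, ref: port >= ref,
}

def _masked_equal(addr: str, ref: str, mask: str) -> bool:
    """True when addr and ref agree on every bit set in mask (mask 0.0.0.0 matches anything)."""
    m = int(IPv4Address(mask))
    return (int(IPv4Address(addr)) & m) == (int(IPv4Address(ref)) & m)

def _port_ok(option: str, port: Optional[int], ref: int) -> bool:
    # No Compare never looks at the port; every other option needs a real port number.
    if option == NC:
        return True
    return port is not None and _COMPARE[option](port, ref)

@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    src_port: Optional[int] = None   # only TCP and UDP packets carry port numbers
    dst_port: Optional[int] = None

@dataclass
class Filter:
    """One row of a filter set, with the columns listed under 'Putting the parts together'."""
    forward: bool                  # Fwd column: True = forward, False = block (discard)
    src_ip: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"      # 0.0.0.0 = any source address
    dst_ip: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"      # 0.0.0.0 = any destination address
    protocol: int = 0              # 0 = ignore protocol type
    src_port: int = 0
    src_cmp: str = NC
    dst_port: int = 0
    dst_cmp: str = NC
    active: bool = True

    def matches(self, pkt: Packet) -> bool:
        if not _masked_equal(pkt.src, self.src_ip, self.src_mask):
            return False
        if not _masked_equal(pkt.dst, self.dst_ip, self.dst_mask):
            return False
        if self.protocol != 0 and pkt.protocol != self.protocol:
            return False
        # Port criteria are consulted only when the filter's protocol is TCP or UDP.
        if self.protocol in (TCP, UDP):
            return (_port_ok(self.src_cmp, pkt.src_port, self.src_port)
                    and _port_ok(self.dst_cmp, pkt.dst_port, self.dst_port))
        return True

class FilterSet:
    """Filters in priority order: index 0 is filter #1, the highest priority."""

    def __init__(self, filters):
        self.filters = list(filters)

    def apply(self, pkt: Packet) -> Optional[tuple]:
        """Return (action, filter number) from the first active filter that matches.

        Once a filter forwards or discards a packet, the filters after it never see it.
        None means every filter ignored the packet; this section of the tutorial does
        not say what happens then, so that decision is left to the caller.
        """
        for number, flt in enumerate(self.filters, start=1):
            if flt.active and flt.matches(pkt):
                return ("forward" if flt.forward else "discard", number)
        return None

def build_demo_filters():
    """Constructed sample filters: only 199.211.211.17 comes from the tutorial;
    192.0.2.0/24 is a documentation range standing in for the 'Rome' office."""
    forward_rome = Filter(forward=True, src_ip="192.0.2.0", src_mask="255.255.255.0")
    # Filtering example #1: block Telnet (TCP port 23) from the remote host 199.211.211.17.
    block_telnet_host = Filter(forward=False, src_ip="199.211.211.17",
                               src_mask="255.255.255.255", protocol=TCP, dst_port=23, dst_cmp=EQ)
    block_all_telnet = Filter(forward=False, protocol=TCP, dst_port=23, dst_cmp=EQ)
    return forward_rome, block_telnet_host, block_all_telnet

if __name__ == "__main__":
    f1, f2, f3 = build_demo_filters()
    telnet_from_rome = Packet("192.0.2.7", "10.0.0.5", TCP, 40000, 23)
    print(FilterSet([f1, f2, f3]).apply(telnet_from_rome))   # ('forward', 1): #2 and #3 never see it
    print(FilterSet([f3, f1, f2]).apply(telnet_from_rome))   # ('discard', 1): same filters, new priority
```

The two calls at the bottom are the inspector analogy in code: the same three filters produce opposite outcomes for a Telnet packet from the "Rome" subnet depending only on which filter holds priority 1. When auditing a real filter set, the check that matters is therefore not whether a blocking filter exists but whether a broader forwarding filter sits above it.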
