Filter Options - Lucent Technologies PortMaster 4 Configuration Manual

Overview of PortMaster Filtering
You use Ethernet filters to constrain the types of packets that can enter the local Ethernet port, and you can set filters on asynchronous ports configured for hardwired operation when security with another network is an issue.

The packet filtering process analyzes the header information in each packet sent or received through a network interface. The header information is evaluated against a set of rules that either allow the packet to pass through the interface or cause the packet to be discarded.

A maximum of 256 filter rules per filter is allowed for the PortMaster 4. The PortMaster generates an error message when the number of filter rules exceeds the limit.

If a packet is discarded by a filter, an appropriate "ICMP unreachable" message is returned to the source address. This message provides immediate feedback to the user attempting the unauthorized access. Packets permitted or denied can optionally be logged to a host.

Filters can also be used for packet selection—for example, you can use a packet trace filter to do troubleshooting. The packets permitted by the ptrace filter are displayed, while packets not permitted by the filter are not displayed. For more information about the ptrace facility, see the PortMaster Troubleshooting Guide.

Filter Options

Table 8-1 shows the different filter options.

Table 8-1 Filter Options

Option: Restricting packet traffic
Description: Each user, location entry, and network hardwired port can be assigned both an input packet filter and an output packet filter. Having both input and output filters can decrease the number of rules needed and can provide better tuning of your security policy.

Option: Restricting access based on source and destination address
Description: You can create filters that evaluate both the source and destination addresses of a packet against a rule list. The number of significant bits used in IP address comparisons can be set, allowing filtering by host, subnet, network number, or group of hosts whose addresses are within a given bit-aligned boundary.

Option: Restricting access to particular protocols
Description: Packets of certain protocols can be permitted or denied by a filter, including IPX, SAP, TCP, UDP, and ICMP packets.

Option: Restricting access to network services
Description: You can create filters that use the source and destination port numbers to control access to certain network services. The evaluation can be based upon whether the port number is less than, equal to, or greater than a specified value.
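The matching model that Table 8-1 describes (address comparison on a chosen number of significant bits, protocol selection, and less-than/equal/greater-than port tests) as an added illustrative example; this is not PortMaster code and does not reproduce its command syntax. It assumes, beyond what this page states, that rules are tried in order with the first match deciding, and that a packet matching no rule is discarded; the sample rules and packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX_RULES = 256  # per-filter limit the guide states for the PortMaster 4

@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    src: Optional[str] = None      # address plus significant bits, e.g. "192.168.1.0/24"
    dst: Optional[str] = None      # None means "any"
    proto: Optional[str] = None    # "tcp", "udp", "icmp", ...; None means any
    port_op: Optional[str] = None  # destination-port test: "lt", "eq" or "gt"
    port: Optional[int] = None

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: Optional[int] = None  # None for protocols without ports (ICMP)

def _addr_match(spec: Optional[str], addr: str) -> bool:
    # Only the prefix length (the "significant bits") takes part in the comparison,
    # so one spec covers a host (/32), a subnet, a network or a bit-aligned group.
    return spec is None or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _port_match(op: Optional[str], value: Optional[int], port: Optional[int]) -> bool:
    if op is None:
        return True
    if port is None:  # a port test can never match a port-less protocol
        return False
    return {"lt": port < value, "eq": port == value, "gt": port > value}[op]

def evaluate(rules: list, pkt: Packet) -> tuple:
    """Return (decision, index of the deciding rule or None).
    Assumption: first match wins; no match means the packet is discarded."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"filter exceeds the {MAX_RULES}-rule limit")
    for i, r in enumerate(rules):
        if (_addr_match(r.src, pkt.src) and _addr_match(r.dst, pkt.dst)
                and (r.proto is None or r.proto == pkt.proto)
                and _port_match(r.port_op, r.port, pkt.dst_port)):
            return r.action, i
    return "deny", None  # discarded; the PortMaster returns "ICMP unreachable"

# Constructed sample filter: SMTP from the local subnet is allowed, other
# low-port TCP is blocked, remaining TCP is allowed.
SAMPLE_RULES = [
    Rule("permit", src="192.168.1.0/24", proto="tcp", port_op="eq", port=25),
    Rule("deny", proto="tcp", port_op="lt", port=1024),
    Rule("permit", proto="tcp"),
]
```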
PortMaster 4 Configuration Guide