Displaying Filters; Deleting Filters; Example Filters; Simple Filter - Lucent Technologies PortMaster 4 Configuration Manual

Displaying Filters

To display the filter table, use the following command:
Command> show table filter
To display a particular filter, use the following command:
Command> show filter Filtername

Deleting Filters

To delete a filter, use the following command:
Command> delete filter Filtername

Example Filters

Because filters are very flexible, you must carefully evaluate the types of traffic that a
specific filter permits or denies through an interface before attaching the filter. If
possible, a filter should be tested from both sides of the filtering interface to verify that
the filter is operating as you intended. Using the log keyword to log packets that match
a rule to the loghost is useful when you are testing and refining IP filters.
Some of the following examples use the 192.168.1.0 network as the public network.
Substitute the number of your network or subnetwork if you use these examples.
Note – Any packet that is not explicitly permitted by a filter is denied, except for the
special case of a filter with no rules, which permits everything.

Simple Filter

A simple filter can consist of the following rules:
Command> set filter simple 1 permit udp dst eq 53
Command> set filter simple 2 permit tcp dst eq 25
Command> set filter simple 3 permit icmp
Command> set filter simple 4 permit 0.0.0.0/0 192.168.1.3/32 tcp dst eq 21
Command> set filter simple 5 permit tcp src eq 20 dst gt 1023
Table 8-2 describes, line by line, each rule in the filter.

Table 8-2    Description of Simple Filter

Rule   Description
1.     Permits Domain Name Service (DNS) UDP packets from any host to any host.
2.     Permits SMTP (mail) packets.
3.     Permits ICMP packets.
4.     Permits FTP from any host, but only to the host 192.168.1.3.
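
The following Python evaluator is an added example, not part of the manual or of PortMaster software. It checks test packets against the five simple rules above, including the implicit deny and the empty-filter case from the Note. It handles only the permit syntax shown on this page; the function names and the packet dictionary layout are assumptions of the example.

```python
import ipaddress

# The five rules of the "simple" filter, copied from the page.
SIMPLE = """\
permit udp dst eq 53
permit tcp dst eq 25
permit icmp
permit 0.0.0.0/0 192.168.1.3/32 tcp dst eq 21
permit tcp src eq 20 dst gt 1023
"""
OPS = {"eq": lambda a, b: a == b, "gt": lambda a, b: a > b}

def parse_rule(text):
    """Parse one rule body, supporting only the syntax used on the page."""
    tok = text.split()
    if tok[0] != "permit":
        raise ValueError("only permit rules are handled here")
    rule = {"src_net": None, "dst_net": None, "ports": []}
    i = 1
    if "/" in tok[i]:                      # optional source and destination prefixes
        rule["src_net"], rule["dst_net"] = map(ipaddress.ip_network, tok[i:i + 2])
        i += 2
    rule["proto"], i = tok[i], i + 1
    while i < len(tok):                    # "src|dst eq|gt PORT" triples
        rule["ports"].append((tok[i], OPS[tok[i + 1]], int(tok[i + 2])))
        i += 3
    return rule

def matches(rule, pkt):
    if rule["proto"] != pkt["proto"]:
        return False
    for side in ("src", "dst"):
        net = rule[side + "_net"]
        if net is not None and ipaddress.ip_address(pkt[side]) not in net:
            return False
    return all(op(pkt[side + "_port"], port) for side, op, port in rule["ports"])

def evaluate(filter_text, pkt):
    """Return ("permit", rule_number) or ("deny", None) for one packet."""
    rules = [parse_rule(l) for l in filter_text.splitlines() if l.strip()]
    if not rules:
        return ("permit", None)            # a filter with no rules permits everything
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return ("permit", n)
    return ("deny", None)                  # not explicitly permitted, so denied

# Constructed test packet: FTP control connection to a host other than 192.168.1.3.
PKT = {"proto": "tcp", "src": "10.0.0.1", "dst": "192.168.1.4", "src_port": 40000, "dst_port": 21}
print(evaluate(SIMPLE, PKT))               # ('deny', None)
```

Rule 5 as written matches on source port 20 and a destination port above 1023 with no address restriction, so include such packets when testing the filter from both sides of the interface.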