Input Filter For An Internet Connection - Lucent Technologies PortMaster 4 Configuration Manual

Example Filters

Table 8-2 Description of Simple Filter (Continued)

Rule  Description
5.    Permits FTP data to return to the requesting host. This rule is required to provide a reverse channel for the data portion of FTP.

Input Filter for an Internet Connection

The filter in this example is designed as an input filter for a network hardwired port that connects to the Internet. You can use this filter for a dial-on-demand connection by attaching it to the location entry.

The rules for the filter are set as follows:

Command> set filter internet.in 1 deny 192.168.1.0/24 0.0.0.0/0 log
Command> set filter internet.in 2 permit tcp estab
Command> set filter internet.in 3 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 25
Command> set filter internet.in 4 permit 0.0.0.0/0 172.16.0.4/32 tcp dst eq 21
Command> set filter internet.in 5 permit tcp 0.0.0.0/0 192.168.0.5/32 dst eq 80
Command> set filter internet.in 6 permit tcp src eq 20 dst gt 1023
Command> set filter internet.in 7 permit udp dst eq 53
Command> set filter internet.in 8 permit tcp dst eq 53
Command> set filter internet.in 9 permit icmp

Table 8-3 describes, line by line, each rule in the filter.

Table 8-3 Description of Internet Filter

Rule  Description
1.    Denies any incoming packets from the Internet claiming to be from—or spoofing—your own network (192.168.1.0). This rule blocks IP spoofing attacks. This rule also logs the header information in the spoofing packets to syslog.
2.    Permits already established TCP connections that originated from your network—packets with the ACK bit set.
3.    Permits SMTP connections to 10.0.0.3 (the mail server).
4.    Permits FTP connections to host 172.16.0.4.
5.    Permits Hypertext Transfer Protocol (HTTP) access to host 192.168.0.5.
6.    Permits an FTP data channel.
7.    Permits DNS.
8.    Permits DNS zone transfers. (You can write this rule to allow only connections to your name servers.)
9.    Permits ICMP packets.
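The following is an added example, not part of the PortMaster guide or Lucent's software: a small first-match evaluator that transcribes the nine internet.in rules above into a table and reports which rule a given packet hits, so the effect of rule order (the spoof deny in rule 1 running before the estab permit in rule 2, and the implicit deny for anything unmatched) can be checked offline. The packets fed to it are constructed here.

```python
import ipaddress

# Constructed transcription of the internet.in rules above:
# (action, src, dst, proto, sport_test, dport_test, estab, log).
# Port tests are ("eq", n) or ("gt", n); None means any. Rule 2's
# "estab" matches only TCP packets with the ACK bit set.
INTERNET_IN = [
    ("deny",   "192.168.1.0/24", "0.0.0.0/0",      None,   None,       None,         False, True),
    ("permit", "0.0.0.0/0",      "0.0.0.0/0",      "tcp",  None,       None,         True,  False),
    ("permit", "0.0.0.0/0",      "10.0.0.3/32",    "tcp",  None,       ("eq", 25),   False, False),
    ("permit", "0.0.0.0/0",      "172.16.0.4/32",  "tcp",  None,       ("eq", 21),   False, False),
    ("permit", "0.0.0.0/0",      "192.168.0.5/32", "tcp",  None,       ("eq", 80),   False, False),
    ("permit", "0.0.0.0/0",      "0.0.0.0/0",      "tcp",  ("eq", 20), ("gt", 1023), False, False),
    ("permit", "0.0.0.0/0",      "0.0.0.0/0",      "udp",  None,       ("eq", 53),   False, False),
    ("permit", "0.0.0.0/0",      "0.0.0.0/0",      "tcp",  None,       ("eq", 53),   False, False),
    ("permit", "0.0.0.0/0",      "0.0.0.0/0",      "icmp", None,       None,         False, False),
]

def _port_ok(test, port):
    """Apply an ("eq", n) / ("gt", n) port test; None matches any port."""
    if test is None:
        return True
    op, n = test
    return port == n if op == "eq" else port > n

def evaluate(rules, src, dst, proto, sport=0, dport=0, ack=False):
    """First-match evaluation of an input filter. Returns
    (rule_number, action, logged); rule 0 is the implicit deny for
    packets that match no rule."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for num, (act, rsrc, rdst, rproto, st, dt, estab, log) in enumerate(rules, 1):
        if s not in ipaddress.ip_network(rsrc) or d not in ipaddress.ip_network(rdst):
            continue
        if rproto is not None and rproto != proto:
            continue
        if estab and not (proto == "tcp" and ack):
            continue
        if not (_port_ok(st, sport) and _port_ok(dt, dport)):
            continue
        return num, act, log
    return 0, "deny", False

if __name__ == "__main__":
    # Constructed packets: spoofed source with ACK set, SMTP, FTP data return, telnet.
    for pkt in [("192.168.1.7", "10.0.0.3", "tcp", 4000, 25, True),
                ("203.0.113.9", "10.0.0.3", "tcp", 4000, 25, False),
                ("203.0.113.9", "192.168.1.20", "tcp", 20, 1024, False),
                ("203.0.113.9", "192.168.1.20", "tcp", 4000, 23, False)]:
        print(pkt, "->", evaluate(INTERNET_IN, *pkt))
```

Laid out this way, the table also makes visible that rule 6 matches any TCP packet from source port 20 to any port above 1023 on any inside host, which is the price of a static FTP data-channel rule.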
PortMaster 4 Configuration Guide