Nortel Web OS Switch Software Application Manual page 350


Web OS 10.0 Application Guide
You could add the filters required for the DMZ (to each Web switch) as follows:

1. On the dirty-side Web switch, create the filter to allow HTTP traffic to reach the DMZ Web servers.

In this example, the DMZ Web servers use IP addresses 205.178.29.0/24.

>> # /cfg/slb/filt 80                  (Select filter 80)
>> Filter 80# sip any                  (From any source IP address)
>> Filter 80# dip 205.178.29.0         (To the DMZ base destination)
>> Filter 80# dmask 255.255.255.0      (For the range of DMZ addresses)
>> Filter 80# proto tcp                (For TCP protocol traffic)
>> Filter 80# sport any                (From any source port)
>> Filter 80# dport http               (To an HTTP destination port)
>> Filter 80# action allow             (Allow the traffic)
>> Filter 80# ena                      (Enable the filter)

2. Create another filter to deny all other traffic to the DMZ Web servers.

>> Filter 80# ../filt 89               (Select filter 89)
>> Filter 89# sip any                  (From any source IP address)
>> Filter 89# dip 205.178.29.0         (To the DMZ base destination)
>> Filter 89# dmask 255.255.255.0      (For the range of DMZ addresses)
>> Filter 89# proto any                (For any protocol)
>> Filter 89# action deny              (Deny the traffic)
>> Filter 89# ena                      (Enable the filter)

NOTE: The deny filter has a higher filter number than the allow filter. This is necessary so that the allow filter has the higher order of precedence.

3. Add the filters to the traffic ingress ports.

>> Filter 89# ../port 1                (Select the ingress port)
>> SLB Port 1# add 80                  (Add the allow filter)
>> SLB Port 1# add 89                  (Add the deny filter)

4. Apply and save the configuration changes.

>> SLB Port 1# apply
>> SLB Port 1# save

Chapter 13: Firewall Load Balancing
212777-A, February 2002
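
The precedence rule in the NOTE above, as an added example that is not part of the Nortel manual: a small Python model of first-match evaluation in ascending filter-number order, run against constructed packets. The class and function names are hypothetical, and the "no-match" result for traffic that hits neither filter is a placeholder of this model, not a statement of the switch's default behavior.

```python
import ipaddress
from typing import NamedTuple, Union

class Filter(NamedTuple):
    """Hypothetical model of one filter; sip any / sport any are omitted."""
    num: int                 # filter number; lower numbers are checked first
    dip: str                 # destination base address
    dmask: str               # destination mask
    proto: str               # "tcp", "udp", ... or "any"
    dport: Union[int, str]   # port number or "any"
    action: str              # "allow" or "deny"

    def matches(self, dst, proto, dport):
        net = ipaddress.ip_network(f"{self.dip}/{self.dmask}")
        return (ipaddress.ip_address(dst) in net
                and self.proto in ("any", proto)
                and self.dport in ("any", dport))

# The two filters from steps 1 and 2 (dport http modelled as TCP port 80).
ALLOW_HTTP = Filter(80, "205.178.29.0", "255.255.255.0", "tcp", 80, "allow")
DENY_REST = Filter(89, "205.178.29.0", "255.255.255.0", "any", "any", "deny")

def evaluate(filters, dst, proto, dport):
    """Return (number, action) of the first filter that matches, checking in
    ascending filter-number order, or (None, "no-match") if none does."""
    for f in sorted(filters, key=lambda f: f.num):
        if f.matches(dst, proto, dport):
            return f.num, f.action
    return None, "no-match"

if __name__ == "__main__":
    port1 = [DENY_REST, ALLOW_HTTP]   # the model sorts by filter number
    # Constructed sample packets: (destination, protocol, destination port)
    samples = [("205.178.29.10", "tcp", 80),   # HTTP to a DMZ server
               ("205.178.29.10", "tcp", 22),   # other TCP to the DMZ
               ("205.178.29.10", "udp", 53),   # non-TCP to the DMZ
               ("10.1.1.1", "tcp", 80)]        # outside the DMZ range
    for pkt in samples:
        print(pkt, "->", evaluate(port1, *pkt))
    # Misnumbered set: a deny filter numbered below the allow filter
    # shadows it, so HTTP to the DMZ is dropped as well.
    shadowed = [DENY_REST._replace(num=70), ALLOW_HTTP]
    print("deny as filter 70:", evaluate(shadowed, "205.178.29.10", "tcp", 80))
```
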
