Examples of filters that perform common functions
Building a firewall with passpacket filters
Filters can be defined to selectively pass or block IP packets based on:
• Inbound or outbound packet IP address
• Source or destination IP address
• TCP/UDP port
• Protocol
You can configure passpacket filters using any or all of these criteria to build a security firewall between the Internet and a local network.
For example, if your WWW server has an IP address of 199.86.8.33, configure a filter
similar to that shown below and call it filter1:
s1= 199.86.8.33 //Match if IP source or destination address is 199.86.8.33
You can then enter a command similar to the following:
set user name=webconnection network PassPacket=filter1
This will pass packets that match the WWW server's IP address and block all others.
A filter that will block all except specific ftp packets
The following filter blocks all incoming ftp packets except those to host 199.86.8.22
and allows other packets. You must define ftp in the Service Table, using the set
service command:
s1=ftp/syn/recv/dst/199.86.8.22 //allow incoming ftp with dest addr of 199.86.8.22
s2=!ftp/syn/recv //allow all other packets except incoming ftp
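The two passpacket filters above, modeled as an added example (not code from this manual or the product) so their verdicts can be checked against sample traffic. It assumes that a packet passes when any filter line matches, that the Service Table maps ftp to TCP port 21, and that "recv" means a packet received from the remote side; the sample packets and the addresses 203.0.113.5 and 199.86.8.40 are constructed.

```python
from dataclasses import dataclass

WEB, FTP_HOST = "199.86.8.33", "199.86.8.22"   # addresses from the text
FTP_PORT = 21   # assumed Service Table entry for "ftp"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    syn: bool       # connection-opening TCP segment
    inbound: bool   # received from the remote side ("recv")

def filter1(p: Packet) -> bool:
    """s1=199.86.8.33: match on source or destination address only."""
    return WEB in (p.src, p.dst)

def ftp_filter(p: Packet) -> bool:
    """Assumed rule: the packet passes when any line (s1, s2) matches."""
    ftp_open = p.inbound and p.syn and p.dport == FTP_PORT
    s1 = ftp_open and p.dst == FTP_HOST    # s1=ftp/syn/recv/dst/199.86.8.22
    s2 = not ftp_open                      # s2=!ftp/syn/recv
    return s1 or s2

# Constructed sample packets; 203.0.113.5 and 199.86.8.40 are made-up hosts.
SAMPLES = {
    "http to web server":   Packet("203.0.113.5", WEB, 80, True, True),
    "telnet to web server": Packet("203.0.113.5", WEB, 23, True, True),
    "ftp open to .22":      Packet("203.0.113.5", FTP_HOST, 21, True, True),
    "ftp open to .33":      Packet("203.0.113.5", WEB, 21, True, True),
    "http to other host":   Packet("203.0.113.5", "199.86.8.40", 80, True, True),
}

def verdicts(flt):
    """Return {sample name: 'pass' | 'block'} for one filter function."""
    return {name: "pass" if flt(p) else "block" for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for label, flt in (("filter1", filter1), ("ftp filter", ftp_filter)):
        for name, verdict in verdicts(flt).items():
            print(f"{label:10} {name:22} {verdict}")
```

Under this model filter1 passes telnet to the web server as readily as HTTP, because it matches on address alone; limiting the exposed service requires a service term such as the one in the ftp filter.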
A filter that will bring up a connection when it detects IP packets
The following filter brings up a connection when it detects telnet or rlogin IP packets:
s1=telnet
s2=rlogin