Table of Contents
Advertisement
27-12 C
27: P
HAPTER
ACKET
Masks
TCP and UDP Parameter
Filtering
F
ILTERS
The following filter file example would prevent forwarding of IP packets with
destination addresses that match the first 24 bits of the given IP address (that is,
addresses beginning with 188.039.150):
#filter
IP:
010 REJECT dst-addr = 188.039.150.000/24;
The following filter file rule example would allow forwarding of IP packets with
source address 192.077.100.032 and destination address 201.128.011.034:
#filter
IP:
010 AND src-addr = 192.077.100.032;
020 ACCEPT dst-addr = 201.128.011.034;
These fields specify the number of bits to be used in the source address and
destination address comparisons. Valid values are:
0
Match all packets with any IP address. The contents of source address
or destination address fields are unimportant.
8
Compare the first byte (octet) in the IP address.
16
Compare only the first two bytes of the IP addresses.
24
Compare only the first three bytes of the IP addresses.
32
Match the entire IP address. (Default)
The masks are separated from source address and destination address by forward
slashes (/).
TCP and UDP packets are typically sent from and destined for standard port
numbers that provide common network services, such as Domain Name Service
(DNS), Simple Network Management Protocol (SNMP), and TELNET. You can filter
TCP and UDP packets by source and destination ports by defining filter rules that
compare the port number in a TCP or UDP packet of a specific value.
The following filter file rule example would accept only TCP packets that have a
source port number of 24 or greater:
#filter
IP:
010 ACCEPT tcp-src-port >= 24;
020 DENY;
The following filter file rule example would accept only TCP packets with a
destination port in the range of 24-39:
#filter
IP:
010 AND tcp-dst-port>23;
020 ACCEPT tcp-dst-port<40;
030 DENY;
Advertisement
Table of Contents
