Table of Contents
Advertisement
4-6
C
4: F
HAPTER
ILTERING
Interface Filters
Input Filter
Output Filters
Input Filters vs. Output
Filters
Port Filters
Applying Filters
Apply a Filter to an
Interface
C
APABILITIES
Interfaces
Ports
You can configure interface filters for any interface. Interface filters control access
to all networks available for both modem and non-modem interfaces. You can
specify whether a filter applies to packets entering the interface (input filter) or
leaving the interface (output filter). The bridge examines the filtering rules to
determine whether the interface accepts or rejects the packet.
If an input filter is configured on an interface, all packets received into the bridge
in that interface are checked against the filtering rules before being forwarded to
another interface.
If an output filter is configured on an interface, all packets received into the bridge
on that interface are checked against the filtering rules before exiting the bridge.
When possible, use the input filter to filter an incoming packet rather than waiting
to catch a packet as it attempts to exit the bridge. This is recommended because:
A packet is prevented from entering the bridge, keeping potential intruders
from attacking the unit itself.
The bridging engine does not waste time processing a packet that is going to
be discarded anyway.
Most importantly, the bridge does not know which interface an outgoing
packet came in through. If a potential intruder forges a packet with a false
source address (in order to appear as a trusted host or network), there is no
way for an output filter to tell if that packet came in through the wrong
interface. An input filter, on the other hand, can filter out packets purporting
to be from networks that are actually connected to a different interface.
You can configure filters for a specific port profile that controls access to the
network for that location. This filter is only applied for the duration of the remote
network connection. As with interface filters, a port filter can be configured to
apply to input or output data traffic.
You can apply filters to interfaces and/or ports using the CLI. If you modify a file,
you need to re-apply it to make the changes take effect immediately. Otherwise
the changes will not take effect until the bridge network that the filter affects
goes down and comes back up. This occurs when a network is disabled, the WAN
connection goes down then up, or when the 3Com HomeConnect ADSL Modem
Ethernet is rebooted.
To configure an input or output filter on an interface, use the following CLI
commands:
set interface <interface name> input_filter <filter name>
set interface <interface name> output_filter <filter name>
Advertisement
Table of Contents
