Custom Firewall Configurations
Configuring IP Filter Groups
Configuration procedure
There are four IP filter groups, inbound and outbound, each containing up to sixteen
different IP filters. An IP filter can filter IP packets based on source and/or
destination IP address, and/or on any known application (protocol).
Examples of IP filters include, but are not limited to, the following:
- Deny all packets from certain IP addresses/networks.
- Deny all packets from certain source IP addresses/networks to certain destination IP addresses/networks.
- Deny all Telnet session requests coming into this interface.
- Permit all pings coming from certain IP addresses/networks.
- Deny all transport control protocol (TCP) packets coming to certain destination IP addresses/networks.
- Permit all TCP sessions that are established.
- Permit all user datagram protocol (UDP) packets with UDP ports greater than (any number).
- Deny all IP packets of IP type 1 coming from certain IP addresses/networks.
- Permit all hypertext transfer protocol (HTTP) (www) packets from any source to any destination.
- Permit mail protocol only to the particular IP addresses/networks.
NOTE:
For all IP filtering used in conjunction with NAT, you must use the NATed IP
addresses in filters, not the original IP addresses.
The filter syntax is as follows (n is the filter number within the group):
Filter n
permit/deny/clear [dst [net mask]] [src [net mask]]
[All | keyword | default [tcpport/udpport/iptype/ cmp #]] [est]
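As an added illustration that is not part of this manual, the following Python matcher parses the permit/deny subset of the syntax above and evaluates constructed packets against a filter group. It assumes first-match evaluation, an implicit deny when no filter matches, and that "est" restricts a filter to TCP segments of established sessions; the "clear" and "default" forms are not modelled.

```python
import ipaddress
# A packet is a constructed dict: src, dst, proto (1 = ICMP, 6 = TCP, 17 = UDP),
# dport (TCP/UDP destination port) and est (True for a TCP segment of an established session).
PORT_PROTO = {"tcpport": 6, "udpport": 17}

def parse_filter(line):
    """Parse 'permit|deny [dst net mask] [src net mask] [All|tcpport|udpport|iptype N] [est]'."""
    tok = line.split()
    rule = {"action": tok[0].lower(), "dst": None, "src": None, "kw": None, "num": None, "est": False}
    i = 1
    while i < len(tok):
        t = tok[i].lower()
        if t in ("dst", "src"):              # address written as 'net mask', e.g. 10.0.0.0 255.0.0.0
            rule[t] = ipaddress.ip_network(f"{tok[i + 1]}/{tok[i + 2]}", strict=False)
            i += 3
        elif t in ("tcpport", "udpport", "iptype"):   # keyword followed by its number
            rule["kw"], rule["num"] = t, int(tok[i + 1])
            i += 2
        elif t in ("all", "est"):            # 'All' matches anything; 'est' = established TCP only
            rule["est"] = rule["est"] or t == "est"
            i += 1
        else:
            raise ValueError(f"unknown token {tok[i]!r}")
    return rule

def matches(rule, pkt):
    """True when every field the filter specifies agrees with the packet."""
    for side in ("dst", "src"):
        if rule[side] and ipaddress.ip_address(pkt[side]) not in rule[side]:
            return False
    kw, n = rule["kw"], rule["num"]
    if kw in PORT_PROTO and not (pkt["proto"] == PORT_PROTO[kw] and pkt["dport"] == n):
        return False
    if kw == "iptype" and pkt["proto"] != n:
        return False
    return not rule["est"] or (pkt["proto"] == 6 and pkt["est"])

def apply_group(filters, pkt):
    """Assumption: the first matching filter decides; a packet matching none is denied."""
    for rule in filters:
        if matches(rule, pkt):
            return rule["action"]
    return "deny"

GROUP = [parse_filter(l) for l in (          # constructed group mirroring the bullets above
    "deny src 10.0.0.0 255.0.0.0",           # deny all packets from one network
    "permit tcpport 23 est",                 # keep established Telnet sessions
    "deny tcpport 23",                       # deny new Telnet session requests
    "permit dst 192.0.2.10 255.255.255.255 tcpport 80",   # HTTP to one host
    "deny all",
)]
```

Because the group is evaluated in order, the "deny src" line wins over any later permit for that network, which is the ordering a defender wants to check when a filter seems not to apply.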
363-208-050
Issue 4
June 2002