Access Security
Repeat these steps to define several entries for the selected NAT interface.
9.2.8 Filters (Access Lists)
IP filters (Access Lists) in X4100/200/300 are based on a concept of filters, rules and so-called chains. IP filters react to incoming data packets. You can therefore allow or deny access to X4100/200/300 for certain data.

A filter describes a certain part of the IP data traffic based on the source and/or destination IP address, netmask, protocol and source and/or destination port. If you define a filter, you should therefore tell X4100/200/300: "Watch out for all data packets that match the following: ...".

You use a rule to tell X4100/200/300 what the router is to do with the data packets filtered out, i.e. whether or not it should allow them to pass through. You can also define several rules, which you arrange in the form of a chain to obtain a certain sequence.

There are various approaches for the definition of rules and rule chains:

Allow all packets that are not explicitly prohibited, i.e.:
  – Deny all packets that match Filter 1.
  – Deny all packets that match Filter 2.
  – ...
  – ...
  – Allow the rest.

Allow only what is explicitly permitted, i.e.:
  – Allow all packets that match Filter 1.
  – Allow all packets that match Filter 2.
  – ...
  – ...
  – Deny the rest.

Combination of the two possibilities described above.

Several rule chains can be created, either completely or partly separated from each other. The shared use of filters is possible and practicable.
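The following is an added illustration, not text or code from the X4100/200/300 User's Guide: a small model of filters (address/netmask, protocol, port), rules (filter plus allow/deny) and ordered rule chains with a default for "the rest". It evaluates constructed sample packets under the "allow unless prohibited" approach, the "deny unless permitted" approach and a combined chain, and shows that the order of rules in a chain changes the result. All filter names, addresses and packets are invented for the example and say nothing about the router's own configuration syntax.

```python
# Added example (not from the X4100/200/300 User's Guide): filters, rules and
# rule chains as first-match access lists. Addresses, ports and filter names
# below are constructed for illustration only.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Filter:
    """Describes a part of the IP traffic by source/destination network
    (address + netmask), protocol and destination port. A field left as
    None is a wildcard and matches anything."""
    name: str
    src_net: Optional[str] = None   # e.g. "192.168.1.0/24"
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.src_net and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


@dataclass(frozen=True)
class Rule:
    """Tells the router what to do with the packets a filter picks out."""
    filt: Filter
    action: str                 # "allow" or "deny"


def evaluate(chain: List[Rule], default: str, p: Packet) -> Tuple[str, str]:
    """Walk the chain in order; the first rule whose filter matches decides.
    If no rule matches, the chain's default ("the rest") applies.
    Returns (action, name of the deciding filter or "default")."""
    for r in chain:
        if r.filt.matches(p):
            return r.action, r.filt.name
    return default, "default"


# Constructed filters (hypothetical LAN 192.168.1.0/24, router at 192.168.1.1)
TELNET = Filter("telnet", proto="tcp", dport=23)
LAN_TO_ROUTER = Filter("lan-to-router", src_net="192.168.1.0/24", dst_net="192.168.1.1/32")
MGMT_HTTP = Filter("mgmt-http", src_net="192.168.1.0/24", proto="tcp", dport=80)
ANY_TO_ROUTER = Filter("any-to-router", dst_net="192.168.1.1/32")

# Approach 1: allow all packets that are not explicitly prohibited
BLACKLIST_CHAIN = [Rule(TELNET, "deny")]
BLACKLIST_DEFAULT = "allow"

# Approach 2: allow only what is explicitly permitted
WHITELIST_CHAIN = [Rule(LAN_TO_ROUTER, "allow"), Rule(MGMT_HTTP, "allow")]
WHITELIST_DEFAULT = "deny"

# Approach 3: combination; the specific allow must precede the broad deny
COMBINED_CHAIN = [Rule(LAN_TO_ROUTER, "allow"), Rule(ANY_TO_ROUTER, "deny")]
COMBINED_DEFAULT = "allow"

# Constructed sample packets
SAMPLES: Dict[str, Packet] = {
    "telnet-from-internet":   Packet("203.0.113.5", "192.168.1.1", "tcp", 23),
    "lan-http-to-router":     Packet("192.168.1.20", "192.168.1.1", "tcp", 80),
    "internet-ssh-to-router": Packet("203.0.113.5", "192.168.1.1", "tcp", 22),
}


def decide_all(chain: List[Rule], default: str) -> Dict[str, str]:
    """Decision for every sample packet under the given chain and default."""
    return {name: evaluate(chain, default, pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    print("allow unless prohibited:", decide_all(BLACKLIST_CHAIN, BLACKLIST_DEFAULT))
    print("deny unless permitted:  ", decide_all(WHITELIST_CHAIN, WHITELIST_DEFAULT))
    print("combined chain:         ", decide_all(COMBINED_CHAIN, COMBINED_DEFAULT))
    # Same rules, reversed order: the broad deny now shadows the LAN allow.
    print("combined, reversed:     ", decide_all(list(reversed(COMBINED_CHAIN)), COMBINED_DEFAULT))
```

The reversed combined chain denies the LAN's own HTTP access to the router, which is the practical reason the text stresses arranging rules "to obtain a certain sequence": a broad deny placed before a narrow allow silently cancels the allow.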
User's Guide 9 319