Re: Filtering for PM-2e

Brian 'MegaZone' Bikowicz ((no email))
Sat, 14 Oct 1995 18:05:58 -0700 (PDT)

Once upon a time Bo Kullmar shaped the electrons to say...
>What is the syntax for a filter that will stop any incoming address
>on a PPP/SLIP port on a PM-2e from our own C class net? This is to

Below you say all of the connected addresses are on this same class C. You
don't want to block the whole class C then.

Also, you can't assign filters to the port for dialup; you'd have to
either filter at the ether0 (what most people do) or assign filters to each
user. (You can use the same filter for everyone.)

See below for filter examples.

>And also, is it possible to put up an incoming filter for the PPP/SLIP
>ports on the PM-2e that will deny incoming traffic on the PPP/SLIP port
>from any other source than the connected IP number?

Not unless you assign a user a static IP and assign them a filter that
allows only that IP. You can't do this with dynamic addressing of course.
And you'd need a different filter for every user.

Better to filter on the ether0 port, and put a 'permit' in for all the
addresses used in the dynamic pool. Then deny any others.

Filters

94/3/8, last modified 95/02/03

This example is for a hardwired network interface on port S1; if you
use dial on demand you should add the filter to the appropriate
location and netuser table entries (e.g. for location internet and
netuser internet you would do "set internet ifilter internet.in" and
"set user internet ifilter internet.in" after doing the following commands).

In this example we'll use the fictional domain example.com using the
class C network 192.9.200.0, with an ftp server at ftp.example.com, a
nameserver at ns.example.com, the IRX itself as gw.example.com and the
service provider's router as gw.isp.net. 192.9.200.0 should be
replaced by your own network number and all the hostnames should be
replaced by the real hostnames or IP addresses.

add filter internet.in
set filter internet.in 1 deny 192.9.200.0/24 0.0.0.0/0
set filter internet.in 2 permit tcp estab
set filter internet.in 3 permit udp dst eq 53
set filter internet.in 4 permit tcp dst eq 53
set filter internet.in 5 permit tcp dst eq 25
set filter internet.in 6 permit icmp
set filter internet.in 7 permit 0.0.0.0/0 ftp.example.com/32 tcp dst eq 21
set filter internet.in 8 permit tcp src eq 20 dst gt 1023
set s1 ifilter internet.in
save all
reset s1

1. Block any incoming packets claiming to be from your own network
   (anti-spoofing; nothing legitimate arrives on S1 with an inside source)
2. Allow any outgoing TCP connections (only the return traffic of
   connections opened from inside is matched by "estab")
3. Allow Domain Name service queries both ways (replies to queries your
   own nameserver sends pass this rule only if it sends them from source
   port 53; a resolver that queries from a high port needs the "src eq 53"
   rule shown below)
4. Allow Domain Name service zone transfers
5. Allow mail both ways
6. Allow ICMP (ping) both ways
7. Allow anyone to FTP to our FTP host
8. Allow us to FTP things from the Internet (this is potentially risky:
   any outside host that sends from source port 20 can reach any port above
   1023 on any of your hosts, since active-mode FTP data connections look
   exactly like that)

If your Domain Name Server is on the outside of your local net, you
need to add a line like this:
set filter internet.in 9 permit udp src eq 53
and you may then want to add an output filter like

add filter internet.out
set filter internet.out 1 deny 0.0.0.0/0 192.9.200.0/24
set filter internet.out 2 permit tcp
set filter internet.out 3 permit udp src eq 53
set filter internet.out 4 permit udp dst eq 53
set filter internet.out 5 permit gw.example.com/32 gw.isp.net/32 udp dst eq 520
set filter internet.out 6 permit icmp
set s1 ofilter internet.out
save all
reset s1

If you want to listen for RIP information you should add:
set filter internet.in 10 permit gw.isp.net/32 gw.example.com/32 udp dst eq 520

If you want to allow auth (RFC 931) queries in (which some mailers
and FTP servers use) you need to add a line like this:
set filter internet.in 10 permit tcp dst eq 113
(If you already used rule number 10 for the RIP rule above, give this one
the next free number; setting the same number again replaces the earlier rule.)

The rules are applied in the order given and the first matching rule
decides; each rule either permits or denies. Anything not matched by a
permit rule is denied at the end.

For greater security you should further limit which hosts can do what,
e.g. limit DNS and SMTP interchange with the internet to a single
well-secured host of yours, and have your internal hosts refer to that host.

You can specify hosts as IP addresses or as names. You can specify
subnets too; for example if we wanted to allow one subnet to have
complete access to our network, we could add a rule to internet.in like:

permit 192.187.195.0/24 192.9.200.0/24

In Release 3.0 you can route and filter IPX as well, and outgoing SAP.

You can set filters on incoming packets and/or outgoing packets on each
port (or ethernet). Filtering incoming packets is safer than filtering
outgoing packets, because 1) you know which interface that packet is
coming in on, and 2) you can protect the router itself with the filter.
Other vendors' routers that only allow filtering outgoing packets are
vulnerable to attack on the router itself.

EXAMPLE TWO

Here's a basic firewall filter for use with a bastion host and an
IRX-111 connected to the internet on port S1.

This example is for a hardwired network interface on port S1; if you
use dial on demand you should add the filter to the appropriate
location and netuser table entries (e.g. for location internet and
netuser internet you would do "set internet ifilter internet.in" and
"set user internet ifilter internet.in" after doing the following
commands).

This example allows any kind of outgoing connection from the bastion
host, blocks all incoming traffic to any host but the bastion, and
allows the following incoming traffic to the bastion: SMTP, NNTP, DNS,
FTP, ICMP. Note that unless you have the latest versions of ftpd and
sendmail you may be vulnerable to attacks through those ports.

The name bastion below should be replaced by the IP address or
hostname of the bastion host.

add filter internet.in
set filter internet.in 1 deny 192.9.200.0/24 0.0.0.0/0
set filter internet.in 2 permit 0.0.0.0/0 bastion/32 tcp estab
set filter internet.in 3 permit 0.0.0.0/0 bastion/32 tcp dst eq 21
set filter internet.in 4 permit 0.0.0.0/0 bastion/32 tcp src eq 20 dst gt 1023
set filter internet.in 5 permit 0.0.0.0/0 bastion/32 tcp dst eq 119
set filter internet.in 6 permit 0.0.0.0/0 bastion/32 tcp dst eq 25
set filter internet.in 7 permit 0.0.0.0/0 bastion/32 udp dst eq 53
set filter internet.in 8 permit 0.0.0.0/0 bastion/32 tcp dst eq 53
set s1 ifilter internet.in
save all
reset s1

1. Block any incoming packets claiming to be from your own network
2. Allow any established TCP connections back into the bastion (you may want
to limit this further by putting deny commands ahead of it)
3. Allow anyone to FTP to the bastion
4. Allow bastion to FTP things from the Internet (this is potentially risky)
5. Allow incoming news (NNTP) to the bastion
6. Allow incoming mail (SMTP) to the bastion
7. Allow Domain Name service queries to the bastion
8. Allow Domain Name service zone transfers from the bastion to others

-MZ

--
Livingston Enterprises Technical Support
Phone: 800-458-9966      FAX: 510-426-8951
support@livingston.com  <http://www.livingston.com/> 
6920 Koll Center Parkway  #220, Pleasanton, CA 94566
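As an added illustration of the filter semantics in the tech note quoted above (rules applied in order, first match decides, implicit deny at the end) and of why rule 8 of internet.in is "potentially risky", the following Python evaluator parses the EXAMPLE ONE internet.in rules exactly as posted and runs constructed packets through them. This is example code written for this page, not Livingston's or the poster's code; the hostname-to-address mapping and the packets are made up, and "estab" is modelled as a TCP segment with the ACK bit set, which is an assumption about the PortMaster keyword.

```python
"""Added example (not Livingston code): evaluator for the ordered permit/deny filter
syntax in the note. Rules apply in number order, the first match decides, and anything
unmatched is denied at the end. Assumed: 'estab' means a TCP segment with ACK set."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

HOSTS = {"ftp.example.com": "192.9.200.5", "ns.example.com": "192.9.200.2"}  # assumed addresses

# The internet.in input filter from EXAMPLE ONE, as posted.
INTERNET_IN = """
set filter internet.in 1 deny 192.9.200.0/24 0.0.0.0/0
set filter internet.in 2 permit tcp estab
set filter internet.in 3 permit udp dst eq 53
set filter internet.in 4 permit tcp dst eq 53
set filter internet.in 5 permit tcp dst eq 25
set filter internet.in 6 permit icmp
set filter internet.in 7 permit 0.0.0.0/0 ftp.example.com/32 tcp dst eq 21
set filter internet.in 8 permit tcp src eq 20 dst gt 1023
"""

PROTOS = {"tcp", "udp", "icmp"}
KEYWORDS = PROTOS | {"src", "dst", "estab"}
PORT_TESTS = {"eq": lambda have, want: have == want, "gt": lambda have, want: have > want}
PORT_FIELD = {"src": "sport", "dst": "dport"}

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0
    ack: bool = False            # TCP ACK flag; 'estab' rules match only when set

@dataclass
class Rule:
    num: int
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str | None = None
    sport: tuple[str, int] | None = None   # ("eq" | "gt", port)
    dport: tuple[str, int] | None = None
    estab: bool = False

    def matches(self, p: Packet) -> bool:
        ports_ok = all(want is None or PORT_TESTS[want[0]](have, want[1])
                       for want, have in ((self.sport, p.sport), (self.dport, p.dport)))
        return (ipaddress.ip_address(p.src) in self.src and ipaddress.ip_address(p.dst) in self.dst
                and (self.proto is None or p.proto == self.proto) and ports_ok
                and (not self.estab or (p.proto == "tcp" and p.ack)))

def to_network(tok: str) -> ipaddress.IPv4Network:   # 'addr/bits' or 'name/bits'; no bits = host
    host, _, bits = tok.partition("/")
    return ipaddress.ip_network(f"{HOSTS.get(host, host)}/{bits or 32}", strict=False)

def parse_rule(line: str) -> Rule:
    """set filter NAME N permit|deny [SRC DST] [tcp|udp|icmp] [src eq|gt P] [dst eq|gt P] [estab]"""
    tok = line.split()
    if len(tok) < 5 or tok[:2] != ["set", "filter"] or tok[4] not in ("permit", "deny"):
        raise ValueError(f"not a filter rule: {line}")
    num, action, rest = int(tok[3]), tok[4], tok[5:]
    src = dst = ipaddress.ip_network("0.0.0.0/0")
    if rest and rest[0] not in KEYWORDS:              # optional SRC DST pair
        src, dst, rest = to_network(rest[0]), to_network(rest[1]), rest[2:]
    rule = Rule(num, action, src, dst)
    if rest and rest[0] in PROTOS:
        rule.proto, rest = rest[0], rest[1:]
    while rest:
        if rest[0] == "estab":
            rule.estab, rest = True, rest[1:]
        elif rest[0] in PORT_FIELD and len(rest) >= 3 and rest[1] in PORT_TESTS:
            setattr(rule, PORT_FIELD[rest[0]], (rest[1], int(rest[2])))
            rest = rest[3:]
        else:
            raise ValueError(f"unparsed tokens {rest} in: {line}")
    return rule

def parse_filter(text: str) -> list[Rule]:
    return sorted((parse_rule(l) for l in text.splitlines() if l.strip()), key=lambda r: r.num)

def evaluate(rules: list[Rule], p: Packet) -> tuple[str, int | None]:
    for r in rules:                 # first match decides
        if r.matches(p):
            return r.action, r.num
    return "deny", None             # implicit deny at the end

# Constructed packets arriving on S1 from the Internet side (not captured traffic).
CASES = {
    "spoofed inside source":    Packet("192.9.200.9", "192.9.200.2", "udp", 1234, 53),
    "dns query to ns":          Packet("203.0.113.7", "192.9.200.2", "udp", 1234, 53),
    "reply to our tcp conn":    Packet("203.0.113.7", "192.9.200.9", "tcp", 80, 1025, ack=True),
    "new telnet to inside":     Packet("203.0.113.7", "192.9.200.9", "tcp", 1025, 23),
    "ftp to ftp host":          Packet("203.0.113.7", "192.9.200.5", "tcp", 1025, 21),
    "ftp to other host":        Packet("203.0.113.7", "192.9.200.9", "tcp", 1025, 21),
    "src port 20 to high port": Packet("203.0.113.7", "192.9.200.9", "tcp", 20, 6000),
}

def run(text: str = INTERNET_IN) -> dict[str, tuple[str, int | None]]:
    rules = parse_filter(text)
    return {name: evaluate(rules, p) for name, p in CASES.items()}
```

run() returns, for each constructed packet, the decision and the number of the rule that made it (None for the implicit deny at the end). The "src port 20 to high port" case is the one worth staring at: it is a fresh connection to an arbitrary inside host, yet rule 8 permits it, which is exactly the risk the note flags; a packet to the same host with any other source port falls through every rule and is denied.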