The PM will only route IP/IPX, so NetBEUI is not a big issue here. Often an MS-Host configured for NetBEUI will send UDP/137, UDP/138 broadcasts. If you have many users doing this, it may be better to filter this on outbound traffic on the Ethernet interface.
> Is there anyone out there that would be willing to take me
> (and probably 1000 others new to filtering out there) through
> a short course in filtering.
Here's a quickie:
TIP: When writing a filter imagine yourself in the mailroom inside of the PortMaster looking at the packets. Inbound filters are compared against packets coming into the PortMaster. Outbound filters are compared against packets leaving the PortMaster.
* Filters are applied to interfaces.
* Interfaces are defined/configured by port settings, user profiles, location profiles.
1 - Add the filter
    add filter <filtername>
    add filter test.out
* It's a good idea to add .out or .in to your filter to keep track if it's an inbound filter vs. an outbound filter.
2 - Set filter rules
    set filter <filtername> <rule_no> permit | deny <expression>
    set filter test.out 1 deny udp
    set filter test.out 2 permit
  Rule 1: denies all udp packets
  Rule 2: permits everything
* In the filter rules you can look at most information found in IPX/SAP/IP/TCP/UDP/ICMP packet headers. See docs for syntax.
3 - Displaying filters
    show table filter # shows list of all filters on PM
    show filter <filtername> # shows rule list of a given filter
4 - Deleting a filter
    del filter <filtername>
    del filter test.out
> Such information as:
>
> ...where to get information on filtering on a 2eR.
Chapter 15, Command Line Administrator's Guide
Chapter ?, PortMaster Configuration Guide
Filter Technical Notes: http://www.livingston.com/Tech/Technotes/Security/index.shtml#Filters
> ...what recommended filters to use.
> ...how to apply filters.
Filters can be set to the following:
-ports
    set ether0 ifilter <filtername>
    set ether0 ofilter <filtername>
    set s1 ifilter <filtername>
    set s1 ofilter <filtername>
    set w1 ifilter <filtername>
    set w1 ofilter <filtername>
-users
    set user jstorms ifilter <filtername>
    set user jstorms ofilter <filtername>
-locations
    set location work ifilter <filtername>
    set location work ofilter <filtername>
* Filters applied to ethernet interfaces take effect immediately.
* Filters applied to serial ports take effect after the port is reset.
* Filters applied to users/locations take effect the next time their connection becomes ESTABLISHED.
> ...what are the advantages / disadvantages of filters.
Technically, using filters adds another step for the CPU when processing packets. Keeping filters short and simple does not add a noticeable difference.
> ...how can I improve the security of my network by using filters.
Packet filtering on your primary Internet connection can protect you from IP spoofing attacks. You can also, for example, 'channel' mail traffic to just your mail server or a bastion host which limits traffic. Same with Web, DNS, etc.
Other things to keep in mind (Pitfalls).
* Rules are evaluated top to bottom. Start at 1 then 2, etc.
* When a rule matches the packet is 'permit'ted or the packet is 'deny'd.
* When a rule matches no more rules are evaluated.
* Anything not explicitly permitted is denied. Consider a last unseen rule that says deny everything else. It is more secure to say "let these pass and deny all others" than it is to say "deny these and allow all others to pass".
* A filter with no rules permits everything.
* You can use ChoiceNet to store filters on a remote host similar to RADIUS storing users on a remote host.
* Filters can be used with the 'ptrace [extended] <filtername>' command as a powerful debugging command. http://www.livingston.com/Tech/Technotes/Misc/command-ptrace.shtml
* Filters can be used as route filters.
* IP, IPX, and SAP filters can all be stored in the same filter each with its own set of rule numbers.
* SAP packet filters can only be applied as outbound packet filters.
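
Added example (not part of the original message, and not Livingston's code): a small Python model of the evaluation rules in the pitfalls list above, useful for checking a rule list on paper before applying it. It parses only the rule forms shown in this message (permit/deny with an optional protocol keyword); the swapped.out and denyonly.out filters and the function names are constructed for illustration.

```python
# Simplified model of the filter evaluation rules listed in the message above.
# Assumption: only the rule forms shown there are parsed (permit|deny plus an
# optional protocol keyword); real filters match many more header fields.

TEST_OUT = ["set filter test.out 1 deny udp", "set filter test.out 2 permit"]  # from the message
SWAPPED = ["set filter swapped.out 1 permit", "set filter swapped.out 2 deny udp"]  # constructed
DENY_ONLY = ["set filter denyonly.out 1 deny udp"]  # constructed

def parse_filter(lines, name):
    """Return {rule_no: (action, protocol_or_None)} for the named filter."""
    rules = {}
    for line in lines:
        words = line.split()
        if words[:3] != ["set", "filter", name] or len(words) < 5:
            continue
        if words[4] not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line!r}")
        rules[int(words[3])] = (words[4], words[5] if len(words) > 5 else None)
    return rules

def evaluate(rules, packet_proto):
    """Return (verdict, rule_no); rule_no is None when no rule matched."""
    if not rules:
        return ("permit", None)        # a filter with no rules permits everything
    for rule_no in sorted(rules):      # top to bottom: rule 1, then 2, ...
        action, proto = rules[rule_no]
        if proto is None or proto == packet_proto:
            return (action, rule_no)   # first match wins, later rules are skipped
    return ("deny", None)              # the unseen last rule: deny everything else

def unreachable_rules(rules):
    """Rule numbers that can never match because earlier rules take all their traffic."""
    seen, catch_all, dead = set(), False, []
    for rule_no in sorted(rules):
        proto = rules[rule_no][1]
        if catch_all or proto in seen:
            dead.append(rule_no)
        elif proto is None:
            catch_all = True
        else:
            seen.add(proto)
    return dead

if __name__ == "__main__":
    for name, cfg in (("test.out", TEST_OUT), ("swapped.out", SWAPPED), ("denyonly.out", DENY_ONLY)):
        rules = parse_filter(cfg, name)
        verdicts = {p: evaluate(rules, p) for p in ("udp", "tcp")}
        print(name, verdicts, "unreachable:", unreachable_rules(rules))
```

The denyonly.out case is the one that most often surprises: with a single "deny udp" rule and no trailing permit, TCP is dropped too by the implicit deny.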