
B Defining Filter Rules


The tables in this appendix describe the parameters and proper syntax to use when you define rules for filters. For more information on filtering, see the Configuration Guide for PortMaster Products.

This appendix includes the following topics:

    Using a Site List Specifier
    Filtering IP Packets
    Filtering TCP Packets
    Filtering UDP Packets
    Filtering ICMP Packets

Using a Site List Specifier


You can replace either the source or the destination host IP address with a ChoiceNet list specifier. You cannot replace both in the same rule. The filter looks up the specified site list on the ChoiceNet server.

Figure B-1 shows an example rule in which the source value Ipaddress/NM has been replaced with the =ListName value. This rule permits users on the internal_hosts list to telnet to the host at 192.160.240.10.

Figure B-1 Example Rule Using a Source Site List
permit =internal_hosts 192.168.240.10 tcp dst eq 23

Figure B-2 shows an example rule in which the destination value Ipaddress(dest)/NM has been replaced with the =ListName value. This rule permits users from the source network 172.30.0.0/16 to access any Web sites on the yahooligans list.

Figure B-2 Example Rule Using a Destination Site List
permit 172.30.0.0/16 =yahooligans tcp dst eq 80


Filtering IP Packets


Use one of the three syntax forms presented in Table B-1 to define rules for filtering IP packets with the keywords and values described in Table B-2.

Table B-1 IP Rule Syntax
permit|deny [Ipaddress/NM Ipaddress(dest)/NM] [log] [notify]
or
permit|deny =ListName Ipaddress(dest)/NM [log] [notify]
or
permit|deny Ipaddress/NM =ListName [log] [notify]

You can use a hostname in a filter rule only if NIS or DNS is configured on the PortMaster, or if you are entering the filter with PMconsole.

Table B-2 IP Rule Keywords and Values

Keyword or Value    Description

permit              Permits the packet to pass through the interface.
deny                Stops the packet from passing through the interface. The packet is dropped, and an ICMP Host Unreachable message is sent to the source address.
Ipaddress           An IP address expressed in dotted decimal notation or as a hostname. The source IP address of the packet is compared with this value.
Ipaddress(dest)     An IP address expressed in dotted decimal notation or as a hostname. The destination IP address of the packet is compared with this value.
/NM                 The netmask that indicates the number of high-order bits of the source or destination IP address of the packet that must match an address in the filter. Any value between 0 and 32 inclusive, preceded by a slash (/), can be used; common mask values are:
                    /0  - Matches all packets with any source address
                    /16 - Looks at the high-order 16 bits of the address
                    /24 - Looks at the high-order 24 bits of the address
                    /32 - Looks at the entire IP address
=                   Identifies the following value as a site list specifier. There must not be a space between this identifier and the ListName value.
ListName            Specifies a list of source or destination sites in the /etc/choicenet/lists directory. The equal sign (=) identifier must immediately precede the value.
log                 Packets matching the rule are logged by syslog to the loghost.
notify              Packets matching the rule are logged by syslog to the source of the packet. This keyword is used to cause a notification pop-up to appear on a user's computer.


Filtering TCP Packets


Use one of the three syntax forms presented in Table B-3 to define rules for filtering TCP packets with the keywords and values described in Table B-4.

Table B-3 TCP Rule Syntax
permit|deny [Ipaddress/NM Ipaddress(dest)/NM] tcp [src eq|lt|gt Tport] [dst eq|lt|gt Tport] [established] [log] [notify]
or
permit|deny =ListName Ipaddress(dest)/NM tcp [src eq|lt|gt Tport] [dst eq|lt|gt Tport] [established] [log] [notify]
or
permit|deny Ipaddress/NM =ListName tcp [src eq|lt|gt Tport] [dst eq|lt|gt Tport] [established] [log] [notify]

You can use a hostname in a filter rule only if NIS or DNS is configured on the PortMaster, or if you are entering the filter with PMconsole.

Table B-4 TCP Rule Keywords and Values

Keyword or Value    Description

permit              Permits the packet to pass through the interface.
deny                Stops the packet from passing through the interface. The packet is dropped, and an ICMP Host Unreachable message is sent to the source address.
Ipaddress           An IP address expressed in dotted decimal notation or as a hostname. The source IP address of the packet is compared with this value.
Ipaddress(dest)     An IP address expressed in dotted decimal notation or as a hostname. The destination IP address of the packet is compared with this value.
/NM                 The netmask that indicates the number of high-order bits of the source or destination IP address of the packet that must match an address in the filter. Any value between 0 and 32 inclusive, preceded by a slash (/), can be used; common mask values are:
                    /0  - Matches all packets with any source address
                    /16 - Looks at the high-order 16 bits of the address
                    /24 - Looks at the high-order 24 bits of the address
                    /32 - Looks at the entire IP address
=                   Identifies the following value as a site list specifier. There must not be a space between this identifier and the ListName value.
ListName            Specifies a list of source or destination sites in the /etc/choicenet/lists directory. The equal sign (=) identifier must immediately precede the value.
tcp                 Specifies that the filter looks for TCP packets. Supports filtering on source and destination port numbers as well as the established state of a connection.
src                 The TCP source port number is compared with the port number in the rule.
eq                  The comparison determines whether the port number in the packet is equal to the port number specified in the rule.
lt                  The comparison determines whether the port number in the packet is less than the port number specified in the rule.
gt                  The comparison determines whether the port number in the packet is greater than the port number specified in the rule.
Tport               The port number for the TCP/IP connection; an integer from 0 to 65535.
dst                 The TCP destination port number is compared with the port number in the rule.
established         Determines whether the packet is for an established TCP network connection. Packets being sent to start new TCP connections do not match this rule.
log                 Packets matching the rule are logged by syslog to the loghost.
notify              Packets matching the rule are logged by syslog to the source of the packet. This keyword is used to cause a notification pop-up to appear on a user's computer.


Filtering UDP Packets


Use one of the three syntax forms presented in Table B-5 to define rules for filtering UDP packets with the keywords and values described in Table B-6.

Table B-5 UDP Rule Syntax
permit|deny [Ipaddress/NM Ipaddress(dest)/NM] udp [src eq|lt|gt Uport] [dst eq|lt|gt Uport] [log] [notify]
or
permit|deny =ListName Ipaddress(dest)/NM udp [src eq|lt|gt Uport] [dst eq|lt|gt Uport] [log] [notify]
or
permit|deny Ipaddress/NM =ListName udp [src eq|lt|gt Uport] [dst eq|lt|gt Uport] [log] [notify]

You can use a hostname in a filter rule only if NIS or DNS is configured on the PortMaster, or if you are entering the filter with PMconsole.

Table B-6 UDP Rule Keywords and Values

Keyword or Value    Description

permit              Permits the packet to pass through the interface.
deny                Stops the packet from passing through the interface. The packet is dropped, and an ICMP Host Unreachable message is sent to the source address.
Ipaddress           An IP address expressed in dotted decimal notation or as a hostname. The source IP address of the packet is compared with this value.
Ipaddress(dest)     An IP address expressed in dotted decimal notation or as a hostname. The destination IP address of the packet is compared with this value.
/NM                 The netmask that indicates the number of high-order bits of the source or destination IP address of the packet that must match an address in the filter. Any value between 0 and 32 inclusive, preceded by a slash (/), can be used; common mask values are:
                    /0  - Matches all packets with any source address
                    /16 - Looks at the high-order 16 bits of the address
                    /24 - Looks at the high-order 24 bits of the address
                    /32 - Looks at the entire IP address
=                   Identifies the following value as a site list specifier. There must not be a space between this identifier and the ListName value.
ListName            Specifies a list of source or destination sites in the /etc/choicenet/lists directory. The equal sign (=) identifier must immediately precede the value.
udp                 Specifies that the filter looks for UDP packets. Supports filtering on source and destination port numbers.
src                 The UDP source port number is compared with the port number in the rule.
eq                  The comparison determines whether the port number in the packet is equal to the port number specified in the rule.
lt                  The comparison determines whether the port number in the packet is less than the port number specified in the rule.
gt                  The comparison determines whether the port number in the packet is greater than the port number specified in the rule.
Uport               The port number for the UDP/IP connection; an integer from 0 to 65535.
dst                 The UDP destination port number is compared with the port number in the rule.
log                 Packets matching the rule are logged by syslog to the loghost.
notify              Packets matching the rule are logged by syslog to the source of the packet. This keyword is used to cause a notification pop-up to appear on a user's computer.


Filtering ICMP Packets


Use one of the three syntax forms presented in Table B-7 to define rules for filtering ICMP packets with the keywords and values described in Table B-8.

Table B-7 ICMP Rule Syntax
permit|deny [Ipaddress/NM Ipaddress(dest)/NM] icmp [type Itype] [log] [notify]
or
permit|deny =ListName Ipaddress(dest)/NM icmp [type Itype] [log] [notify]
or
permit|deny Ipaddress/NM =ListName icmp [type Itype] [log] [notify]

You can use a hostname in a filter rule only if NIS or DNS is configured on the PortMaster, or if you are entering the filter with PMconsole.

Table B-8 ICMP Rule Keywords and Values

Keyword or Value    Description

permit              Permits the packet to pass through the interface.
deny                Stops the packet from passing through the interface. The packet is dropped, and an ICMP Host Unreachable message is sent to the source address.
Ipaddress           An IP address expressed in dotted decimal notation or as a hostname. The source IP address of the packet is compared with this value.
Ipaddress(dest)     An IP address expressed in dotted decimal notation or as a hostname. The destination IP address of the packet is compared with this value.
/NM                 The netmask that indicates the number of high-order bits of the source or destination IP address of the packet that must match an address in the filter. Any value between 0 and 32 inclusive, preceded by a slash (/), can be used; common mask values are:
                    /0  - Matches all packets with any source address
                    /16 - Looks at the high-order 16 bits of the address
                    /24 - Looks at the high-order 24 bits of the address
                    /32 - Looks at the entire IP address
=                   Identifies the following value as a site list specifier. There must not be a space between this identifier and the ListName value.
ListName            Specifies a list of source or destination sites in the /etc/choicenet/lists directory. The equal sign (=) identifier must immediately precede the value.
type                Compares the ICMP message type of the packet with the Itype value specified in the rule.
Itype               Type of ICMP packet; an integer 0 or higher. ICMP message types are defined in RFC 1700, "Assigned Numbers." Message types 0, 3, 8, and 11 are the most commonly used.
log                 Packets matching the rule are logged by syslog to the loghost.
notify              Packets matching the rule are logged by syslog to the source of the packet. This keyword is used to cause a notification pop-up to appear on a user's computer.
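As an added worked example, not code from the PortMaster or ChoiceNet documentation, the Python below parses rules written in the syntax of Tables B-1, B-3, B-5 and B-7 and checks constructed packets against them: the /NM high-order-bit match, the =ListName substitution for the source or destination address shown in Figures B-1 and B-2, the eq/lt/gt port tests, the established keyword, and the ICMP type test. The site-list contents, the Packet record, the first-match rule ordering and the default deny are assumptions of the example, not statements of this appendix; hostnames are not resolved (on a PortMaster that needs NIS or DNS), and the ChoiceNet server lookup is stood in for by an in-memory dictionary.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for the site lists the ChoiceNet server reads from
# /etc/choicenet/lists. List names and members are assumptions for this example.
SITE_LISTS = {
    "internal_hosts": ["10.0.0.0/8", "172.30.0.0/16"],
    "yahooligans": ["192.0.2.10/32", "192.0.2.11/32"],
}

KEYWORDS = {"tcp", "udp", "icmp", "src", "dst", "type", "established", "log", "notify"}


@dataclass
class Packet:
    """Constructed record of the packet fields a rule can test."""
    src: str
    dst: str
    proto: str = "ip"           # ip, tcp, udp or icmp
    sport: int = 0
    dport: int = 0
    established: bool = False   # segment belongs to an existing TCP connection
    icmp_type: int = -1


@dataclass
class Rule:
    action: str                 # permit or deny
    src: str                    # "Ipaddress/NM" or "=ListName"
    dst: str                    # "Ipaddress(dest)/NM" or "=ListName"
    proto: str = "ip"
    sport: Optional[Tuple[str, int]] = None   # (eq|lt|gt, Tport/Uport)
    dport: Optional[Tuple[str, int]] = None
    established: bool = False
    icmp_type: Optional[int] = None
    log: bool = False
    notify: bool = False


def parse_rule(text: str) -> Rule:
    """Parse one rule in the syntax of Tables B-1, B-3, B-5 and B-7."""
    toks = text.split()
    if not toks or toks[0] not in ("permit", "deny"):
        raise ValueError("rule must start with permit or deny")
    # The IP form lets the address pair be omitted; treat that as /0 (any address).
    if len(toks) >= 3 and toks[1] not in KEYWORDS:
        rule, i = Rule(toks[0], toks[1], toks[2]), 3
    else:
        rule, i = Rule(toks[0], "0.0.0.0/0", "0.0.0.0/0"), 1
    if rule.src.startswith("=") and rule.dst.startswith("="):
        raise ValueError("only one of source or destination may be a site list")
    if i < len(toks) and toks[i] in ("tcp", "udp", "icmp"):
        rule.proto, i = toks[i], i + 1
    while i < len(toks):
        t = toks[i]
        if t in ("src", "dst") and rule.proto in ("tcp", "udp"):
            op, port = toks[i + 1], int(toks[i + 2])
            if op not in ("eq", "lt", "gt") or not 0 <= port <= 65535:
                raise ValueError(f"bad port test: {t} {op} {port}")
            setattr(rule, "sport" if t == "src" else "dport", (op, port))
            i += 3
        elif t == "type" and rule.proto == "icmp":
            rule.icmp_type, i = int(toks[i + 1]), i + 2
            if rule.icmp_type < 0:
                raise ValueError("Itype must be 0 or higher")
        elif t == "established" and rule.proto == "tcp":
            rule.established, i = True, i + 1
        elif t in ("log", "notify"):
            setattr(rule, t, True)
            i += 1
        else:
            raise ValueError(f"keyword {t!r} is not valid in a {rule.proto} rule")
    return rule


def addr_matches(spec: str, addr: str) -> bool:
    """Ipaddress/NM: the high-order NM bits must match; =ListName: any list member."""
    if spec.startswith("="):
        members = SITE_LISTS[spec[1:]]          # KeyError if the list is unknown
        return any(ipaddress.ip_address(addr) in ipaddress.ip_network(m) for m in members)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def port_matches(test: Optional[Tuple[str, int]], port: int) -> bool:
    if test is None:
        return True
    op, value = test
    return {"eq": port == value, "lt": port < value, "gt": port > value}[op]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and pkt.proto != rule.proto:
        return False
    if not (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)):
        return False
    if rule.proto in ("tcp", "udp"):
        if not (port_matches(rule.sport, pkt.sport) and port_matches(rule.dport, pkt.dport)):
            return False
        if rule.established and not pkt.established:   # new connections do not match
            return False
    if rule.proto == "icmp" and rule.icmp_type is not None and pkt.icmp_type != rule.icmp_type:
        return False
    return True


def evaluate(rules, pkt: Packet, default: str = "deny"):
    """Apply rules in order, first match wins; returns (action, matched rule text or None).
    The ordering and the default action are assumptions of this example."""
    for text in rules:
        if rule_matches(parse_rule(text), pkt):
            return parse_rule(text).action, text
    return default, None
```

With the two rules from Figures B-1 and B-2 loaded, a TCP packet from 10.1.2.3 to port 23 on 192.168.240.10 is permitted by the first rule, while the same packet from an address outside internal_hosts falls through to the default; a TCP rule carrying established rejects a connection-opening segment and accepts one marked as belonging to an existing connection.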

Copyright © 1997, Lucent Technologies, Inc. All rights reserved.