Filter Notes 94/3/8, last modified August 18, 1999

EXAMPLE NUMBER ONE:

This example is for a hardwired network interface on port S1; if you use dial on demand you should add the filter to the appropriate location and netuser table entries. For location internet and netuser internet use

Command> set location internet ifilter internet.in
Command> set user internet ifilter internet.in

after the commands shown below in this example.

In this example use the fictional domain example.com with a class C network of IP 192.9.200.0. The ftp server will be ftp.example.com, and the nameserver ns.example.com. The Lucent IRX® router will use gw.example.com, with the service provider router as gw.isp.net. The IP 192.9.200.0 should be replaced by your own network number. All hostnames should be replaced by the real hostnames or IP addresses.

Command> add filter internet.in
Command> set filter internet.in 1 deny 192.9.200.0/24 0.0.0.0/0
Command> set filter internet.in 2 permit tcp estab
Command> set filter internet.in 3 permit udp dst eq 53
Command> set filter internet.in 4 permit tcp dst eq 53
Command> set filter internet.in 5 permit tcp dst eq 25
Command> set filter internet.in 6 permit icmp
Command> set filter internet.in 7 permit 0.0.0.0/0 ftp.example.com/32 tcp dst eq 21
Command> set filter internet.in 8 permit tcp src eq 20 dst gt 1023
Command> set s1 ifilter internet.in
Command> save all
Command> reset s1

Rule 1 drops any packet arriving from the internet that claims a source address on your own network (address spoofing). Rule 2 (permit tcp estab) matches TCP packets with the ACK or RST bit set; it is a flag check, not a record of connections the router has seen. Rule 8 admits a packet from source port 20 to any port above 1023 on any internal host, which is what active-mode FTP data connections need but also what any attacker can set as a source port; example two restricts the same rule to the bastion host.

If your Domain Name Server (DNS) is on the outside of your local network, add a line similar to:

Command> set filter internet.in 9 permit udp src eq 53

You may want to add an output filter similar to the example below:

Command> add filter internet.out
Command> set filter internet.out 1 deny 0.0.0.0/0 192.9.200.0/24
Command> set filter internet.out 2 permit tcp
Command> set filter internet.out 3 permit udp src eq 53
Command> set filter internet.out 4 permit udp dst eq 53
Command> set filter internet.out 5 permit gw.example.com/32 gw.isp.net/32 udp dst eq 520
Command> set filter internet.out 6 permit icmp
Command> set s1 ofilter internet.out
Command> save all
Command> reset s1

To listen for Routing Information Protocol (RIP) information add the following:

Command> set filter internet.in 10 permit gw.isp.net/32 gw.example.com/32 udp dst eq 520

To allow auth (RFC 931) queries (used by some mailers and FTP servers) add a filter like the one shown in the following example:

Command> set filter internet.in 10 permit tcp dst eq 113

Both of these are shown as rule 10. If you need both, give the second one a different number: setting rule 10 a second time replaces the earlier rule 10 rather than adding to it.

"Rules" are applied in the order given. You may either permit or deny. Anything not permitted is denied at the end. To maximize security it is recommended that hosts be limited in their functions. For example, confine Domain Name Service (DNS) and Simple Mail Transfer Protocol (SMTP) interchange with the internet to a single well secured host that your internal hosts may use for access.

Hosts may be specified as names or IP addresses. You may also specify subnets. To allow one subnet complete access to the network, add a rule to internet.in as shown in the example below, where <n> is the next unused rule number:

Command> set filter internet.in <n> permit 192.187.195.0/24 192.9.200.0/24

In Release 3.0 you can route and filter IPX, and outgoing SAP.

Filters may be set on incoming packets and/or outgoing packets on each port (or ethernet). Filtering incoming packets is safer than filtering outgoing packets, for two reasons:

1) The interface that the packet is coming in on is known.
2) The router itself can be protected with a filter. Routers manufactured by other vendors that only allow filtering of outgoing packets are vulnerable to attack on the router.

EXAMPLE NUMBER TWO:

This example shows a basic firewall filter used with a bastion host and a Lucent IRX-111(TM) router connected to the internet on port S1. This example is for a hardwired network interface on port S1; if you use dial on demand, add the filter to the appropriate location and netuser table entries. For location internet and netuser internet you would enter

Command> set location internet ifilter internet.in
Command> set user internet ifilter internet.in

after entering the commands from the example below.

This example allows any kind of outgoing connection from the bastion host, blocks all incoming traffic to any host but the bastion, and allows the following incoming traffic to the bastion: Simple Mail Transfer Protocol (SMTP), Network News Transfer Protocol (NNTP), Domain Name Service (DNS), File Transfer Protocol (FTP) and Internet Control Message Protocol (ICMP). Note: Unless you have the latest versions of ftpd and sendmail you may be vulnerable to attacks through those ports. The name bastion below should be replaced by the IP address or hostname of the bastion host.

Command> add filter internet.in
Command> set filter internet.in 1 deny 192.9.200.0/24 0.0.0.0/0
Command> set filter internet.in 2 permit 0.0.0.0/0 bastion/32 tcp estab
Command> set filter internet.in 3 permit 0.0.0.0/0 bastion/32 tcp dst eq 21
Command> set filter internet.in 4 permit 0.0.0.0/0 bastion/32 tcp src eq 20 dst gt 1023
Command> set filter internet.in 5 permit 0.0.0.0/0 bastion/32 tcp dst eq 119
Command> set filter internet.in 6 permit 0.0.0.0/0 bastion/32 tcp dst eq 25
Command> set filter internet.in 7 permit 0.0.0.0/0 bastion/32 udp dst eq 53
Command> set filter internet.in 8 permit 0.0.0.0/0 bastion/32 tcp dst eq 53
Command> set s1 ifilter internet.in
Command> save all
Command> reset s1

Note that the rules as listed contain no ICMP entry, although the description above includes ICMP; to admit it to the bastion only, add a rule of the form permit 0.0.0.0/0 bastion/32 icmp, in the style of rule 6 of example one. Because every permit in this list is restricted to bastion/32, a packet to any other internal host falls through to the implicit deny at the end, whatever its flags or ports.
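The following is an added example, not code from the page or from Lucent: a small Python evaluator that applies both internet.in lists above to constructed packets, so the first-match ordering, the implicit deny at the end, and the behaviour of rules 2 and 8 can be checked on a workstation before the filter is loaded. It assumes ftp.example.com is 192.9.200.2, the bastion is 192.9.200.10 and the outside host is 10.1.1.1 (none of these addresses are on the page), and it models estab the way a stateless filter implements it, as a check of the ACK/RST bit. That is why a bare ACK to port 23 is permitted by rule 2 of example one with no connection behind it, and why rule 8 admits a packet from source port 20 to any high port on any host; under example two's rules the same packets aimed at a non-bastion host are denied.

```python
"""Stateless first-match evaluator for ComOS-style 'set filter' rules (added
example, not Lucent/Livingston code).  Covers only the syntax used on this page:
  N permit|deny [src/len dst/len] [tcp|udp|icmp] [estab] [src eq P] [dst eq|gt P]
'estab' is modelled as a stateless filter implements it: TCP with ACK/RST set."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK/RST bit, which is all 'estab' can test

def parse_rule(text):
    """Parse 'N permit|deny ...' into a dict of match fields (None = any)."""
    toks = text.split()
    rule = {"num": int(toks[0]), "action": toks[1], "src": ANY, "dst": ANY,
            "proto": None, "estab": False, "sport": None, "dport": None}
    i = 2
    if i < len(toks) and "/" in toks[i]:        # optional 'src/len dst/len' pair
        rule["src"], rule["dst"] = map(ipaddress.ip_network, toks[i:i + 2])
        i += 2
    while i < len(toks):
        t, i = toks[i], i + 1
        if t in ("tcp", "udp", "icmp"):
            rule["proto"] = t
        elif t == "estab":
            rule["estab"] = True
        elif t in ("src", "dst"):               # 'src eq P' or 'dst eq|gt P'
            rule["sport" if t == "src" else "dport"] = (toks[i], int(toks[i + 1]))
            i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in rule {rule['num']}")
    return rule

def _port_ok(cond, value):
    # cond is None (any port) or ('eq' | 'gt', port)
    return cond is None or (value == cond[1] if cond[0] == "eq" else value > cond[1])

def matches(rule, pkt):
    return (ipaddress.ip_address(pkt.src) in rule["src"]
            and ipaddress.ip_address(pkt.dst) in rule["dst"]
            and (rule["proto"] is None or rule["proto"] == pkt.proto)
            and (not rule["estab"] or (pkt.proto == "tcp" and pkt.ack))
            and _port_ok(rule["sport"], pkt.sport)
            and _port_ok(rule["dport"], pkt.dport))

def evaluate(rules, pkt):
    """First matching rule decides; a packet no rule permits is denied."""
    for r in rules:
        if matches(r, pkt):
            return r["action"], r["num"]
    return "deny", None                         # the implicit deny at the end

# Example one's internet.in, with ftp.example.com assumed to be 192.9.200.2.
INTERNET_IN = [parse_rule(r) for r in (
    "1 deny 192.9.200.0/24 0.0.0.0/0",
    "2 permit tcp estab",
    "3 permit udp dst eq 53",
    "4 permit tcp dst eq 53",
    "5 permit tcp dst eq 25",
    "6 permit icmp",
    "7 permit 0.0.0.0/0 192.9.200.2/32 tcp dst eq 21",
    "8 permit tcp src eq 20 dst gt 1023",
)]

# Example two's internet.in, with the bastion assumed to be 192.9.200.10.
BASTION_IN = [parse_rule(r) for r in (
    "1 deny 192.9.200.0/24 0.0.0.0/0",
    "2 permit 0.0.0.0/0 192.9.200.10/32 tcp estab",
    "3 permit 0.0.0.0/0 192.9.200.10/32 tcp dst eq 21",
    "4 permit 0.0.0.0/0 192.9.200.10/32 tcp src eq 20 dst gt 1023",
    "5 permit 0.0.0.0/0 192.9.200.10/32 tcp dst eq 119",
    "6 permit 0.0.0.0/0 192.9.200.10/32 tcp dst eq 25",
    "7 permit 0.0.0.0/0 192.9.200.10/32 udp dst eq 53",
    "8 permit 0.0.0.0/0 192.9.200.10/32 tcp dst eq 53",
)]

# Constructed packets arriving on S1 from an outside host 10.1.1.1 (assumed).
SAMPLES = {
    "spoofed_syn": Packet("192.9.200.5", "192.9.200.7", "tcp", 4000, 25),  # inside address as source
    "dns_query": Packet("10.1.1.1", "192.9.200.3", "udp", 4000, 53),
    "telnet_syn": Packet("10.1.1.1", "192.9.200.7", "tcp", 4000, 23),
    "telnet_ack": Packet("10.1.1.1", "192.9.200.7", "tcp", 4000, 23, ack=True),  # ACK set, no handshake
    "port20_probe": Packet("10.1.1.1", "192.9.200.7", "tcp", 20, 6000),    # source port 20 to a high port
    "bastion_smtp": Packet("10.1.1.1", "192.9.200.10", "tcp", 4000, 25),
}

def decide_all(rules):
    # Map each sample packet to (action, rule number or None) under a filter.
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, (action, num) in decide_all(INTERNET_IN).items():
        print(f"{name:20s} {action:6s} by rule {num or 'implicit deny'}")
```

Run it as a script to see example one's decisions; call decide_all(BASTION_IN) for example two. Hostnames such as ftp.example.com/32 are not resolved here, so substitute the address the router would use, as the two assumed addresses above do.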