Filter Notes


94/3/8, last modified August 18, 1999

EXAMPLE NUMBER ONE:

This example is for a hardwired network interface on port S1. If you use dial on demand, add the filter to the appropriate location and netuser table entries instead: for location internet and netuser internet, enter Command> set internet ifilter internet.in and Command> set user internet ifilter internet.in after the commands shown below in this example.

This example uses the fictional domain example.com with the class C network 192.9.200.0. The FTP server is ftp.example.com and the nameserver is ns.example.com. The Lucent IRX ® router is gw.example.com and the service provider's router is gw.isp.net. Replace 192.9.200.0 with your own network number, and replace all hostnames with your real hostnames or IP addresses.

Command> add filter internet.in
Command> set filter internet.in 1 deny 192.9.200.0/24 0.0.0.0/0
Command> set filter internet.in 2 permit tcp estab
Command> set filter internet.in 3 permit udp dst eq 53
Command> set filter internet.in 4 permit tcp dst eq 53
Command> set filter internet.in 5 permit tcp dst eq 25
Command> set filter internet.in 6 permit icmp
Command> set filter internet.in 7 permit 0.0.0.0/0 ftp.example.com/32 tcp dst eq 21
Command> set filter internet.in 8 permit tcp src eq 20 dst gt 1023
Command> set s1 ifilter internet.in
Command> save all
Command> reset s1
  1. Block any incoming packets claiming to be from your own network 
  2. Allow any outgoing Transmission Control Protocol (TCP) connections 
  3. Allow Domain Name service queries both ways 
  4. Allow Domain Name service zone transfers 
  5. Allow mail both ways 
  6. Allow ICMP (ping) both ways 
  7. Allow anyone to FTP to our FTP host 
  8. Allow us to FTP files from the Internet (this is potentially risky) 

If your Domain Name Server (DNS) is outside your local network, add a line similar to: Command> set filter internet.in 9 permit udp src eq 53. You may also want to add an output filter similar to the example below:

Command> add filter internet.out
Command> set filter internet.out 1 deny 0.0.0.0/0 192.9.200.0/24
Command> set filter internet.out 2 permit tcp
Command> set filter internet.out 3 permit udp src eq 53
Command> set filter internet.out 4 permit udp dst eq 53
Command> set filter internet.out 5 permit gw.example.com/32 gw.isp.net/32 udp dst eq 520
Command> set filter internet.out 6 permit icmp
Command> set s1 ofilter internet.out
Command> save all
Command> reset s1

To listen for Routing Information Protocol (RIP) information add the following: 

Command> set filter internet.in 10 permit gw.isp.net/32 gw.example.com/32 udp dst eq 520

To allow auth (RFC 931) queries (used by some mailers and FTP servers), add a filter like the one shown in the following example:

Command> set filter internet.in 10 permit tcp dst eq 113

"Rules" are applied in the order given, and the first matching rule decides. Each rule either permits or denies; anything not explicitly permitted is denied at the end of the list.
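The first-match, implicit-deny behaviour just described is easy to get wrong when rules are reordered, so here is an added example (not part of the original Filter Notes) that simulates it for the Example One internet.in rules; the address assigned to ftp.example.com is a constructed assumption, and the Example Two bastion rules can be loaded into the same table the same way.

```python
# Added example, not from the original Filter Notes: a small simulator of the
# first-match, implicit-deny filter semantics described on this page, loaded
# with the Example One internet.in rules 1-8 in the order the page gives them.
import ipaddress
from dataclasses import dataclass

# Constructed address for the fictional FTP host (assumption, not from the page).
HOSTS = {"ftp.example.com": "192.9.200.10"}
ANY = "0.0.0.0/0"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"      # "tcp", "udp", "icmp", or "ip" for any protocol
    sport: int = 0
    dport: int = 0
    estab: bool = False    # TCP segment belonging to an established connection


def _in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def _matches(rule, pkt):
    """One rule: (src_net, dst_net, proto, predicate on ports/flags)."""
    src_net, dst_net, proto, pred = rule
    if not _in_net(pkt.src, src_net) or not _in_net(pkt.dst, dst_net):
        return False
    if proto != "ip" and pkt.proto != proto:
        return False
    return pred(pkt)


# Example One internet.in: (action, rule). Omitted src/dst means 0.0.0.0/0.
INTERNET_IN = [
    ("deny",   ("192.9.200.0/24", ANY, "ip",   lambda p: True)),             # 1 anti-spoof
    ("permit", (ANY, ANY, "tcp",  lambda p: p.estab)),                       # 2 tcp estab
    ("permit", (ANY, ANY, "udp",  lambda p: p.dport == 53)),                 # 3 DNS queries
    ("permit", (ANY, ANY, "tcp",  lambda p: p.dport == 53)),                 # 4 zone transfers
    ("permit", (ANY, ANY, "tcp",  lambda p: p.dport == 25)),                 # 5 SMTP
    ("permit", (ANY, ANY, "icmp", lambda p: True)),                          # 6 ICMP
    ("permit", (ANY, HOSTS["ftp.example.com"] + "/32", "tcp",
                lambda p: p.dport == 21)),                                   # 7 FTP to ftp host
    ("permit", (ANY, ANY, "tcp",  lambda p: p.sport == 20 and p.dport > 1023)),  # 8 FTP data
]


def evaluate(rules, pkt):
    """Walk the rules in order; the first match wins; no match means deny."""
    for action, rule in rules:
        if _matches(rule, pkt):
            return action
    return "deny"
```

Moving rule 1 below rule 2 would let a spoofed, "established"-flagged packet through, which the simulator shows directly.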

To maximize security, limit each host to as few functions as possible. For example, confine Domain Name Service (DNS) and Simple Mail Transfer Protocol (SMTP) exchange with the Internet to a single well secured host, which your internal hosts then use for access.

Hosts may be specified as names or IP addresses. You may also specify subnets. To allow one subnet (192.187.195.0/24 in the example) complete access to the network, add a rule of the following form to internet.in, as a numbered set filter internet.in entry:

Command> permit 192.187.195.0/24 192.9.200.0/24

In Release 3.0 you can route and filter IPX, and outgoing SAP. 

Filters may be set on incoming packets and/or outgoing packets on each port (or ethernet). Filtering incoming packets is safer than filtering outgoing packets, for two reasons: 1) the interface the packet arrived on is known, and 2) the router itself can be protected by the filter. Routers from other vendors that only allow filtering of outgoing packets leave the router itself open to attack.

EXAMPLE NUMBER TWO:

This example shows a basic firewall filter used with a bastion host and a Lucent IRX-111(TM) router connected to the internet on port S1. 

This example is for a hardwired network interface on port S1. If you use dial on demand, add the filter to the appropriate location and netuser table entries instead: for location internet and netuser internet, enter Command> set internet ifilter internet.in and Command> set user internet ifilter internet.in after entering the commands from the example below.

This example allows any kind of outgoing connection from the bastion host, blocks all incoming traffic to any host but the bastion, and allows the following incoming traffic to the bastion: Simple Mail Transfer Protocol (SMTP), Network News Transfer Protocol (NNTP), Domain Name Service (DNS), File Transfer Protocol (FTP) and Internet Control Message Protocol (ICMP). Note: unless you have the latest versions of ftpd and sendmail, you may be vulnerable to attacks through those ports.

The name bastion below should be replaced by the IP address or hostname of the bastion host. 

Command> add filter internet.in
Command> set filter internet.in 1 deny 192.9.200.0/24 0.0.0.0/0
Command> set filter internet.in 2 permit 0.0.0.0/0 bastion/32 tcp estab
Command> set filter internet.in 3 permit 0.0.0.0/0 bastion/32 tcp dst eq 21
Command> set filter internet.in 4 permit 0.0.0.0/0 bastion/32 tcp src eq 20 dst gt 1023
Command> set filter internet.in 5 permit 0.0.0.0/0 bastion/32 tcp dst eq 119
Command> set filter internet.in 6 permit 0.0.0.0/0 bastion/32 tcp dst eq 25
Command> set filter internet.in 7 permit 0.0.0.0/0 bastion/32 udp dst eq 53
Command> set filter internet.in 8 permit 0.0.0.0/0 bastion/32 tcp dst eq 53
Command> set s1 ifilter internet.in
Command> save all
Command> reset s1
  1. Block any incoming packets claiming to be from your own network 
  2. Allow any established TCP connections back into the bastion (you may want to limit this further by putting deny commands ahead of it) 
  3. Allow anyone to FTP to the bastion 
  4. Allow bastion to FTP things from the Internet (this is potentially risky) 
  5. Allow incoming news (NNTP) to the bastion 
  6. Allow incoming mail (SMTP) to the bastion 
  7. Allow Domain Name service queries to the bastion 
  8. Allow Domain Name service zone transfers from the bastion to others