IP Packet Filtering
Caution: IP packet filtering is intended for advanced users only, and an
incorrect filter implementation may block all router management capabilities.
A working knowledge of TCP/IP is highly recommended.
Note: Using Dynamic Host Configuration Protocol (DHCP) assigned IP addresses
with IP packet filtering can cause problems. If a filter's source or
destination IP address is DHCP assigned and the DHCP lease expires, the source
or destination host is assigned a new IP address, and you will have to update
your filter manually to reflect the new address. Therefore, you should ensure
that all IP addresses specified in a filter are reserved or static addresses.
- Definitions for IP Packet Filtering
- About Packet Filters
- Tips on Setting up Packet Filters
- Packet Filter Setup Examples
  - Block Outgoing Access for One Workstation
  - Block Outgoing Access for a Range of Workstations
  - Block Outgoing Web (HTTP) Access for One Workstation
  - Block Incoming Access
- Appendix A: Subnet Mask Table
- Appendix B: Well-Known Ports, Protocols, and Applications
Definitions for IP Packet Filtering
| Term | Definition |
| --- | --- |
| Source IP Address | A single IP address, or a range of IP addresses, that the packets are sent "From". |
| Destination IP Address | A single IP address, or a range of IP addresses, that the packets are sent "To". |
| Mask | A mask determines which subnet an IP address belongs to. |
| TCP/IP Port | The port number the server or application is using. For example, HTTP (Web) uses port 80 and FTP uses port 21. If "Any" is selected, all ports are selected. |
| Protocol Type | The type of protocol the server or application is using. |
| Protocol Type: Any | All protocols are included. |
| Protocol Type: TCP | Used by FTP, Telnet, SMTP, whois, DNS, Gopher, Finger, HTTP, and POPv3. |
| Protocol Type: UDP | Used by DNS, SNMP, and RIP. |
| Protocol Type: ICMP | Used by Ping. |
| True | All criteria are matched. |
| False | One or more of the criteria are not matched. |
| Pass | The packets will be passed through and will trigger DOD (Dial-On-Demand), if a DOD profile has been defined. |
| Restrict | The packets will be dropped if an ISDN connection does not exist (the packets will not trigger DOD). The packets will be passed through if an ISDN connection exists. |
| Discard | The packets will be discarded. |
| Go to Next Filter | Packets examined by the current filter will also be examined by the next filter in the sequence. |
About Packet Filters
- Up to 32 filters can be applied.
- Six default filters are built-in if the router is shipped with v4.0
from Arescom. The filters are designed to stop the Dial-On-Demand
from being triggered by NetBIOS over TCP/IP packets. The default filters
can be modified or deleted if preferred.
- Routers shipped previously with older firmware will not have the
six default filters when they are upgraded to v4.0 firmware.
- The six default filters are:
| Field | Filter 1 | Filter 2 | Filter 3 | Filter 4 | Filter 5 | Filter 6 |
| --- | --- | --- | --- | --- | --- | --- |
| Source IP | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 |
| Mask | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 |
| TCP/IP Port | Any | Any | Any | Any | Any | Any |
| Protocol Type | TCP | UDP | TCP | UDP | TCP | UDP |
| Destination IP | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 |
| Mask | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 |
| TCP/IP Port | 137 | 137 | 138 | 138 | 139 | 139 |
| If True Then | Restrict | Restrict | Restrict | Restrict | Restrict | Restrict |
| If False Then | Go to Next Filter | Go to Next Filter | Go to Next Filter | Go to Next Filter | Go to Next Filter | Pass |
Tips on Setting up Packet Filters
IP Address and Mask
- The wild card "0.0.0.0" can be used in the IP Address and Mask fields
if the IP packet filter applies to all IP addresses.
- When applying an IP packet filter to only one IP address, the host
mask "255.255.255.255" must be entered in the Mask field.
- When applying an IP packet filter to a range of several IP addresses
within the same subnet, a calculated subnet mask can be entered in
the Mask field. Please refer to Appendix A: Subnet Mask Table.
TCP/IP Port
- The TCP/IP Port field can be entered as Any (all ports included),
as a pre-defined number, or as any number based on the user's needs.
Multiple Filter Entries
- If more than one filter has been entered and a sequence of packet
filters is desired, then the "If True" or "If False" field must have the
"Go to Next Filter" action selected in every filter except the last one;
otherwise the packets will not be passed from one filter to the next.
- If the last filter (or the only filter, if only one has been entered)
has the "Go to Next Filter" action selected in its "If True" or "If False"
field, there is no further filter to examine the packet, so the packet
will be passed through. In other words, when "Go to Next Filter" is
selected and there are no additional filter entries, it behaves the same
as the "Pass" action.
Packet Filter Setup Examples
Block Outgoing Access for One Workstation
If the network IP address range is 192.168.1.1-254 with a subnet mask of
255.255.255.0, and you would like to block the workstation with IP address
192.168.1.8, then you would use the following filter:
| Field | Value |
| --- | --- |
| Source IP | 192.168.1.8 |
| Mask | 255.255.255.255 |
| TCP/IP Port | Any |
| Protocol Type | Any |
| Destination IP | 0.0.0.0 |
| Mask | 0.0.0.0 |
| TCP/IP Port | Any |
| If True Then | Discard |
| If False Then | Pass |
Tips
If the above filter is entered, this workstation will not have any
outgoing accessibility. If the purpose of the filter is to stop triggering
Dial-On-Demand (assuming one of the profiles has been defined as a
DOD profile) by this particular workstation, but its outgoing accessibility
is still preferred, change the "If True" field from "Discard"
to "Restrict".
Block Outgoing Access for a Range of Workstations
If the network IP address range is 192.168.1.1-254 with a subnet mask of
255.255.255.0, and you would like to block the workstations with IP
addresses 192.168.1.8-15, then you would use the following filter:
| Field | Value |
| --- | --- |
| Source IP | 192.168.1.8 |
| Mask | 255.255.255.248 |
| TCP/IP Port | Any |
| Protocol Type | Any |
| Destination IP | 0.0.0.0 |
| Mask | 0.0.0.0 |
| TCP/IP Port | Any |
| If True Then | Discard |
| If False Then | Pass |
Tips
- Packet filter matching is based on the Mask first, THEN the IP address.
In other words, in the above example, once the Mask 255.255.255.248 has
been entered, the Source IP can be any address between 192.168.1.8 and
192.168.1.15 (8 and 15 included) and the whole 8-15 range will be blocked.
Please check Appendix A: Subnet Mask Table for the IP range that each
Mask value covers.
- If you only want to block a few workstations, such as 2 or 3, you may
want to implement a packet filter for each workstation. However, if you
want to block a large number of workstations, it is easier to specify a
Mask range.
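The mask-then-address matching and the True/False action chain described in the tips above, as an added simulation that is not part of the manual and not the router's firmware; it models the six default filters and the range-blocking filter exactly as the tables give them, with the sample packets constructed here:

```python
import ipaddress

# Filter actions, named as the router's configuration screen names them.
PASS, RESTRICT, DISCARD, NEXT = "Pass", "Restrict", "Discard", "Go to Next Filter"

def ip_matches(addr, filter_ip, mask):
    # Mask first, THEN compare: a filter written as 192.168.1.8/255.255.255.248
    # matches any source in 192.168.1.8-15, whichever address was typed in.
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(addr)) & m) == (int(ipaddress.IPv4Address(filter_ip)) & m)

def filter_matches(pkt, flt):
    # "True" means every criterion matched; "Any" matches every port or protocol.
    return (ip_matches(pkt["src"], flt["src"], flt["smask"])
            and ip_matches(pkt["dst"], flt["dst"], flt["dmask"])
            and flt["proto"] in ("Any", pkt["proto"])
            and flt["sport"] in ("Any", pkt["sport"])
            and flt["dport"] in ("Any", pkt["dport"]))

def evaluate(filters, pkt, isdn_up):
    """Walk the filter sequence; return (verdict, triggers_dod)."""
    for flt in filters:
        action = flt["if_true"] if filter_matches(pkt, flt) else flt["if_false"]
        if action == NEXT:
            continue                      # hand the packet to the next filter
        if action == PASS:
            return ("pass", True)         # forwarded, and may dial on demand
        if action == RESTRICT:
            return ("pass" if isdn_up else "drop", False)  # never triggers DOD
        return ("drop", False)            # Discard
    return ("pass", True)                 # "Go to Next Filter" with no next filter == Pass

def make_filter(src, smask, sport, proto, dst, dmask, dport, if_true, if_false):
    return dict(src=src, smask=smask, sport=sport, proto=proto, dst=dst,
                dmask=dmask, dport=dport, if_true=if_true, if_false=if_false)

def default_filters():
    # The six built-in v4.0 filters: NetBIOS ports 137-139 over TCP and UDP,
    # Restrict when matched, otherwise fall through; filter 6 ends with Pass.
    flts = [make_filter("0.0.0.0", "0.0.0.0", "Any", proto, "0.0.0.0", "0.0.0.0",
                        port, RESTRICT, NEXT)
            for port in (137, 138, 139) for proto in ("TCP", "UDP")]
    flts[-1]["if_false"] = PASS
    return flts

# Constructed sample packets (not from the manual).
NETBIOS_QUERY = dict(src="192.168.1.8", dst="1.2.3.4", proto="UDP", sport=137, dport=137)
WEB_REQUEST = dict(src="192.168.1.12", dst="1.2.3.4", proto="TCP", sport=1025, dport=80)
# The manual's "range of workstations" filter: 192.168.1.8-15 discarded, the rest passed.
RANGE_BLOCK = [make_filter("192.168.1.8", "255.255.255.248", "Any", "Any",
                           "0.0.0.0", "0.0.0.0", "Any", DISCARD, PASS)]
```

Running `evaluate(default_filters(), NETBIOS_QUERY, isdn_up=False)` shows the NetBIOS packet being held by filter 2 without dialling, while the same web request is discarded by RANGE_BLOCK from 192.168.1.12 but passed from 192.168.1.16.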
Block Outgoing Web (HTTP) Access for One Workstation
If the network IP address range is 192.168.1.1-254 with a subnet mask of
255.255.255.0, and you would like to block the workstation with IP address
192.168.1.8, then you would use the following filter:
| Field | Value |
| --- | --- |
| Source IP | 192.168.1.8 |
| Mask | 255.255.255.255 |
| TCP/IP Port | Any |
| Protocol Type | TCP |
| Destination IP | 0.0.0.0 |
| Mask | 0.0.0.0 |
| TCP/IP Port | 80 |
| If True Then | Discard |
| If False Then | Pass |
Tips
- Other packets such as FTP and ICMP (Ping) can still get through.
- If blocking particular web sites such as adult sites is preferred,
enter the site's IP address in Destination IP field and 255.255.255.255
in Mask field.
- Finding out certain web site's IP address can be done by going
to MS-DOS mode and pinging the site's domain name. The site's IP
address will appear in the reply messages.
Block Incoming Access
If the network IP range is 192.168.1.1-254 with a subnet mask of
255.255.255.0, an FTP server on the network has the IP address 192.168.1.2,
and you would like it to be accessible only from the IP address range
(workstations) 100.100.100.1-63, then you would use the following filter to
block all incoming access from the Internet to the FTP server on the LAN
except from the specified workstations.
| Field | Value |
| --- | --- |
| Source IP | 100.100.100.0 |
| Mask | 255.255.255.192 |
| TCP/IP Port | Any |
| Protocol Type | TCP |
| Destination IP | 192.168.1.2 |
| Mask | 255.255.255.255 |
| TCP/IP Port | 21 |
| If True Then | Pass |
| If False Then | Discard |
Tips
Keep in mind that the "Source IP" is the "From" IP and the "Destination IP"
is the "To" IP. In this example the packets "From" 100.100.100.1-63 are
allowed "To" 192.168.1.2.
Appendix A: Subnet Mask Table
Appendix B: Well-Known Ports, Protocols, and Applications
| Port # | Protocol | Application |
| --- | --- | --- |
| 20 | TCP | FTP data transfer |
| 21 | TCP | FTP control |
| 23 | TCP | Telnet |
| 25 | TCP | SMTP |
| 43 | TCP | whois |
| 53 | TCP/UDP | DNS |
| 70 | TCP | Gopher |
| 79 | TCP | Finger |
| 80 | TCP | HTTP |
| 110 | TCP | POPv3 |
| 161 | UDP | SNMP |
| 162 | UDP | SNMP-trap |
| 520 | UDP | RIP |