Operation Manual
Filters and Rules
NT/MPRI – 4 Special NT/MPRI Settings 54
• Global Input Filter: checks packets arriving at the NT/MPRI from any direction (from the LAN or from ISDN).
• Global Output Filter: checks packets about to be sent from the NT/MPRI in any direction (to the LAN or to ISDN).
• Forwarding Filter: checks all packets being forwarded in the NT/MPRI from one network to another (e.g. from the LAN to a remote destination network or from one remote network to another).
An illustration of the various filter instances is presented from page 53.
Filters and Rules
A filter is composed of the following components:
• An ordered sequence of rules.
• A default action which is performed on all packets for which no rule in a profile applies.
• A logging instruction for packets handled by this rule. Log information is used primarily to record attempts to “break into” the LAN and, if possible, to trace the culprit.
Rules always consist of the following components:
• A description of the packet type to which the rule applies. This description entails three criteria which the NT/MPRI uses to check whether the rule applies to a packet:
  – Service: here you can specify all IP services, only certain services (such as ftp or telnet), or just specific actions (such as ftp access to the LAN from the Internet) as criteria.
  – Source of the packet: defined as a particular network or a concrete host address.
  – Destination of the packet: defined in the same way as the source.
• One of three actions to be performed on packets to which the rule applies:
  – Accept: the packet is sent to the destination address specified in the header or passed to the next filter.
  – Deny: the packet is not sent on, but simply discarded.
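
The filter structure described above (ordered rules, default action, log), modelled as an added example; this is not NT/MPRI code or configuration syntax. It assumes the first applicable rule decides, that services are plain names, and that every decision is logged; all class and function names are hypothetical, and only the Accept and Deny actions named above are used. The shadowed_rules check shows why rule order deserves an audit: a rule placed behind a broader one never takes effect.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    service: str       # "any" or one service name, e.g. "ftp", "telnet"
    source: str        # network in CIDR form or a single host address
    destination: str   # same form as source
    action: str        # "accept" or "deny"

@dataclass
class Filter:
    rules: list                    # ordered: position decides precedence (assumption)
    default_action: str            # used when no rule applies
    log: list = field(default_factory=list)

def _net(spec):
    return ipaddress.ip_network(spec)

def evaluate(flt, service, src, dst):
    """Return (action, rule_index); rule_index is None for the default action."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hit = next((i for i, r in enumerate(flt.rules)
                if r.service in ("any", service)
                and s in _net(r.source) and d in _net(r.destination)), None)
    action = flt.default_action if hit is None else flt.rules[hit].action
    flt.log.append((service, src, dst, action, hit))  # record for later review
    return action, hit

def shadowed_rules(flt):
    """Indices of rules that an earlier, broader rule makes unreachable."""
    out = []
    for j, rj in enumerate(flt.rules):
        for ri in flt.rules[:j]:
            if (ri.service in ("any", rj.service)
                    and _net(rj.source).subnet_of(_net(ri.source))
                    and _net(rj.destination).subnet_of(_net(ri.destination))):
                out.append(j)
                break
    return out

# Constructed sample forwarding filter (addresses are illustrative only).
FORWARDING = Filter(rules=[
    Rule("ftp", "0.0.0.0/0", "192.168.1.10", "accept"),
    Rule("any", "0.0.0.0/0", "192.168.1.0/24", "deny"),
    Rule("telnet", "10.0.0.0/8", "192.168.1.20", "accept"),  # never reached
], default_action="deny")
```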