Product specifications
Efficient Networks®
Router family
Technical Reference Guide
Chapter 5: System Security
Page 5-25
Output Filters
Finally, the router compares the packet to the list of output filters for this interface. The
first filter that matches the packet determines whether the packet is accepted,
dropped, or rejected. If no filter matches the packet, the packet is accepted.
The packet, if accepted, is then sent out the interface.
NOTE: If Network Address Translation is disabled, the Output filter list is checked
immediately after the Transmit filter list. In this case, identical Transmit and Output
filters have the same effect.
Filter Actions
A filter action can be applied to a packet at each of the four filtering points (Input,
Receive, Transmit, and Output). If, at that point, a given filter is the first filter in the list
to match that packet, the action specified by that filter determines the fate of the
packet. The possible filter actions are:
Accept: The router lets the packet proceed for further processing.
Drop: The router discards the packet.
Reject: The router sends an ICMP REJECT (Internet Control Message Protocol) to
reject the packet.
Pass to IPSec: Two actions, inipsec and outipsec, pass the packet to IPSec for
further processing. The inipsec action is for packets coming from the other IPSec
gateway; it passes the packet to IPSec for decrypting. The outipsec action is for
packets coming from the local protected network; it passes the packet to IPSec so
it can be encrypted and sent to the other IPSec gateway.
Although filters are the mechanism by which packets are passed to IPSec, it is
recommended that you use IKE, rather than your own filters, to manage your IP
security (see “IPSec (Internet Protocol Security)” on page 5-50).
IP Filter Commands
To define and manage IP filters on an Ethernet interface, use the eth ip filter
command. To define and manage IP filters on the remote interface, use the remote
ipfilter command.
ICMP Redirect
IP filters of Input type are checked before the IP packet is redirected by ICMP. This
could adversely affect local LANs that use ICMP redirect to dynamically learn IP
routes. IP filters of Input type are also checked before the IP packet is sent to the
router itself as a host.
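The first-match rule and the implicit accept described under Output Filters and Filter Actions, modeled as an added example (not code from this guide or from the router): it evaluates a filter list the way the text describes and audits it for filters that can never fire and for lists that fall through to the implicit accept. The Filter match fields, the function names, and the sample list are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Filter:
    # Hypothetical match fields; the guide does not list the router's real options.
    action: str                    # accept | drop | reject | inipsec | outipsec
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        addr, net = ipaddress.ip_address, ipaddress.ip_network
        return (addr(pkt["src"]) in net(self.src) and addr(pkt["dst"]) in net(self.dst)
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt.get("dport")))

def evaluate(filters, pkt):
    """First matching filter decides; with no match the packet is accepted."""
    for i, f in enumerate(filters):
        if f.matches(pkt):
            return f.action, i
    return "accept", None

def covers(a: Filter, b: Filter) -> bool:
    """True when every packet that matches b also matches a."""
    net = ipaddress.ip_network
    return (net(b.src).subnet_of(net(a.src)) and net(b.dst).subnet_of(net(a.dst))
            and a.proto in (None, b.proto) and a.dport in (None, b.dport))

def audit(filters):
    """Report filters that can never fire and lists that end in the implicit accept."""
    findings = []
    for j, f in enumerate(filters):
        earlier = next((i for i in range(j) if covers(filters[i], f)), None)
        if earlier is not None:
            findings.append(("shadowed", j, earlier))
    if not any(covers(f, Filter("drop")) for f in filters):
        findings.append(("implicit-accept", None, None))
    return findings

# Constructed output filter list for a LAN of 192.168.1.0/24.
SAMPLE = [
    Filter("drop", proto="tcp", dport=23),
    Filter("accept", src="192.168.1.0/24", proto="tcp", dport=443),
    Filter("drop", src="192.168.1.10/32", proto="tcp", dport=443),  # never reached
]
```

Appending a catch-all `Filter("drop")` to the list turns the implicit accept into an explicit default deny, and the audit then reports only the shadowed filter.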