Efficient Networks® Router family Technical Reference Guide
Chapter 5: System Security
Product specifications
Page 5-26
Filter Examples
Example 1: Input Filters Vs. Receive Filters
The following command adds a filter to the beginning of the Input Filters list:
-> remote ipfilter insert input drop -p tcp -dp 23 internet
When used, the input filter matches any packet arriving on the remote interface internet that has
protocol TCP and destination port 23. Input filters are checked before Network
Address Translation, if any; any packet that matches the filter is dropped. Thus, this
filter stops any attempt by a host on the remote internet to send an IP
packet to the Telnet port. The router itself never sees the packet, and the packet is not
forwarded.
Consider, next, the following command, which adds a filter identical to the above filter to
the beginning of the Receive Filters list:
-> remote ipfilter insert receive drop -p tcp -dp 23 internet
In the following cases, the Receive filter has the same effect as the Input filter:
• If Network Address Translation is disabled.
• If Network Address Translation is enabled and the Telnet public port is mapped to the
  Telnet private port by a remote addserver command, such as the following:
  -> remote addserver 10.0.1.1 tcp telnet internet
However, the Receive filter does not have the same effect as the Input filter in the
following case:
• If Network Address Translation is enabled and another public port is mapped to the
  Telnet private port. For example, the following command maps the public port 2000 to
  the Telnet private port:
  -> remote addserver 10.0.1.1 tcp 2000 2000 telnet internet
In this case, Network Address Translation would translate the packets with port 2000
to the Telnet port and the Receive filter would drop those packets.
For more information, see Network Address Translation (NAT) on page 4-17 and the
remote addserver command.
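The difference between the two filter lists comes down to where they sit relative to Network Address Translation. The following Python model, added here as an illustration and not taken from the guide or the router firmware, replays the three cases of Example 1 on constructed sample packets. It assumes the pipeline order the text describes (Input Filters, then NAT, then Receive Filters), that a packet matching no filter is accepted, and that a remote addserver mapping covers a single public port; the public address 192.0.2.1 is a constructed placeholder.

```python
# Added example: a small model of the order in which the router applies
# Input Filters, Network Address Translation and Receive Filters, so the
# behaviour described in Example 1 can be checked on sample packets.
# Illustrative code only; pipeline order (input -> NAT -> receive) is taken
# from the guide, the rest (no match means accept, one public port per
# mapping, the address 192.0.2.1) is an assumption of this example.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    interface: str   # remote interface the packet arrived on, e.g. "internet"
    proto: str       # "tcp" or "udp"
    dst_addr: str
    dst_port: int


@dataclass(frozen=True)
class Filter:
    """One entry of an Input or Receive Filters list (-p / -dp / interface)."""
    action: str                       # "drop" or "accept"
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    interface: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dst_port)
                and (self.interface is None or self.interface == pkt.interface))


@dataclass(frozen=True)
class ServerMap:
    """Simplified model of 'remote addserver <addr> <proto> <public> <private> <if>'
    (assumption: a single public port per mapping)."""
    interface: str
    proto: str
    public_port: int
    private_addr: str
    private_port: int


def first_match(filters: List[Filter], pkt: Packet) -> str:
    """The first matching filter decides; assumption: no match means accept."""
    for f in filters:
        if f.matches(pkt):
            return f.action
    return "accept"


def translate(maps: List[ServerMap], pkt: Packet) -> Packet:
    """Rewrite the destination to the private server when the public port is mapped."""
    for m in maps:
        if (m.interface, m.proto, m.public_port) == (pkt.interface, pkt.proto, pkt.dst_port):
            return Packet(pkt.interface, pkt.proto, m.private_addr, m.private_port)
    return pkt


def process(pkt: Packet, input_filters: List[Filter], receive_filters: List[Filter],
            nat_maps: List[ServerMap], nat_enabled: bool) -> str:
    """Run one inbound packet through the pipeline and report its fate."""
    if first_match(input_filters, pkt) == "drop":
        return "dropped by input filter"          # checked before NAT
    if nat_enabled:
        pkt = translate(nat_maps, pkt)
    if first_match(receive_filters, pkt) == "drop":
        return "dropped by receive filter"        # checked after NAT
    return f"delivered to {pkt.dst_addr}:{pkt.dst_port}"


# The filter from Example 1: drop tcp, destination port 23, on interface internet.
TELNET_DROP = Filter("drop", proto="tcp", dst_port=23, interface="internet")
# remote addserver 10.0.1.1 tcp telnet internet
MAP_TELNET = ServerMap("internet", "tcp", 23, "10.0.1.1", 23)
# remote addserver 10.0.1.1 tcp 2000 2000 telnet internet (one public port modelled)
MAP_2000 = ServerMap("internet", "tcp", 2000, "10.0.1.1", 23)
# Constructed sample: the router's public address (placeholder).
PUBLIC = "192.0.2.1"


def compare(dst_port: int, nat_maps: List[ServerMap], nat_enabled: bool = True) -> dict:
    """Fate of a packet to dst_port with the drop filter placed as Input vs Receive."""
    pkt = Packet("internet", "tcp", PUBLIC, dst_port)
    return {
        "input": process(pkt, [TELNET_DROP], [], nat_maps, nat_enabled),
        "receive": process(pkt, [], [TELNET_DROP], nat_maps, nat_enabled),
    }


if __name__ == "__main__":
    print("NAT off, port 23:      ", compare(23, [], nat_enabled=False))
    print("NAT on, telnet->telnet:", compare(23, [MAP_TELNET]))
    print("NAT on, 2000->telnet:  ", compare(2000, [MAP_2000]))
```

Running it shows the point of the example: with NAT off, or with the Telnet public port mapped to the Telnet private port, both placements drop the packet. With public port 2000 mapped to Telnet, the Input filter on port 23 never matches and the translated packet reaches 10.0.1.1:23, while the Receive filter, evaluated after translation, drops it. When filtering a service that sits behind a port mapping, the filter has to be written for the port as it appears at the point in the pipeline where the filter runs.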
Example 2: Filters That Allow Traffic To, But Not Through
Suppose you wanted to allow Telnet packets destined for the router itself, but drop
any Telnet packets destined for another interface. This requires two filters. The first
filter allows Telnet traffic to the IP address of the router (in this example, 10.0.1.1).
The second filter drops all other Telnet traffic.