User guide
Chapter 4. Configuring Special Features 105
action is for packets coming from the local protected network; it passes the packet to IPSec so it can be
encrypted and sent to the other IPSec gateway.
Although filters are the mechanism by which packets are passed to IPSec, it is recommended that you use
IKE, rather than your own filters, to manage your IP Security (see IPSec (Internet Protocol Security), page
119).
IP Filter Commands
To define and manage IP filters on an Ethernet interface, use the command eth ip filter. To define and manage IP
filters on the remote interface, use the command remote ipfilter. For more information on these commands, see
ETH IP FILTER, page 172 and REMOTE IPFILTER, page 191.
Special Notes
IP filters of Input type are checked before the IP packet is redirected by ICMP. This could adversely affect local
LANs that use ICMP redirect to dynamically learn IP routes. IP filters of Input type are checked before the IP
packet is sent to the router itself as a host.
Example:
The following commands prevent any host on the remote Internet from sending an IP packet to the Telnet port.
Because the packet is dropped by the Input filter, the router does not see the packet, and the packet is not forwarded.
remote ipfilter insert input drop -p tcp -dp 23 internet
save
These commands prevent any host on the remote Internet from sending an IP packet to the Telnet port
"through" the router to a different interface. The router itself could still receive the IP packet; hence,
the remote host could Telnet to the router itself.
remote ipfilter insert forward drop -p tcp -dp 23 internet
save
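The difference between the two rules above, as an added example that is not part of the original guide: a small Python model (not the router's own logic) of the Input and Forward check points as this section describes them. The addresses, the function names and the result strings are assumptions made for the illustration.

```python
from dataclasses import dataclass

ROUTER_IP = "192.0.2.1"   # constructed address of the router itself
LAN_HOST = "192.0.2.50"   # constructed address of a host behind the router

@dataclass(frozen=True)
class Packet:
    proto: str
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    chain: str      # "input" or "forward"
    action: str     # "drop" is the only action used in the guide's example
    proto: str
    dst_port: int

    def matches(self, pkt):
        return pkt.proto == self.proto and pkt.dst_port == self.dst_port

def parse_rule(line):
    """Parse only the command form shown in the guide:
    remote ipfilter insert <chain> <action> -p <proto> -dp <port> <remote>"""
    tok = line.split()
    if tok[:3] != ["remote", "ipfilter", "insert"]:
        raise ValueError("unsupported command: " + line)
    opts = dict(zip(tok[5:-1:2], tok[6:-1:2]))  # option/value pairs before <remote>
    return Rule(tok[3], tok[4], opts["-p"], int(opts["-dp"]))

def disposition(pkt, rules):
    """Return what happens to a packet arriving from the remote."""
    # Input filters are checked first, before the packet is handed to the
    # router as a host or considered for forwarding.
    for r in rules:
        if r.chain == "input" and r.action == "drop" and r.matches(pkt):
            return "dropped at input"
    if pkt.dst_ip == ROUTER_IP:
        return "delivered to router"
    # Forward filters only see packets going through to another interface.
    for r in rules:
        if r.chain == "forward" and r.action == "drop" and r.matches(pkt):
            return "dropped at forward"
    return "forwarded"
```

With only the forward rule loaded, a Telnet packet addressed to the router returns "delivered to router", which is the exposure the second example warns about.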