User Manual

Security Examples
11-30
- Prevents IP spoofing
- Permits outgoing Telnet connections
- Permits SMTP (Simple Mail Transfer Protocol) traffic to the local SMTP server, 192.0.1.102. The backup SMTP server is 192.0.1.103
- Permits NNTP (Network News Transfer Protocol) traffic between the local NNTP server, 192.0.1.104, and the remote NNTP server, 192.0.2.100
- Permits outgoing FTP connections
- Denies X-Windows traffic, but permits other incoming TCP/IP traffic to ports 1023 and higher
- Permits DNS queries to the local Domain Name Server, 192.0.1.101
- Permits ICMP (Internet Control Message Protocol) messages
- Permits outgoing finger requests
The firewall will be named fw_i. Packets that do not specifically match the filters in fw_i will be denied
passage through the SCS.
Note: Due to the length of the commands in the following examples, the keywords
Define and Filter are shortened to Def and Filt.
The Set/Define Filter Create command is used to create the firewall.

Figure 11-58: Creating the Filter List

Local>> DEF FILT fw_i CREATE

To prevent IP spoofing, the Define Filter Add Deny IP SRC command is used. This filter blocks any packet arriving from an outside network that claims to have originated from the local network, identified in the command by the mask 255.255.255.0 and the network address 192.0.1.0. This filter is placed at the beginning of the filter list; if it were not, spoofed IP packets could be permitted passage by filters positioned before this rule, since the first matching filter decides what happens to a packet.

Figure 11-59: Preventing IP Spoofing

Local>> DEF FILT fw_i ADD DENY IP SRC 255.255.255.0 192.0.1.0

Note: The CERT advisory on IP spoofing is available from ftp://cert.org/pub/cert_advisories/CA-95:01.IP.spoofing.

To permit outgoing Telnet connections initiated from the local network, the following command is used. The rule describes the return traffic of such a connection as it arrives from the outside network: TCP segments whose source port is Telnet (port 23), whose destination is a local port above 1023, and which carry the ACK flag. A segment without ACK, such as the SYN an outside host would send to open a connection, does not match and is denied by the default rule.

Figure 11-60: Permitting Outgoing Telnet Connections

Local>> DEF FILT fw_i ADD ALLOW IP TCP SPORT EQ TELNET DPORT GT 1023 ACK
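The following Python model is an added illustration and is not code from the manual or from the SCS. It applies the two fw_i rules shown on this page as an ordered, first-match, default-deny list to a few constructed packets, so that the effect of rule order and of the ACK clause can be seen directly. The parser understands only the keywords that appear in the two commands on this page (ALLOW/DENY, IP, TCP, SRC mask address, SPORT EQ, DPORT GT, ACK); the device's real grammar is wider. The Packet fields, the SERVICE_PORTS table and the local workstation 192.0.1.50 are assumptions made for the example.

```python
"""Added example, not code from the SCS manual: a small model of an ordered,
first-match, default-deny filter list such as fw_i, applied to constructed
packets.  parse_rule() understands only the keywords used by the two commands
on this page; Packet fields, SERVICE_PORTS and host 192.0.1.50 are assumed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# Service names the manual uses in place of port numbers (assumed mapping).
SERVICE_PORTS = {"TELNET": 23, "SMTP": 25, "FTP": 21}


@dataclass
class Packet:
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    proto: str = "TCP"
    ack: bool = False  # TCP ACK flag; clear only on the SYN that opens a connection


@dataclass
class Rule:
    action: str                            # "ALLOW" or "DENY"
    src_net: Optional[IPv4Network] = None  # None = any source address
    proto: Optional[str] = None            # None = any IP protocol
    sport_eq: Optional[int] = None
    dport_gt: Optional[int] = None
    require_ack: bool = False

    def matches(self, p: Packet) -> bool:
        """Every clause present in the rule must hold; absent clauses match anything."""
        if self.src_net is not None and ip_address(p.src) not in self.src_net:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.sport_eq is not None and p.sport != self.sport_eq:
            return False
        if self.dport_gt is not None and p.dport <= self.dport_gt:
            return False
        if self.require_ack and not p.ack:
            return False
        return True


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else SERVICE_PORTS[tok]  # KeyError: name not modelled


def parse_rule(text: str) -> Rule:
    """Parse the part of a 'DEF FILT <list> ADD ...' command that follows ADD."""
    tok = text.upper().split()
    if len(tok) < 2 or tok[0] not in ("ALLOW", "DENY") or tok[1] != "IP":
        raise ValueError("expected 'ALLOW|DENY IP ...': " + text)
    rule, i = Rule(action=tok[0]), 2
    while i < len(tok):
        t = tok[i]
        if t in ("TCP", "UDP", "ICMP"):
            rule.proto, i = t, i + 1
        elif t == "SRC":  # the manual writes the mask first, then the network address
            rule.src_net, i = ip_network(f"{tok[i + 2]}/{tok[i + 1]}", strict=False), i + 3
        elif t == "SPORT" and tok[i + 1] == "EQ":
            rule.sport_eq, i = _port(tok[i + 2]), i + 3
        elif t == "DPORT" and tok[i + 1] == "GT":
            rule.dport_gt, i = _port(tok[i + 2]), i + 3
        elif t == "ACK":
            rule.require_ack, i = True, i + 1
        else:
            raise ValueError(f"unsupported token {t!r} in: {text}")
    return rule


def evaluate(rules: List[Rule], p: Packet) -> str:
    """The first matching rule decides; a packet matching no rule is denied, as in fw_i."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "DENY"


# The two rules this page adds to fw_i, in the order the text recommends.
FW_I = [parse_rule("DENY IP SRC 255.255.255.0 192.0.1.0"),
        parse_rule("ALLOW IP TCP SPORT EQ TELNET DPORT GT 1023 ACK")]

# Constructed packets as seen arriving from the outside network.  192.0.2.100 is
# the manual's remote host; 192.0.1.50 is an assumed local workstation.
SAMPLE_PACKETS: Dict[str, Packet] = {
    # Outsider forging a local source address, dressed up as a Telnet reply.
    "spoofed": Packet("192.0.1.50", "192.0.1.102", sport=23, dport=4000, ack=True),
    # SYN-ACK answering a Telnet session a local host opened.  A filter with no
    # connection state cannot tell this from an unsolicited ACK sent from port 23.
    "telnet_reply": Packet("192.0.2.100", "192.0.1.50", sport=23, dport=4000, ack=True),
    # Outsider trying to open a Telnet session to a local host.
    "inbound_syn": Packet("192.0.2.100", "192.0.1.50", sport=4000, dport=23),
    # Outsider opening a connection from port 23 to a high port: no ACK, no match.
    "syn_from_23": Packet("192.0.2.100", "192.0.1.50", sport=23, dport=4000),
}


def decisions(rules: List[Rule] = FW_I) -> Dict[str, str]:
    """Decision for every sample packet under the given rule order."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    print("recommended order:", decisions())
    print("spoof rule placed second:", decisions(list(reversed(FW_I))))
```

Running the module shows the point the text makes about rule order: with the deny rule first, the packet from outside that claims source 192.0.1.50 is dropped, but with the two rules swapped it is admitted by the Telnet rule, because it has source port 23, a high destination port and the ACK flag. The ACK clause is what keeps that rule from opening the network to Telnet sessions started from outside, since an initial SYN carries no ACK bit. Its limit is visible as well: a filter that keeps no connection state, as this model does not, cannot distinguish a genuine SYN-ACK reply from an unsolicited ACK segment an outsider sends from port 23 to a high port, so such probes pass the rule even though they cannot establish a connection.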