User manual

Packet Filters
Input Filters vs. Output Filters
When possible, use the input filter to filter an incoming packet
rather than waiting to catch a packet as it attempts to exit the
NETServer. This is recommended because:

- A packet is prevented from entering the NETServer,
  keeping potential intruders from attacking the NETServer
  itself.
- The NETServer routing engine does not waste time
  processing a packet that is going to be discarded anyway.
- Most importantly, the NETServer does not know which
  interface an outgoing packet came in through. If a potential
  intruder forges a packet with a false source address (in
  order to appear as a trusted host or network), there is no
  way for an output filter to tell if that packet came in through
  the wrong interface. An input filter, on the other hand, can
  filter out packets purporting to be from networks that are
  actually connected to a different interface.
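
The third point can be seen in a small model. This is an added example, not NETServer filter syntax or code from the manual; the interface names, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed topology (assumption): networks directly attached to each interface.
ATTACHED = {
    "lan0": ipaddress.ip_network("192.168.10.0/24"),  # trusted hosts
    "dmz0": ipaddress.ip_network("10.0.5.0/24"),      # protected servers
    "wan0": None,                                     # untrusted side, no fixed network
}
TRUSTED = ATTACHED["lan0"]

def input_filter(ingress_if, src):
    """Accept unless src claims a network attached to a different interface."""
    addr = ipaddress.ip_address(src)
    return not any(net is not None and ifname != ingress_if and addr in net
                   for ifname, net in ATTACHED.items())

def output_filter(egress_if, src):
    """Sees only the packet and the exit interface: allow trusted sources into the DMZ."""
    if egress_if == "dmz0":
        return ipaddress.ip_address(src) in TRUSTED
    return True

def forward(ingress_if, src, dst, use_input_filter):
    """Return 'dropped-at-input', 'dropped-at-output' or 'forwarded'."""
    if use_input_filter and not input_filter(ingress_if, src):
        return "dropped-at-input"
    dst_addr = ipaddress.ip_address(dst)
    egress_if = next((name for name, net in ATTACHED.items()
                      if net is not None and dst_addr in net), "wan0")
    # The ingress interface is not passed on: the output filter cannot see it.
    if not output_filter(egress_if, src):
        return "dropped-at-output"
    return "forwarded"

if __name__ == "__main__":
    packets = {
        "genuine": ("lan0", "192.168.10.7", "10.0.5.20"),
        "forged":  ("wan0", "192.168.10.7", "10.0.5.20"),  # false trusted source
    }
    for label, pkt in packets.items():
        print(label,
              "| output filter only:", forward(*pkt, use_input_filter=False),
              "| with input filter:", forward(*pkt, use_input_filter=True))
```

With only the output filter, the genuine and the forged packet are indistinguishable and both are forwarded; with the input filter, the forged one is dropped on arrival.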

User Filters
You can configure user filters that control access to the network
for a specific user. A user filter is applied only for the duration
of that user's network connection. As with interface filters, a user
filter can be configured as an input, output or call filter.

Assigning Filters
You can assign filters to interfaces and/or users using CLI
commands. This section describes:

- Assigning a filter to an interface
- Assigning a filter to a user profile
- Setting filter access