>I have a question about IP filtering on the P50. Basically, what I
>want to do is set it up as a simple packet-level firewall.
>
> Essentially:
>
> - Allow ARP/ICMP/PING packets
> - Allow TCP/UDP traffic to ports > 1023
> - Allow HTTP, SMTP, NNTP, DNS, and a couple of others
> - Block everything else inbound from the net
[I wrote some filters to try and accomplish this. Here's the output from a "Save Cfg" command (if loaded into a P-50 with "Restore Cfg", this will be filter #4, called "Inet firewall"). I applied it to the BRI, in the default connection profile. -ddl]
START=FILT=200=3
Name=Inet firewall
In filter 01...Valid=Yes
In filter 01...Type=IP
In filter 01...Generic...Forward=Yes
In filter 01...Ip...Forward=Yes
In filter 01...Ip...Protocol=6
In filter 01...Ip...Dst Port Cmp=Eql
In filter 01...Ip...Dst Port #=25
In filter 02...Valid=Yes
In filter 02...Type=IP
In filter 02...Generic...Forward=Yes
In filter 02...Ip...Forward=Yes
In filter 02...Ip...Protocol=6
In filter 02...Ip...Dst Port Cmp=Eql
In filter 02...Ip...Dst Port #=80
In filter 03...Valid=Yes
In filter 03...Type=IP
In filter 03...Generic...Forward=Yes
In filter 03...Ip...Forward=Yes
In filter 03...Ip...Protocol=6
In filter 03...Ip...Dst Port Cmp=Eql
In filter 03...Ip...Dst Port #=119
In filter 04...Valid=Yes
In filter 04...Type=IP
In filter 04...Generic...Forward=Yes
In filter 04...Ip...Forward=Yes
In filter 04...Ip...Protocol=6
In filter 04...Ip...Dst Port Cmp=Eql
In filter 04...Ip...Dst Port #=53
In filter 05...Valid=Yes
In filter 05...Type=IP
In filter 05...Generic...Forward=Yes
In filter 05...Ip...Forward=Yes
In filter 05...Ip...Protocol=17
In filter 05...Ip...Dst Port Cmp=Eql
In filter 05...Ip...Dst Port #=53
In filter 06...Valid=Yes
In filter 06...Type=IP
In filter 06...Generic...Forward=Yes
In filter 06...Ip...Forward=Yes
In filter 06...Ip...Protocol=6
In filter 06...Ip...Dst Port Cmp=Gtr
In filter 06...Ip...Dst Port #=1023
In filter 07...Valid=Yes
In filter 07...Type=IP
In filter 07...Generic...Forward=Yes
In filter 07...Ip...Forward=Yes
In filter 07...Ip...Protocol=17
In filter 07...Ip...Dst Port Cmp=Gtr
In filter 07...Ip...Dst Port #=1023
In filter 08...Valid=Yes
In filter 08...Type=IP
In filter 08...Generic...Forward=Yes
In filter 08...Ip...Forward=Yes
In filter 08...Ip...Protocol=6
In filter 08...Ip...TCP Estab=Yes
In filter 09...Valid=Yes
In filter 09...Type=IP
In filter 09...Generic...Forward=Yes
In filter 09...Ip...Forward=Yes
In filter 09...Ip...Protocol=1
In filter 10...Valid=Yes
In filter 10...Generic...Forward=Yes
In filter 10...Generic...Offset=12
In filter 10...Generic...Length=4
In filter 10...Generic...Mask=ffff000000000000
In filter 10...Generic...Value=0806000000000000
END=FILT=200=3

In order, this filter should permit incoming:
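To check what the ten rules above actually let through, here is an added simulator (not Ascend code, not from the original post) that walks the filter list in order against constructed Ethernet frames. It assumes first-match semantics with an implicit drop when nothing matches, that a generic filter's Offset counts from the start of the Ethernet frame, and that "TCP Estab=Yes" matches segments with the ACK bit set.

```python
import struct

# Rules transcribed from the Save Cfg dump above, in filter order. All ten are Forward=Yes,
# so a match forwards; a packet matching no rule is dropped (assumption: implicit deny).
# Shapes: ("ip", protocol, dst-port cmp, port, tcp_estab) or ("generic", offset, length, mask, value)
RULES = [
    ("ip", 6, "Eql", 25, False), ("ip", 6, "Eql", 80, False), ("ip", 6, "Eql", 119, False),
    ("ip", 6, "Eql", 53, False), ("ip", 17, "Eql", 53, False),
    ("ip", 6, "Gtr", 1023, False), ("ip", 17, "Gtr", 1023, False),
    ("ip", 6, None, None, True),   # filter 08: established TCP only
    ("ip", 1, None, None, False),  # filter 09: any ICMP
    ("generic", 12, 4, bytes.fromhex("ffff000000000000"), bytes.fromhex("0806000000000000")),
]

def evaluate(frame: bytes) -> str:
    """First matching rule wins; returns "forward" or "drop" (assumed implicit deny)."""
    for rule in RULES:
        if rule[0] == "generic":
            _, off, length, mask, value = rule
            data = frame[off:off + length]          # assumption: offset from frame start
            if len(data) == length and all((d & m) == v for d, m, v in zip(data, mask, value)):
                return "forward"
            continue
        _, proto, cmp, port, estab = rule
        if frame[12:14] != b"\x08\x00" or frame[23] != proto:   # not IPv4, or wrong protocol
            continue
        l4 = frame[14 + (frame[14] & 0x0F) * 4:]                 # skip the IPv4 header (IHL)
        if estab and not (l4[13] & 0x10):                        # assumption: Estab == ACK set
            continue
        if cmp is not None:
            dport = struct.unpack("!H", l4[2:4])[0]
            if (cmp == "Eql" and dport != port) or (cmp == "Gtr" and dport <= port):
                continue
        return "forward"
    return "drop"

def ip_frame(proto: int, dport: int, tcp_flags: int = 0x02) -> bytes:
    """Constructed Ethernet/IPv4 frame carrying a minimal TCP (SYN by default), UDP or ICMP echo."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    elif proto == 17:
        l4 = struct.pack("!HHHH", 40000, dport, 8, 0)
    else:
        l4 = struct.pack("!BBHHH", 8, 0, 0, 0, 0)   # ICMP echo request
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, bytes(4), bytes(4))
    return bytes(12) + b"\x08\x00" + ip + l4

ARP_FRAME = bytes(12) + b"\x08\x06" + bytes(28)   # constructed ARP frame, body zeroed
```

Feeding it a SYN to port 23 returns "drop" while the same segment with ACK set returns "forward" via filter 08, and an unsolicited SYN to a port above 1023 is forwarded, which is exactly what the quoted policy asked for.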