4-2 CHAPTER 4: FILTERING CAPABILITIES
■ Data filters - based on protocol-specific packet information.
■ Generic filters - based on packet structure.
Data Filters
Data filters control network access based on the protocol and source / destination
address of the packet.
Generic Filters
Generic filters are protocol-independent and are specified by byte and offset
values in a packet. Packets are filtered by comparing each packet’s offset value
and byte information with the values that you define in the filter. The bridge will
accept or reject the packet based on the result.
Creating generic filters can be a complex task. Only experienced users should
employ generic filters, and strictly in cases where data and advertising filters
cannot provide the filtering capabilities that you require.
Creating Filters
Before creating a filter file, you should carefully identify the information you want
to filter. Decide whether you want a filter that discards packets (such as reject all
packets whose source MAC address is 002069000001) or one that accepts only a subset
of packets (such as accept only bridged packets if the destination MAC address is
002069000001 or 002069000002). Also determine where you want to place the
filter. For example, decide whether you want to apply the filter to packets coming
into the Ethernet interface, to packets going out the WAN (ATM) interface, or to
packets coming from a specific port.
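The byte-and-offset comparison that generic filters perform, applied to the two MAC address policies described above, as an added Python model (not the modem's filter-file syntax and not 3Com code). The rule structure, the first-match evaluation order, the default action and the sample frames are assumptions constructed for illustration; offsets 0 and 6 are the standard destination and source MAC positions in an Ethernet header.

```python
from dataclasses import dataclass

ACCEPT, REJECT = "accept", "reject"

# Standard Ethernet header layout: destination MAC at bytes 0-5, source MAC at 6-11.
DST_MAC_OFFSET = 0
SRC_MAC_OFFSET = 6


@dataclass(frozen=True)
class GenericRule:
    """Hypothetical rule model: compare `value` with the packet bytes at `offset`."""
    offset: int
    value: bytes
    action: str

    def matches(self, packet: bytes) -> bool:
        end = self.offset + len(self.value)
        # A packet too short to contain the compared bytes can never match.
        if end > len(packet):
            return False
        return packet[self.offset:end] == self.value


def evaluate(rules, packet: bytes, default: str) -> str:
    """Assumed semantics: the first matching rule decides, else the default applies."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


def frame(dst: str, src: str, payload: bytes = b"\x08\x00" + b"\x00" * 46) -> bytes:
    """Build a constructed sample frame from two hex MAC strings."""
    return bytes.fromhex(dst) + bytes.fromhex(src) + payload


# Policy 1 from the text: reject all packets whose source MAC is 002069000001.
BLOCK_SOURCE = [GenericRule(SRC_MAC_OFFSET, bytes.fromhex("002069000001"), REJECT)]

# Policy 2 from the text: accept only packets whose destination MAC is one of two.
ALLOW_DESTS = [
    GenericRule(DST_MAC_OFFSET, bytes.fromhex("002069000001"), ACCEPT),
    GenericRule(DST_MAC_OFFSET, bytes.fromhex("002069000002"), ACCEPT),
]
```

In this model a frame too short to reach the compared offset matches no rule and falls through to the default, so a reject list with a default of accept passes it while an accept list with a default of reject drops it.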
The first step in creating a filter on the 3Com HomeConnect ADSL Modem
Ethernet is to create a file using filter syntax. The file can be created using a text
editor on a remote workstation or it can be created using the CLI create text
command. File names should be short and descriptive, such as BLOCKPC1.FLT.
The create text command simply redirects console input into a text file in the
unit’s FLASH memory. It does not provide any editing capabilities.
If you create the file on a remote workstation, you will need to transfer the file to
the unit’s FLASH memory using TFTP.
Once the filter file has been created and stored in the unit’s FLASH memory, you
then use CLI commands to add the filter to the list of filters and apply the filter to
the appropriate interface or bridge port profile.
Filter File Components
You define the filtering rules used by the bridge within filter files. Filter files are
text files that are stored in the unit’s FLASH memory. You can create and modify
filter files using an off-line text editor, then transfer the finished file to the unit
using TFTP.
To be valid, a filter file must always have the following file descriptor on the first
line:
#filter
Be sure that no blank space precedes the descriptor, or an error will occur.
The file descriptor is followed by the bridge protocol section.
Protocol Sections/Bridge
The following conditions will generate errors or prevent normal filter operation: