3Com 3C421600A, Руководство по управлению

Страница: 230 / 300

228 C
HAPTER
14: H
ANDLING
P
ACKET
F
ILTERS
Call Filters
If a call filter is configured on an interface, all transmitted packets are
checked against the filtering rules. The filtering rules determine whether
the packet can initiate an outgoing call. Call filters are checked only after
the packet has passed the output filter check. An interface without a call
filter configured will allow packets from all properly configured users to
initiate an outgoing call.
This filter is used for an ondemand call only.
Input Filters vs. Output Filters
When possible, use the input filter to filter an incoming packet rather
than wait to catch a packet as it attempts to exit. This is recommended
for the following reasons:
■
A packet is prevented from entering, keeping potential intruders from
attacking the RAS 1500.
■
The routing engine does not waste time processing a packet that is
going to be discarded anyway.
■
Most importantly, the RAS 1500 does not know which interface an
outgoing packet came in through. If a potential intruder forges a
packet with a false source address (to appear as a trusted host or
network), there is no way for an output filter to tell if that packet
came in through the wrong interface. An input filter, however, can
filter out packets purporting to be from networks that are actually
connected to a different interface.
User Filters You can configure filters for a specific user to control network access for
that user. This filter type is applied for the duration of the user network
connection only. As with interface filters, a user filter can be configured
as an input, output, or call filter. Remember, input filters handle data
from a user, while output filters handle data to a user.
User filters are dynamic only via RADIUS. Filter access must be turned ON
before the user connects and attempts a RADIUS request for filters.