PR2000 Installation Guide
8 Configuring Packet and Service Filtering
In this Chapter
This chapter explains how to configure the PR2000 to filter packets in order to
allow or deny access of specific hosts to specific network services. Packet and
service filtering helps keep the network secure; configuring it is optional.
8.1 What is Packet and Service Filtering?
Packet and Service filtering allows the PR2000 to filter out (block) packets that
do not satisfy a specific set of requirements. These requirements can be
defined based on the type of connection or on the source or destination network
address.
The filtering criteria are defined through a set of access lists or
filter lists (from now on referred to as filters), which define the packets that
are denied and permitted on each interface and for each protocol.
Because it has to be performed on a packet-by-packet basis, enabling filtering
has a potential impact on router performance. The PR2000 has CPU
processing power much greater than the average integrated router, and no
performance impact should be expected in typical configurations with one LAN
(10BaseT) and any combination of low-speed WAN connections (up to 512
Kbps) or two high-speed WAN connections (1.5/2.0 Mbps). For configurations
with three high-speed WAN connections (simultaneous channels at 1.5 Mbps+),
enabling complex filters has a potential impact on router throughput (which
depends on the number and complexity of the filters enabled).
The PR2000 allows the configuration of up to 32 filters. Each interface can use
any of the defined filters.
The filtering can be based on address, TCP port, or specific protocols.
A filter is composed of a series of rules. Simply put, a rule is a statement "if a
packet matches <condition>, then <deny/permit> forwarding". Besides being able
to define the rules for each filter list, you can also define the "default scope"
("permit" or "deny"), which applies to packets that match none of the rules.
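
The rule and default-scope model described above, as an added Python illustration (not PR2000 configuration syntax and not taken from the guide). The class and field names are hypothetical, the addresses are constructed documentation addresses, and first-match rule ordering is an assumption the guide does not state on this page.

```python
# Added illustration: a model of filter evaluation, not PR2000 syntax.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str                    # "tcp", "udp", "icmp"
    dst_port: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    protocol: Optional[str] = None   # None matches any protocol
    dst_port: Optional[int] = None   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and self.protocol in (None, pkt.protocol)
                and self.dst_port in (None, pkt.dst_port))

@dataclass
class Filter:
    rules: list
    default_scope: str = "deny"      # applied when no rule matches

    def evaluate(self, pkt: Packet) -> str:
        # Assumption: rules are checked in order and the first match decides.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default_scope

# Constructed sample: one rule permitting web traffic to a single server.
WEB_ONLY = [Rule("permit", dst_net="192.0.2.10/32", protocol="tcp", dst_port=80)]
default_deny = Filter(WEB_ONLY, default_scope="deny")
default_permit = Filter(WEB_ONLY, default_scope="permit")

web = Packet("198.51.100.7", "192.0.2.10", "tcp", 80)
telnet = Packet("198.51.100.7", "192.0.2.10", "tcp", 23)
```

With the same single rule, the Telnet packet is dropped under a "deny" default scope and forwarded under a "permit" default scope, which is why the default scope matters as much as the rules themselves.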