8-72 User’s Reference Guide
This header information is what the packet filter uses to make filtering decisions. It is important to note that an IP packet filter does not look into the IP data stream (the User Data from above) to make filtering decisions. Generic filters can look into the data.
Basic protocol types
TCP: Transmission Control Protocol. TCP provides reliable packet delivery and has a retransmission mechanism (so packets are not lost). RFC 793 is the specification for TCP.
UDP: User Datagram Protocol. Unlike TCP, UDP does not guarantee reliable, sequenced packet delivery. If data does not reach its destination, UDP does not retransmit the data. RFC 768 is the specification for UDP.
There are many more ports defined in the Assigned Addresses RFC. The tables on page 8-66 show some of these port assignments.
Filter Logic
Filter design is a test of logic, and filter rule ordering is critical. If a packet is passed through a series of filter rules and then the packet matches a rule, the appropriate action is taken. The packet will not pass through the remainder of the filter rules.
For example, if you had the following filter set...
Allow WWW access;
Allow FTP access;
Allow SMTP access;
Deny all other packets.
and a packet goes through these rules destined for FTP, the packet would pass through the first rule (WWW), go through the second rule (FTP), and match this rule; the packet is allowed through.
If, for example, you had this filter set instead...
Allow WWW access;
Allow FTP access;
Deny FTP access;
Deny all other packets.
and a packet goes through these rules destined for FTP, the packet would pass through the first filter rule (WWW), match the second rule (FTP), and the packet is allowed through. Even though the next rule is to deny all FTP traffic, the FTP packet will never make it to this rule.
Binary representation
It is easiest when doing filtering to convert the IP address and mask in question to binary. This will allow you to perform the logical AND to determine whether a packet matches a filter rule.
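As an added example (not code from the Netopia guide), the following Python script does what the two preceding sections describe: it converts addresses and masks to their 32-bit binary form, ANDs them to test whether a packet's destination matches a rule, and then walks a packet through an ordered rule set with first-match semantics, reproducing the misordered FTP set above. It also goes one step further with a shadowing check that reports rules an earlier rule makes unreachable. The LAN 192.168.1.0/255.255.255.0, the port numbers and the sample packet are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    dst_net: str           # destination network the rule was written for
    dst_mask: str          # subnet mask; 0.0.0.0 masks off every bit, so it matches any address
    proto: str             # "tcp", "udp" or "any"
    dst_port: "int | None" # None matches any port

def bits(addr: str) -> int:
    """Dotted quad -> 32-bit integer; format(bits(a), '032b') shows the binary form the guide works in."""
    return int(ipaddress.IPv4Address(addr))

def address_matches(pkt_addr: str, rule_net: str, mask: str) -> bool:
    """AND the packet address and the rule address with the mask; equal results mean a match."""
    m = bits(mask)
    return (bits(pkt_addr) & m) == (bits(rule_net) & m)

def rule_matches(rule: Rule, pkt: dict) -> bool:
    return (address_matches(pkt["dst"], rule.dst_net, rule.dst_mask)
            and rule.proto in ("any", pkt["proto"]) and rule.dst_port in (None, pkt["dport"]))

def filter_packet(rules, pkt):
    """First match wins: return (action, rule index). Rules after the match are never consulted."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, i
    return "deny", None  # only reached if the set does not end with a deny-all rule

def covers(a: Rule, b: Rule) -> bool:
    """True when every packet matching b also matches a (a is no more specific than b)."""
    ma, mb = bits(a.dst_mask), bits(b.dst_mask)
    return ((ma & mb) == ma and (bits(b.dst_net) & ma) == (bits(a.dst_net) & ma)
            and a.proto in ("any", b.proto) and a.dst_port in (None, b.dst_port))

def shadowed(rules):
    """Indices of rules that can never fire because an earlier rule already covers them."""
    return [j for j, b in enumerate(rules) if any(covers(a, b) for a in rules[:j])]

# Constructed sample: the guide's second filter set, written for an assumed LAN of 192.168.1.0/24.
LAN, MASK = "192.168.1.0", "255.255.255.0"
MISORDERED = [
    Rule("allow", LAN, MASK, "tcp", 80),              # Allow WWW access
    Rule("allow", LAN, MASK, "tcp", 21),              # Allow FTP access
    Rule("deny", LAN, MASK, "tcp", 21),               # Deny FTP access: shadowed by the rule above
    Rule("deny", "0.0.0.0", "0.0.0.0", "any", None),  # Deny all other packets
]
FTP_PKT = {"dst": "192.168.1.20", "proto": "tcp", "dport": 21}  # constructed packet
```

Running `filter_packet(MISORDERED, FTP_PKT)` returns `('allow', 1)` and `shadowed(MISORDERED)` returns `[2]`, confirming that the deny-FTP rule is never consulted.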
Logical AND function
When a packet is compared (in most cases) a logical AND function is performed. First the IP addresses and subnet masks are converted to binary and then combined with AND. The rules for the logical use of AND are as follows: