I have a PM2E/20+ISDN, and a Cisco Router. The customer has a Compatible
Systems MR900i router (yuk). This is a dialup V.34 customer, but we are
upgrading July 1 to a 128K ISDN connection (Using our NEW 5-BRI card for you
guys, that works SLICK BTW!)
My Class C: 206.115.32.0/255.255.255.0
My PM2E: 206.115.32.12
My Cisco: 206.115.32.1
His Class C: 206.115.62.0/255.255.255.0
His Router: 206.115.62.1/255.255.255.0
His PPP: 206.115.32.65/255.255.255.0
His FTP: 206.115.62.15/255.255.255.0
His NS1: 206.115.62.15/255.255.255.0
His SMTP/POP:206.115.62.15/255.255.255.0
He has 186 machines on his net. He wants to keep his employees
from doing anything on the net except:
mail
web
ftp
dns
pings
traceroute
archie
gopher
I have the following route in my PM2E: 206.115.62.0 206.115.32.65 1 (For his
Class C)
FILTER: usi.in
==============
deny 206.115.62.0/24 0.0.0.0/0
permit tcp estab
permit udp dst eq 53
permit tcp dst eq 53
permit tcp dst eq 25
permit icmp
permit 0.0.0.0/0 206.115.62.15/32 tcp dst eq 21
permit tcp src eq 20 dst gt 1023
permit udp src eq 53
FILTER: usi.out
===============
deny 0.0.0.0/0 206.115.62.0/24
permit tcp
permit udp src eq 53
permit udp dst eq 53
permit 206.115.62.1/32 206.115.32.1/32 udp dst eq 520
permit icmp
permit 206.115.32.1/32 206.115.62.1/32 udp dst eq 520
permit tcp dst eq 113
/etc/raddb/users
================
Pultrascan	Password = "UNIX"
	User-Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-Address = 206.115.32.65,
	Framed-Netmask = 255.255.255.0,
	Framed-Routing = "206.115.62.0 206.115.32.65 1",
	Framed-Compression = Van-Jacobsen-TCP-IP,
	Framed-MTU = 1500,
	Framed-Filter-Id = "usi",
	Port-Limit = 2
------------------------------
From: MegaZone <megazone@livingston.com>
Date: Thu, 13 Jun 1996 14:43:07 -0700 (PDT)
Subject: Filter Table (fwd)
Once upon a time Thomas Mullaney shaped the electrons to say...
>I have one company that wants to restrict all incoming/outgoing
>packets of a certain type from the network.
>
>The class C they have is 206.115.62.0
>
>They want to filter out everything but the following:
>
>mail
>web
>ftp
>dns
>pings
>traceroute
>archie
>gopher
>
>from every address on the network
>
>I have tried and failed! Please Help
This is relatively simple - chapter 10 of the Config Guide covers this
quite effectively IMHO. And here is another angle on it:
Filters
This example is for a hardwired network interface on port S1; if you
use dial on demand you should add the filter to the appropriate
location and netuser table entries (e.g. for location internet and
netuser internet you would do "set internet ifilter internet.in" and
"set user internet ifilter internet.in" after doing the following commands).
In this example we'll use the fictional domain example.com using the
class C network 192.9.200.0, with a ftp server at ftp.example.com, a
nameserver at ns.example.com, the IRX itself as gw.example.com with the
service provider's router as gw.isp.net. 192.9.200.0 should be
replaced by your own network number and all the hostnames should be
replaced by the real hostnames or IP addresses.
add filter internet.in
set filter internet.in 1 deny 192.9.200.0/24 0.0.0.0/0
set filter internet.in 2 permit tcp estab
set filter internet.in 3 permit udp dst eq 53
set filter internet.in 4 permit tcp dst eq 53
set filter internet.in 5 permit tcp dst eq 25
set filter internet.in 6 permit icmp
set filter internet.in 7 permit 0.0.0.0/0 ftp.example.com/32 tcp dst eq 21
set filter internet.in 8 permit tcp src eq 20 dst gt 1023
set s1 ifilter internet.in
save all
reset s1
1. Block any incoming packets claiming to be from your own network
2. Allow any outgoing TCP connections
3. Allow Domain Name service queries both ways
4. Allow Domain Name service zone transfers
5. Allow mail both ways
6. Allow ICMP (ping) both ways
7. Allow anyone to FTP to our FTP host
8. Allow us to FTP things from the Internet (this is potentially risky)
If your Domain Name Server is on the outside of your local net, you
need to add a line like this:
set filter internet.in 9 permit udp src eq 53
and you may then want to add an output filter like
add filter internet.out
set filter internet.out 1 deny 0.0.0.0/0 192.9.200.0/24
set filter internet.out 2 permit tcp
set filter internet.out 3 permit udp src eq 53
set filter internet.out 4 permit udp dst eq 53
set filter internet.out 5 permit gw.example.com/32 gw.isp.net/32 udp dst eq 520
set filter internet.out 6 permit icmp
set s1 ofilter internet.out
save all
reset s1
If you want to listen for RIP information you should add:
set filter internet.in 10 permit gw.isp.net/32 gw.example.com/32 udp dst eq 520
If you want to allow auth (RFC 931) queries in (which some mailers
and FTP servers use) you need to add a line like this:
set filter internet.in 10 permit tcp dst eq 113
The rules are applied in the order given, and you can either permit
or deny. Anything not permitted is denied at the end.
For greater security you should further limit which hosts can do what,
e.g. limit DNS and SMTP interchange with the internet to a single
well-secured host of yours, and have your internal hosts refer to that host.
You can specify hosts as IP addresses or as names. You can specify
subnets too; for example if we wanted to allow one subnet to have
complete access to our network, we could add a rule to internet.in like:
permit 192.187.195.0/24 192.9.200.0/24
In Release 3.0 you can route and filter IPX as well, and outgoing SAP.
You can set filters on incoming packets and/or outgoing packets on each
port (or ethernet). Filtering incoming packets is safer than filtering
outgoing packets, because 1) you know which interface that packet is
coming in on, and 2) you can protect the router itself with the filter.
Other vendors' routers that only allow filtering outgoing packets are
vulnerable to attack on the router itself.
EXAMPLE TWO
Here's a basic firewall filter for use with a bastion host and a
IRX-111 connected to the internet on port S1.
This example is for a hardwired network interface on port S1; if you
use dial on demand you should add the filter to the appropriate
location and netuser table entries (e.g. for location internet and
netuser internet you would do "set internet ifilter internet.in" and
"set user internet ifilter internet.in" after doing the following
commands).
This example allows any kind of outgoing connection from the bastion
host, blocks all incoming traffic to any host but the bastion, and
allows the following incoming traffic to the bastion: SMTP, NNTP, DNS,
FTP, ICMP. Note that unless you have the latest versions of ftpd and
sendmail you may be vulnerable to attacks through those ports.
The name bastion below should be replaced by the IP address or
hostname of the bastion host.
add filter internet.in
set filter internet.in 1 deny 192.9.200.0/24 0.0.0.0/0
set filter internet.in 2 permit 0.0.0.0/0 bastion/32 tcp estab
set filter internet.in 3 permit 0.0.0.0/0 bastion/32 tcp dst eq 21
set filter internet.in 4 permit 0.0.0.0/0 bastion/32 tcp src eq 20 dst gt 1023
set filter internet.in 5 permit 0.0.0.0/0 bastion/32 tcp dst eq 119
set filter internet.in 6 permit 0.0.0.0/0 bastion/32 tcp dst eq 25
set filter internet.in 7 permit 0.0.0.0/0 bastion/32 udp dst eq 53
set filter internet.in 8 permit 0.0.0.0/0 bastion/32 tcp dst eq 53
set s1 ifilter internet.in
save all
reset s1
1. Block any incoming packets claiming to be from your own network
2. Allow any established TCP connections back into the bastion (you may want
to limit this further by putting deny commands ahead of it)
3. Allow anyone to FTP to the bastion
4. Allow bastion to FTP things from the Internet (this is potentially risky)
5. Allow incoming news (NNTP) to the bastion
6. Allow incoming mail (SMTP) to the bastion
7. Allow Domain Name service queries to the bastion
8. Allow Domain Name service zone transfers from the bastion to others
-MZ
--
Livingston Enterprises - Chair, Department of Interstitial Affairs
Phone: 800-458-9966 510-426-0770 FAX: 510-426-8951 megazone@livingston.com
For support requests: support@livingston.com <http://www.livingston.com/>
Snail mail: 6920 Koll Center Parkway #220, Pleasanton, CA 94566
------------------------------
<---- End Forwarded Message ---->
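Added example, not code from either message above and not anything Livingston shipped: a small Python model of the filter semantics both posts rely on. Rules are tried in order, the first match decides, and a packet matching no rule is denied at the end; "estab" is taken to pass only TCP segments that already carry ACK or RST, which is an assumption about how the PortMaster tests it. The block loads MegaZone's internet.in from example one, with 192.9.200.5 assumed to stand in for ftp.example.com, and runs constructed packets through it. The usi.in filter in the first message uses the same rule language, so its lines can be dropped in unchanged. The last two cases show why rule 8 is called risky: a SYN with source port 20 reaches any port above 1023 on any inside host, and the bastion-style variant from example two closes that by pinning the rule to the FTP host.

```python
"""Tiny simulator of PortMaster/IRX-style packet filter semantics.

Added example; not code from the posts above or from Livingston.  Models
the behaviour the thread relies on: rules are tried in order, the first
match decides, and a packet matching no rule is denied.  Assumption:
'estab' matches TCP segments carrying ACK or RST, i.e. anything but the
opening SYN.  Addresses follow MegaZone's fictional 192.9.200.0/24;
192.9.200.5 is assumed here to be ftp.example.com.
"""
import ipaddress
from dataclasses import dataclass

PROTOS = ("tcp", "udp", "icmp")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # ACK or RST flag set; this is what 'estab' tests


def parse_rule(line):
    """Parse one 'permit ...' / 'deny ...' line of a PortMaster filter."""
    tok = line.split()
    rule = {"action": tok.pop(0), "src": None, "dst": None, "proto": None,
            "sport": None, "dport": None, "estab": False}
    if tok and tok[0] not in PROTOS:            # optional src/dst prefixes
        rule["src"] = ipaddress.ip_network(tok.pop(0), strict=False)
        rule["dst"] = ipaddress.ip_network(tok.pop(0), strict=False)
    if tok and tok[0] in PROTOS:                 # optional protocol
        rule["proto"] = tok.pop(0)
    while tok:                                   # optional port tests
        t = tok.pop(0)
        if t == "estab":
            rule["estab"] = True
        elif t in ("src", "dst"):
            op, value = tok.pop(0), int(tok.pop(0))
            rule[{"src": "sport", "dst": "dport"}[t]] = (op, value)
        else:
            raise ValueError(f"unsupported token {t!r} in {line!r}")
    return rule


def _port_test(test, port):
    op, value = test
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]


def matches(rule, pkt):
    if rule["src"] is not None and ipaddress.ip_address(pkt.src) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(pkt.dst) not in rule["dst"]:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt.proto:
        return False
    if rule["estab"] and not pkt.ack:
        return False
    for key in ("sport", "dport"):
        if rule[key] is not None and not _port_test(rule[key], getattr(pkt, key)):
            return False
    return True


def evaluate(rules, pkt):
    """Return (action, rule_number); rule_number is None for the implicit final deny."""
    for number, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule["action"], number
    return "deny", None


# MegaZone's internet.in from example one, hostname replaced by an address.
INTERNET_IN = [parse_rule(r) for r in (
    "deny 192.9.200.0/24 0.0.0.0/0",
    "permit tcp estab",
    "permit udp dst eq 53",
    "permit tcp dst eq 53",
    "permit tcp dst eq 25",
    "permit icmp",
    "permit 0.0.0.0/0 192.9.200.5/32 tcp dst eq 21",
    "permit tcp src eq 20 dst gt 1023",
)]

# Same filter with rule 8 pinned to the FTP host, as example two does for the bastion.
INTERNET_IN_TIGHT = INTERNET_IN[:7] + [parse_rule(
    "permit 0.0.0.0/0 192.9.200.5/32 tcp src eq 20 dst gt 1023")]


def demo():
    """Constructed packets (not captured traffic); each value is (action, rule)."""
    spoofed = Packet("192.9.200.7", "10.0.0.1", "tcp", 1234, 80)
    http_reply = Packet("10.0.0.1", "192.9.200.20", "tcp", 80, 4000, ack=True)
    telnet_syn = Packet("10.0.0.1", "192.9.200.20", "tcp", 1234, 23)
    ftp_ctl = Packet("10.0.0.1", "192.9.200.5", "tcp", 1234, 21)
    # Attacker sets source port 20 and aims at a high port on an inside host.
    sport20_syn = Packet("10.0.0.1", "192.9.200.20", "tcp", 20, 6000)
    return {
        "spoofed": evaluate(INTERNET_IN, spoofed),                  # ('deny', 1)
        "http_reply": evaluate(INTERNET_IN, http_reply),            # ('permit', 2)
        "telnet_syn": evaluate(INTERNET_IN, telnet_syn),            # ('deny', None)
        "ftp_ctl": evaluate(INTERNET_IN, ftp_ctl),                  # ('permit', 7)
        "sport20_syn": evaluate(INTERNET_IN, sport20_syn),          # ('permit', 8) the risky rule
        "sport20_tight": evaluate(INTERNET_IN_TIGHT, sport20_syn),  # ('deny', None)
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} -> {verdict}")
```

To check a real filter, paste its "permit"/"deny" lines into the list in the order they carry on the router and feed it the packets you care about; the rule number that comes back tells you which line is actually deciding, which is the quickest way to see an earlier rule shadowing a later one.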