Figure 8-1 Input and Output Filters
Command> add filter Filtername
Command> set filter Filtername RuleNumber permit|deny [Ipaddress/NM Ipaddress(dest)/NM] [protocol Number] [log] [notify]
Command> set filter Filtername RuleNumber permit|deny [Ipaddress/NM Ipaddress(dest)/NM] icmp [type Itype] [log]
Command> set filter Filtername RuleNumber permit|deny [Ipaddress/NM Ipaddress(dest)/NM] tcp [src eq|lt|gt Tport] [dst eq|lt|gt Tport] [established] [log]
Command> set filter Filtername RuleNumber permit|deny [Ipaddress/NM Ipaddress(dest)/NM] udp [src eq|lt|gt Uport] [dst eq|lt|gt Uport] [established] [log]
Command> set ipxfilter Filtername RuleNumber permit|deny [srcnet Ipxnetwork] [srchost Ipxnode] [srcsocket eq|gt|lt Ipxsock] [dstnet Ipxnetwork] [dsthost Ipxnode] [dstsocket eq|gt|lt Ipxsock]
Command> set sapfilter Filtername RuleNumber permit|deny [server String] [network Ipxnetwork] [host Ipxnode] [socket eq|gt|lt Ipxsock]
Note: Any packet that is not explicitly permitted by a filter is denied, except for the special case of a filter with no rules, which permits everything.
Command> set filter simple 1 permit udp dst eq 53
Command> set filter simple 2 permit tcp dst eq 25
Command> set filter simple 3 permit icmp
Command> set filter simple 4 permit 0.0.0.0/0 192.168.1.3/32 tcp dst eq 21
Command> set filter simple 5 permit tcp src eq 20 dst gt 1023
Command> set filter internet.in 1 deny 192.168.1.0/24 0.0.0.0/0 log
Command> set filter internet.in 2 permit tcp estab
Command> set filter internet.in 3 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 25
Command> set filter internet.in 4 permit 0.0.0.0/0 172.16.0.4/32 tcp dst eq 21
Command> set filter internet.in 5 permit tcp 0.0.0.0/0 192.168.0.5/32 dst eq 80
Command> set filter internet.in 6 permit tcp src eq 20 dst gt 1023
Command> set filter internet.in 7 permit udp dst eq 53
Command> set filter internet.in 8 permit tcp dst eq 53
Command> set filter internet.in 9 permit icmp
Caution: This configuration is not recommended if you run any of the following protocols on any of the hosts from which you allow FTP access: NFS, X, RPC, or any other service that listens on ports above 1023.
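As an added illustration (example code written for this edit, not part of the manual or of the router software), the following Python evaluator implements the matching semantics stated in the note above: rules are tried in number order, the first match decides, a filter with no rules permits everything, and a packet that matches no rule is denied. It parses the manual's own "set filter" lines for the simple filter and checks constructed packets against them, including the case the caution describes: rule 5 permits any TCP segment with source port 20 to reach every port above 1023 on every host. The packet fields, the reading of "established" as "TCP ACK flag set", and the 203.0.113.0/24 source addresses are assumptions; ICMP "type" matching is not modelled.

```python
# Added example, not from the manual: a small evaluator for the "set filter"
# rule syntax shown above, used to check what the "simple" filter permits.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}
PORT_OPS = {"eq": lambda a, b: a == b, "lt": lambda a, b: a < b, "gt": lambda a, b: a > b}
ANY_NET = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Rule:
    number: int
    action: str                                  # "permit" or "deny"
    src: ipaddress.IPv4Network = ANY_NET
    dst: ipaddress.IPv4Network = ANY_NET
    proto: Optional[int] = None                  # None matches any protocol
    sport: Optional[Tuple[str, int]] = None      # ("eq"|"lt"|"gt", port)
    dport: Optional[Tuple[str, int]] = None
    established: bool = False
    log: bool = False

@dataclass
class Packet:                                    # constructed packet summary
    src: str
    dst: str
    proto: str                                   # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False     # assumption: "established" means the TCP ACK flag is set

def parse_rule(line: str) -> Tuple[str, Rule]:
    """Parse one 'set filter NAME NUM permit|deny ...' line into (NAME, Rule)."""
    toks = line.replace("Command>", "").split()
    if toks[:2] != ["set", "filter"]:
        raise ValueError("not a 'set filter' command: " + line)
    rule, nets, i = Rule(number=int(toks[3]), action=toks[4]), [], 5
    while i < len(toks):
        t = toks[i]
        if "/" in t:                             # first address is source, second destination
            nets.append(ipaddress.ip_network(t, strict=False))
        elif t in PROTO_NUM:
            rule.proto = PROTO_NUM[t]
        elif t == "protocol":                    # numeric IP protocol
            rule.proto, i = int(toks[i + 1]), i + 1
        elif t in ("src", "dst"):                # "src eq 20" -> sport = ("eq", 20)
            setattr(rule, t[0] + "port", (toks[i + 1], int(toks[i + 2])))
            i += 2
        elif t in ("established", "estab"):
            rule.established = True
        elif t == "log":
            rule.log = True
        elif t != "notify":                      # notify does not affect matching
            raise ValueError(f"unknown token {t!r} in: {line}")
        i += 1
    if nets:
        rule.src, rule.dst = nets[0], nets[1]
    return toks[2], rule

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every condition present in the rule holds for the packet."""
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.proto is not None and PROTO_NUM[pkt.proto] != rule.proto:
        return False
    for cmp, port in ((rule.sport, pkt.sport), (rule.dport, pkt.dport)):
        if cmp and not PORT_OPS[cmp[0]](port, cmp[1]):
            return False
    return not rule.established or (pkt.proto == "tcp" and pkt.ack)

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[Rule]]:
    """First matching rule (in number order) decides.  A filter with no rules
    permits everything; a packet that matches no rule is denied."""
    if not rules:
        return "permit", None
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.action, rule
    return "deny", None

# The "simple" filter, copied from the listing above.
SIMPLE = [parse_rule(l)[1] for l in (
    "Command> set filter simple 1 permit udp dst eq 53",
    "Command> set filter simple 2 permit tcp dst eq 25",
    "Command> set filter simple 3 permit icmp",
    "Command> set filter simple 4 permit 0.0.0.0/0 192.168.1.3/32 tcp dst eq 21",
    "Command> set filter simple 5 permit tcp src eq 20 dst gt 1023",
)]

# Constructed sample packets (203.0.113.0/24 is documentation address space).
DNS_QUERY = Packet("203.0.113.9", "192.168.1.3", "udp", sport=40001, dport=53)
FTP_TO_SERVER = Packet("203.0.113.9", "192.168.1.3", "tcp", sport=40002, dport=21)
TELNET_TO_SERVER = Packet("203.0.113.9", "192.168.1.3", "tcp", sport=40003, dport=23)
# The case the caution warns about: rule 5 lets any segment with source port 20
# reach any port above 1023 on any host, e.g. NFS on 2049 of a host never listed.
HIGH_PORT_FROM_20 = Packet("203.0.113.9", "192.168.1.7", "tcp", sport=20, dport=2049)
```

Running `evaluate(SIMPLE, pkt)` for the four constructed packets gives permit by rule 1, permit by rule 4, deny (no match), and permit by rule 5 respectively; the last result is exactly why the caution asks you to check for services above port 1023 before using rule 5. The same parser accepts the internet.in lines above, so the anti-spoofing rule 1 (deny 192.168.1.0/24 inbound with log) and the "tcp estab" rule can be checked the same way.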
Command> set filter internet.in 1 permit 0.0.0.0/0 192.168.0.1/32 tcp src eq 20 dst gt 1023
Command> set filter internet.in 2 permit 0.0.0.0/0 192.168.0.1/32 tcp src eq 21 estab
Command> set filter internet.in 3 permit 0.0.0.0/0 172.16.0.2/32 tcp dst eq 21
Command> set filter internet.in 4 permit 0.0.0.0/0 172.16.0.2/32 tcp src gt 1023 dst eq 20 estab
Command> set filter internet.out 1 permit 192.168.0.1/32 0.0.0.0/0 tcp dst eq 21
Command> set filter internet.out 2 permit 192.168.0.1/32 0.0.0.0/0 tcp src gt 1023 dst eq 20 estab
Command> set filter internet.out 3 permit 172.16.0.2/32 0.0.0.0/0 tcp src eq 20 dst gt 1023
Command> set filter internet.out 4 permit 172.16.0.2/32 0.0.0.0/0 tcp src eq 21 dst gt 1023 estab
Command> set filter Filtername RuleNumber permit udp src eq 53
Command> set filter Filtername RuleNumber permit 172.16.0.0/32 192.168.0.0/32 udp dst eq 520
Command> set filter Filtername RuleNumber permit tcp dst eq 113
Command> set filter Filtername RuleNumber permit 172.16.12.0/24 192.168.1.0/24
Caution: Beware of associative trust. If you allow a network complete access to your network, you might unknowingly allow other networks complete access as well. Any network that can access a network having complete access privileges to your network also has access to your network. For example, if Network 1 trusts Network 2 and Network 2 trusts Network 3, then Network 1 trusts Network 3.
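The chaining the caution describes can be audited mechanically. The following Python function, an added example that is not part of the manual, walks a constructed table of direct complete-access grants (each corresponding to a rule like "permit 172.16.12.0/24 192.168.1.0/24" above) and reports every network that ends up with access through a chain, including the ones an administrator never granted directly. The network names and the trust table are constructed for the example.

```python
# Added example, not from the manual: find the networks that reach you through
# chains of complete-access grants (the "associative trust" of the caution).
from typing import Dict, List, Set

# Constructed direct-trust table: "net1": {"net2"} means net1's filter gives
# net2 complete access.  net4 -> net2 forms a cycle, which the walk must tolerate.
DIRECT_TRUST: Dict[str, Set[str]] = {
    "net1": {"net2"},
    "net2": {"net3"},
    "net3": {"net4"},
    "net4": {"net2"},
}

def effective_trust(direct: Dict[str, Set[str]], start: str) -> Set[str]:
    """Every network that can reach `start` via a chain of complete-access grants."""
    seen: Set[str] = set()
    todo: List[str] = [start]
    while todo:
        current = todo.pop()
        for neighbour in direct.get(current, set()):
            if neighbour not in seen:          # cycle-safe: each network visited once
                seen.add(neighbour)
                todo.append(neighbour)
    return seen

def implicit_trust(direct: Dict[str, Set[str]], start: str) -> Set[str]:
    """Networks with access to `start` that were never granted it directly."""
    return effective_trust(direct, start) - direct.get(start, set())
```

For the constructed table, `implicit_trust(DIRECT_TRUST, "net1")` returns {"net3", "net4"}: net1 only listed net2, but net2's own grants extend the reach to net3 and net4. Re-running the check whenever a peer network changes its filters is the practical way to keep the caution's scenario from creeping in.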
Note: Even if you have the latest versions of the daemons ftpd, httpd, and sendmail, you might be vulnerable to attacks through these services. Check the latest CERT Coordination Center advisories, available on ftp.cert.org, for the vulnerabilities of these services.
Command> set filter restrict.in 1 deny 192.168.1.0/24 0.0.0.0/0 log
Command> set filter restrict.in 2 permit 0.0.0.0/0 10.0.0.3/32 tcp estab
Command> set filter restrict.in 3 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 21
Command> set filter restrict.in 4 permit 0.0.0.0/0 10.0.0.3/32 tcp src eq 20 dst gt 1023
Command> set filter restrict.in 5 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 119
Command> set filter restrict.in 6 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 25
Command> set filter restrict.in 7 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 80
Command> set filter restrict.in 8 permit 0.0.0.0/0 10.0.0.3/32 udp dst eq 53
Command> set filter restrict.in 9 permit 0.0.0.0/0 10.0.0.3/32 tcp dst eq 53
Command> set filter restrict.in 10 permit 0.0.0.0/0 10.0.0.3/32 icmp
2. The host address is compared against the access filter.
3. If the address is permitted by the filter, the connection is established.
4. If the address is not permitted, the connection is denied unless access override is enabled.

1. Access is denied by the access filter.
2. The user is prompted for a username and password.
3. The user is verified by the user table or RADIUS.
4. The access filter defined for this user is used to determine if the user has permission to access the specified host.
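The two step lists above describe one decision path: the host address is checked against the port's access filter, and only when that check fails and access override is enabled does the user get prompted, verified, and then re-checked against their own access filter. The following Python model, an added example that is not part of the manual or the router software, walks that path end to end. It assumes an access filter is an ordered list of permit/deny rules over networks with the same first-match semantics as the note near the top of this page; the user table, password hashing, and the per-user filter are constructed for the example, and RADIUS verification is not modelled.

```python
# Added example, not from the manual: a model of the access-filter decision
# described in the steps above.  User verification is simulated with a
# constructed in-memory user table; RADIUS is not modelled.
import hashlib
import hmac
import ipaddress
from typing import List, Optional, Tuple

# Ordered rules: [("permit"|"deny", "network/prefix"), ...]
AccessFilter = List[Tuple[str, str]]

def host_permitted(filt: AccessFilter, host: str) -> bool:
    """First matching rule wins; no rules permits everything; no match denies
    (assumed to follow the packet-filter semantics stated in the note above)."""
    if not filt:
        return True
    addr = ipaddress.ip_address(host)
    for action, net in filt:
        if addr in ipaddress.ip_network(net, strict=False):
            return action == "permit"
    return False

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed user table: username -> (salt, password hash, user's access filter)
_SALT = b"constructed-salt"
USER_TABLE = {
    "alice": (_SALT, _pw_hash("correct horse", _SALT), [("permit", "10.0.0.0/8")]),
}

def verify_user(username: str, password: str) -> Optional[AccessFilter]:
    """Return the user's access filter on success, None otherwise (user table only)."""
    entry = USER_TABLE.get(username)
    if entry is None:
        return None
    salt, stored, user_filter = entry
    if hmac.compare_digest(_pw_hash(password, salt), stored):   # constant-time compare
        return user_filter
    return None

def connect(host: str, port_filter: AccessFilter, override_enabled: bool,
            credentials: Optional[Tuple[str, str]] = None) -> str:
    """Steps 2-4 of the first list, then steps 1-4 of the override list.
    `credentials` stands in for the username/password prompt."""
    if host_permitted(port_filter, host):              # steps 2-3
        return "connected"
    if not override_enabled:                           # step 4, no override
        return "denied by access filter"
    if credentials is None:                            # override step 2: prompt
        return "denied: override enabled but no credentials given"
    user_filter = verify_user(*credentials)            # override step 3
    if user_filter is None:
        return "denied: authentication failed"
    if host_permitted(user_filter, host):              # override step 4
        return "connected"
    return "denied by user's access filter"

# Constructed port access filter: only the local LAN is reachable without override.
PORT_FILTER: AccessFilter = [("permit", "192.168.1.0/24")]
```

With `PORT_FILTER`, a connection to 192.168.1.10 succeeds without any prompt; a connection to 10.0.0.3 is denied outright unless override is enabled, in which case it succeeds only for a user whose own filter permits 10.0.0.0/8 and who presents the right password. A valid user is still denied for a host outside their own filter, which is the point of step 4 in the second list.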