The Configuration Tree Functions Firewall Configuration - Page 61
Match Data: The value that the Match Mask calculation described below must produce for the filter to match. Note that the system pads the field with zeroes.
Match Mask: A byte pattern that is logically ANDed with the bytes filtered from the packet (the Match Length bytes starting at Match Offset). The result is compared against the contents of the Match Data field.
Direction: This is the direction in which a session may be started if the filter finds
a match:
– Drop - no session permitted
– In - allow new sessions to be started from outside the local subnet only
– Out - allow sessions to be started only from the local subnet
– Bothway - allow sessions to be started in either direction.
Note that the Monitor program can be used to identify which packets are being
blocked by the Firewall.
Examples
Note: All TCP/UDP applications are assigned an individual “port” number, used
to identify the type of service one system is requesting from another. The
Internet Assigned Numbers Authority publishes a list of these.
1. To access a web page that uses TCP Port 8000 instead of the more usual
Port 80, use the following:
– IP Protocol = 6 (TCP)
– Match Offset = 22
– Match Length = 2
– Match Data = 1F40 (8000 in hex)
– Match Mask = FFFF (FFFF.AND.filtered data = 1F40)
– Direction = Out
– Notes = Port 8000 Out
2. To allow all TCP ports out (this also solves the problem in Example 1, but risks unintentional data calls being made):
– IP Protocol = 6 (TCP)
– Match Offset = 0
– Match Length = 0
– Match Data = 0
– Match Mask = 0
– Direction = Out
– Notes = All TCP Ports Out
3. To avoid Windows 95 calling your ISP’s DNS to resolve local names:
– IP Protocol = 17 (UDP)
– Match Offset = 20
– Match Length = 4
– Match Data = 00890035
– Match Mask = FFFFFFFF
– Direction = Drop
– Notes = Drop NetBIOS to DNS
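The following is an added worked example, not part of the manual and not IPNC firmware: a small Python model of the filter fields described above (IP Protocol, Match Offset, Match Length, Match Data, Match Mask, Direction), run against constructed packets for the three examples. It assumes that Match Offset counts from the first byte of the IPv4 header (which is what Example 1's offset 22 for the TCP destination port implies), that Match Data and Match Mask are big-endian hex values of Match Length bytes, and that filters are checked in list order with the first match deciding; the manual page does not state the ordering or the default when nothing matches, so those are assumptions of this example only.

```python
# Added example: a model of the byte-match filter described on this page.
# Not the IPNC firmware. Assumptions: offsets count from the start of the
# IPv4 header; Match Data/Mask are big-endian hex values of Match Length
# bytes; filters are checked in order and the first match wins.
import struct

IPV4_PROTO_OFFSET = 9  # protocol byte of a standard IPv4 header


def make_filter(protocol, offset, length, data_hex, mask_hex, direction, notes=""):
    """Build one filter entry from the manual's field values (hex strings)."""
    data = int(data_hex, 16).to_bytes(length, "big")
    mask = int(mask_hex, 16).to_bytes(length, "big")
    return {"protocol": protocol, "offset": offset, "length": length,
            "data": data, "mask": mask, "direction": direction, "notes": notes}


def filter_matches(filt, packet):
    """True if the packet carries the filter's protocol and
    (filtered bytes AND Match Mask) == Match Data."""
    if packet[IPV4_PROTO_OFFSET] != filt["protocol"]:
        return False
    n = filt["length"]
    field = packet[filt["offset"]:filt["offset"] + n]
    field = field.ljust(n, b"\x00")  # a short field is padded with zeroes
    masked = bytes(a & b for a, b in zip(field, filt["mask"]))
    # With Match Length 0 both sides are b"", so every packet of the protocol matches
    return masked == filt["data"]


def session_allowed(direction, from_local_subnet):
    """Apply the Direction rule to a packet that would start a session."""
    return {"Drop": False,
            "In": not from_local_subnet,
            "Out": from_local_subnet,
            "Bothway": True}[direction]


def first_matching_filter(filters, packet):
    """Assumption: filters are checked in list order; None when nothing matches."""
    for f in filters:
        if filter_matches(f, packet):
            return f
    return None


def decide(filters, packet, from_local_subnet):
    """True/False once a filter matches; None if no filter in the list matches."""
    f = first_matching_filter(filters, packet)
    if f is None:
        return None
    return session_allowed(f["direction"], from_local_subnet)


def build_packet(protocol, src_port, dst_port):
    """Constructed test packet: 20-byte IPv4 header (no options) followed by
    an 8-byte TCP/UDP-style header holding only the two ports."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, protocol, 0,
                         bytes([192, 168, 0, 10]), bytes([10, 0, 0, 1]))
    return ip_hdr + struct.pack("!HHHH", src_port, dst_port, 0, 0)


# Examples 3 and 1 from the page, entered as listed
EXAMPLE_FILTERS = [
    make_filter(17, 20, 4, "00890035", "FFFFFFFF", "Drop", "Drop NetBIOS to DNS"),
    make_filter(6, 22, 2, "1F40", "FFFF", "Out", "Port 8000 Out"),
]
# Example 2: zero-length match, so every TCP packet matches
ALL_TCP_OUT = make_filter(6, 0, 0, "0", "0", "Out", "All TCP Ports Out")


if __name__ == "__main__":
    web8000 = build_packet(6, 40000, 8000)   # TCP to destination port 8000
    web80 = build_packet(6, 40000, 80)       # TCP to destination port 80
    nbns_dns = build_packet(17, 137, 53)     # UDP NetBIOS name service -> DNS
    print(decide(EXAMPLE_FILTERS, web8000, True))              # True (Port 8000 Out)
    print(decide(EXAMPLE_FILTERS, web8000, False))             # False (Out only)
    print(decide(EXAMPLE_FILTERS, web80, True))                # None (nothing matches port 80)
    print(decide(EXAMPLE_FILTERS, nbns_dns, True))             # False (Drop)
    print(decide(EXAMPLE_FILTERS + [ALL_TCP_OUT], web80, True))  # True (All TCP Ports Out)
```

The zero-length filter of Example 2 is the interesting case: with Match Length 0 the masked field and Match Data are both empty, so the comparison succeeds for every packet of that protocol, which is exactly why the manual warns that it risks unintentional data calls. Placing the Drop filter ahead of the broad Out filter is what keeps Example 3 effective under the first-match assumption.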
INDeX IPNC Cassette Administration Manual The Configuration Tree Functions - Page 61
38DHB0002UKDD – Issue 7 (22/11/02) Firewall Configuration