Ascend Archive

Re: (ASCEND) filters



Paul Monaghan wrote:

> Someone posted a quite clean and easy to understand way to create a filter
> for port 80 the other day and I accidentally erased it.  Can someone send it
> to me again.
>
> Thanks
> Paul
>
> --
> Paul Monaghan (PM1819, paulm@ican.net)
> Technical Team Leader - Internet - ACC Telenterprises Ltd.
> bobCode: KItpd lWm EMC++ m7 CPE B0 Ol Lb SC Tx A5 H9o b2
>
> ++ Ascend Users Mailing List ++
> To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
> To get FAQ'd:   <http://www.nealis.net/ascend/faq>

Subject: Re: (ASCEND) Assistance with Filters
   Date: Sat, 29 Nov 97 12:21:06 EST
   From: Tim Basher <basher@alpha.CES.CWRU.Edu>
     To: ascend-users@max.bungi.com




> I've tried to understand filters... but the manual is useless, and the web
> searching has produced little of use.

Well the manual seemed pretty clear to me.  What seems to be the problem?

If you just follow your own description of what you are trying to do, you
should be able to create the filter.

#1 - You are trying to create a filter so go to the filter profile.
     Main Edit Menu > Ethernet > Filters > [unused filter]

     Add a name for the filter [Name=HTTP block]

> I need to block all port 80 (web) OUTGOING (hmm why not incoming) traffic
> from a range of IP addresses... for example 203.xx.xx.21-79 which is the
> ip range of our 60 dialups.

#2 - You say you want an "OUTGOING" filter so select "Output filters..."
     Select the first unused filter [say "Out filter 01"]

     Enable it by making it a valid filter ["Valid=Yes"]
     You are trying to block TCP/IP packets so make it an IP filter ["Type=IP"]

#3 - You are trying to create an IP filter so select "Ip..."

     You say you want to block packets so you do not want to forward these
     packets ["Forward=No"]

     You say you do not want access to port 80 - this would be the destination
     port - the port the server is listening on.  ["Dst Port Cmp=Eql",
     "Dst Port #=80"]

     You say you do not want access for the "web", so this would be TCP,
     which is IP protocol 6 ["Protocol=6"]

     Since you are trying to block the initial connection TCP request,
     not just the packets within the connection, use "TCP Estab=No" -
     the default (no change needed).

     You say you want to block traffic "from" a set of addresses so you need
     to use the "Src Adrs" and "Src Mask" fields to add this specification.
     This is the only tricky part, since you are not trying to block a
     network or subnet but just an arbitrary range of addresses.  Your
     solutions are to (a) block a larger range of addresses (that matches
     a subnet) or (b) to use multiple rules that will block up to the full
     range or (c) to use multiple rules, one to block a larger range and
     then one or more to enable the necessary exceptions to the rule.

     I'll go the easy way and just block some extra addresses, since you
     want to "FORCE users" to use the web cache.

     You said "21-79".  This does not fall fully into either of the 6-bit
     subnets 0-63 or 64-127, so picking the 7-bit subnet of 0-127 seems the
     only choice.

     So you want to match "Src Mask=255.255.255.128" and "Src Adrs=203.xx.xx.0"

     And there you have your filter.

        90-504
         Ip...
          Forward=No
          Src Mask=255.255.255.128
          Src Adrs=203.129.22.0
          Dst Mask=0.0.0.0
          Dst Adrs=0.0.0.0
          Protocol=6
          Src Port Cmp=None
          Src Port #=N/A
          Dst Port Cmp=Eql
          Dst Port #=80
          TCP Estab=No

> (hmm why not incoming)

Which interface are you installing your filters on?

  LAN A +----+ Pipeline +----+ MAX +----+ LAN B +----+ Router +----+ Internet

If you are putting the filter on the LAN interface of the Pipeline then if you
want to block packets from LAN A, it should be an "Input" filter.

If you are putting the filter on the WAN interface of the Pipeline then if you
want to block packets from LAN A, it should be an "Output" filter.

If you are putting the filter on the WAN interface of the MAX then if you
want to block packets from LAN A, it should be an "Input" filter.

If you are putting the filter on the LAN interface of the MAX then if you
want to block packets from LAN A, it should be an "Output" filter.



-- Tim Connolly tec@mountain.net     MountainNet, Inc.
-- (800) 444-1458 ext. 37            2816 Cranberry Square
-- fax (304) 594-9088                Morgantown, WV 26505


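As an added example (not part of either message above, and not Ascend's own code), the following Python models the "Ip..." rule that the reply builds up step by step: masked source/destination address comparison, the protocol and "Dst Port Cmp" checks, and the "TCP Estab" flag. It also carries out the reply's subnet reasoning in code, finding the single mask that covers the 21-79 dialup range and showing which extra addresses that mask sweeps in. The field names follow the menu listing in the message; the packet shapes, the 198.51.100.10 destination, and the rule that a packet matching no rule is forwarded are assumptions made for the example (the page does not say what the Pipeline does with unmatched packets).

```python
"""Model of an Ascend 'Ip...' data filter rule (added example, not Ascend code)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class IpFilterRule:
    """One rule, using the field names from the Ascend 'Ip...' menu."""
    forward: bool                 # Forward=No drops packets that match this rule
    src_adrs: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"     # all-zero mask matches any address
    dst_adrs: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    protocol: int = 0             # 0 = any IP protocol; 6 = TCP
    dst_port_cmp: str = "None"    # None / Eql / Neq / Less / Gtr
    dst_port: int = 0
    tcp_estab: bool = False       # Yes would match only packets with ACK set (established)


@dataclass
class Packet:
    """Constructed packet for the example; only the fields the filter inspects."""
    src: str
    dst: str
    protocol: int
    dst_port: int = 0
    tcp_ack: bool = False         # True inside an established TCP connection


def masked_match(addr: str, rule_addr: str, mask: str) -> bool:
    """True when addr and rule_addr agree on every bit that is set in mask."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == (r & m)


def port_match(cmp: str, rule_port: int, pkt_port: int) -> bool:
    """Apply the 'Dst Port Cmp' operator to the packet's destination port."""
    return {
        "None": True,
        "Eql": pkt_port == rule_port,
        "Neq": pkt_port != rule_port,
        "Less": pkt_port < rule_port,
        "Gtr": pkt_port > rule_port,
    }[cmp]


def rule_matches(rule: IpFilterRule, pkt: Packet) -> bool:
    """Every configured field must match; unset fields (0 / None / all-zero) match anything."""
    if not masked_match(pkt.src, rule.src_adrs, rule.src_mask):
        return False
    if not masked_match(pkt.dst, rule.dst_adrs, rule.dst_mask):
        return False
    if rule.protocol and pkt.protocol != rule.protocol:
        return False
    if not port_match(rule.dst_port_cmp, rule.dst_port, pkt.dst_port):
        return False
    if rule.tcp_estab and not pkt.tcp_ack:
        return False
    return True


def apply_filter(rules, pkt: Packet) -> bool:
    """First matching rule decides whether the packet is forwarded.
    ASSUMPTION for this example: a packet matching no rule is forwarded."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.forward
    return True


def smallest_covering_subnet(first: str, last: str):
    """Loosen the prefix from /32 until one network holds the whole range.
    Returns (Src Adrs, Src Mask) as the Ascend menu expects them."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    for prefix in range(32, -1, -1):
        net = ipaddress.IPv4Network((str(lo), prefix), strict=False)
        if hi in net:
            return str(net.network_address), str(net.netmask)
    raise ValueError("no covering subnet")  # unreachable: /0 covers everything


# The rule from the message: drop TCP to port 80 from 203.129.22.0/25.
HTTP_BLOCK = IpFilterRule(forward=False, src_adrs="203.129.22.0",
                          src_mask="255.255.255.128", protocol=6,
                          dst_port_cmp="Eql", dst_port=80)


def demo():
    """Run constructed packets through the rule; returns {description: forwarded?}."""
    web = "198.51.100.10"  # constructed destination (documentation range)
    cases = {
        "dialup .50 -> tcp/80":           Packet("203.129.22.50", web, 6, 80),
        "dialup .50 -> tcp/443":          Packet("203.129.22.50", web, 6, 443),
        "dialup .50 -> udp/80":           Packet("203.129.22.50", web, 17, 80),
        "host .100 (outside 21-79) -> 80": Packet("203.129.22.100", web, 6, 80),
        "host .200 (outside /25) -> 80":  Packet("203.129.22.200", web, 6, 80),
    }
    return {name: apply_filter([HTTP_BLOCK], pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    print(smallest_covering_subnet("203.129.22.21", "203.129.22.79"))
    for name, forwarded in demo().items():
        print(f"{name:34} {'forward' if forwarded else 'DROP'}")
```

The `.100` case is the collateral the reply accepts when it picks the 7-bit subnet: a /25 is the smallest single mask covering 21-79, so addresses 0-20 and 80-127 are blocked along with the dialups. Option (c) in the message, a broad Forward=No rule preceded by narrower Forward=Yes exceptions, is the same `apply_filter` first-match logic with the exception rules placed first in the list.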

