Ascend Archive

(ASCEND) ascend filters



Hello Jason,

I've had a security breach from the net on my site and wanted
to put some filters on my Ascend unit (MAX200+).  I'm having
trouble nailing down the logic of these filters.

"Philosophy A"

I have been told that if you do a bunch of "YES" or "pass" filters
you need a "NO" or "block" filter at the end of the list to "seal things
off".

Likewise if you have a bunch of "NO" filters or "block" filters
you need a "YES" or "pass" filter at the end of the list to let
things through.

"Philosophy B"

I've also been told that (as in subject #12 of the nealis ascend-faq)
"Data filters will examine packets and drop (or forward) matching
entries, depending on filter construction."


"Philosophy C"

"follow the logic, draw a picture" (from Ascend site)....kind of vague,
do they mean step by step?

These filter philosophies seem kind of sketchy (to me) and I was wondering
if someone had some "C pseudocode" that would show their logic explicitly.

For example filters on WAN, incoming, philosophy "C" (step by step?) mail and www:

These are "YES" or "pass" filters #1 mail and #2 www.

"YES" filter = forward matching packets...

Two packets come in back to back: mail delivery (port 25), then web server request (port 80):

mail-packet hits the 1st filter (mail) and passes. Next, mail hits the
www filter and doesn't match, so it doesn't pass....bye bye mail packet
gone to /dev/null.

www-packet hits the 1st filter (mail) and doesn't match so it doesn't
pass.....bye bye www-packet gone to /dev/null.


Now I know someone is sure to point out that the filters don't work that way.
OK.  How do they work?  Step by Step. I have examples....it's the principles
behind the examples I'm missing.

I believe these filters must be logically "OR"ed together somehow in a stepwise
fashion, I would just like some clear explanation as to how.

Something like:

set up the "finished filters"

All forward=NO (block) filters are "OR"ed and result is stored in BLOCK_OR
All forward=YES (pass) filters are "OR"ed and result is stored in PASS_OR

apply the "finished filters"

packet  OR'ed against BLOCK_OR==TRUE: discard packet at once.
packet  OR'ed against PASS_OR==TRUE: forward packet.

I'm not sure if this logic is sound, or if it is how the filters
work, but it is an attempt to demonstrate the level of understanding
I'm looking for.

Thanks for your help.

-- 
	Henry Hollenberg     speed@barney.iamerica.net
++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>
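
Added example (not part of the original post, and not Ascend's own code): the two evaluation models the post is choosing between, written in C and run on its port 25 and port 80 packets. Ordered first-match is assumed here as the common packet-filter design, and the action for unmatched packets is a parameter because the post does not state the unit's default; struct rule, the function names and port 23 are constructed.

```c
#include <stdio.h>

/* Constructed model: a rule matches on destination port only (0 = any port). */
struct rule { int dst_port; int forward; /* 1 = YES/pass, 0 = NO/block */ };

static int hits(const struct rule *r, int port)
{
    return r->dst_port == 0 || r->dst_port == port;
}

/* Ordered first match: the first rule that matches decides the packet's fate.
   default_forward applies only when no rule matched (assumed configurable). */
int first_match(const struct rule *r, int n, int port, int default_forward)
{
    for (int i = 0; i < n; i++)
        if (hits(&r[i], port))
            return r[i].forward;
    return default_forward;
}

/* The walk-through in the post: every rule is a gate the packet must survive. */
int serial_gates(const struct rule *r, int n, int port)
{
    for (int i = 0; i < n; i++)
        if (hits(&r[i], port) != r[i].forward)
            return 0;   /* missed a YES rule or matched a NO rule: dropped */
    return 1;
}

/* Rule lists from the post's example, plus "sealed" variants (Philosophy A). */
const struct rule pass_list[]    = { {25, 1}, {80, 1} };
const struct rule pass_sealed[]  = { {25, 1}, {80, 1}, {0, 0} };
const struct rule block_list[]   = { {23, 0} };            /* port 23 is constructed */
const struct rule block_opened[] = { {23, 0}, {0, 1} };

int main(void)
{
    const int ports[] = { 25, 80, 23 };
    puts("port  gates  first/drop  first/fwd  sealed/fwd");
    for (int i = 0; i < 3; i++)
        printf("%4d  %5d  %10d  %9d  %10d\n", ports[i],
               serial_gates(pass_list, 2, ports[i]),
               first_match(pass_list, 2, ports[i], 0),
               first_match(pass_list, 2, ports[i], 1),
               first_match(pass_sealed, 3, ports[i], 1));
    return 0;
}
```

Under first match, a pass-only list needs a trailing block rule exactly when the default is forward, and a block-only list needs a trailing pass rule exactly when the default is drop, which is the situation "Philosophy A" describes.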