The rest of this chapter and Chapter 8 show the kinds of rules you can specify for your packet filtering router in order to control what packets can and cannot flow to and from your network. There are a few things you need to know about these rules.
To avoid confusion, the example rules are specified with abstract descriptions, rather than with real addresses, as much as possible. Instead of using real source and destination addresses (e.g., 172.16.51.50), we use "Internal" or "External" to identify which networks we're talking about. Actual packet filtering systems usually require you to specify address ranges explicitly; the syntax varies from router to router.
In all of our packet filtering examples, the assumption is that, for each packet, the router goes through the rules in order until it finds one that matches, and then it takes the action specified by that rule. We assume an implicit default "deny" if no rules apply, although it's a good idea to specify an explicit default (and we generally do).
The syntax used in our filtering examples specifies the number of bits significant for comparison to other address after a slash character (/). Thus, 10.0.0.0/8 matches any address that starts with 10; it's equivalent to 10.0.0.0 with a UNIX netmask of 255.0.0.0, or 10.0.0.0 with a Cisco wildcard mask of 0.255.255.255, or (if it were a filename) 10.*.*.*.
Although we try to be as specific as possible in these examples, it's impossible to tell you precisely what you have to specify for your particular packet filtering product. The exact mechanism for specifying packet filtering rules varies widely from product to product. Some products (such as the screend package) allow you to specify a single set of rules that are applied to all packets routed by the system. Others (such as the Telebit NetBlazer) allow you to specify rules for particular interfaces. Still others (such as the Livingston and Cisco products) allow you to specify sets of rules and then apply sets by name to particular interfaces (so that you might define one set of rules that is shared by a number of different interfaces, for example, and put the rules that are unique to a given interface into a different set).
Here's a simple example to illustrate the differences. We chose these three systems because they represent somewhat different ways of specifying filters, not because of any particular preference for them; in general, other systems are similar to these. For example, Cisco's products are similar to Livingston's products in that you create sets of rules, then apply those rules to packets going in a particular direction through a particular interface. They are different in details of their syntax, such as in how you specify host addresses and bitmasks.
Let's say that you want to allow all IP traffic between a trusted external host (host 172.16.51.50) and hosts on your internal network (Class C net 192.168.10.0). In our examples, we would show this case as follows:
ACK | |||||
---|---|---|---|---|---|
Rule | Direction | Source Address | Destination Address | Set | Action |
A | Inbound | Trusted external host | Internal | Any | Permit |
B | Outbound | Internal | Trusted external host | Any | Permit |
C | Either | Any | Any | Any | Deny |
With screend, you would specify:
between host 172.16.51.50 and net 192.168.10 accept ; between host any and host any reject ;
With a Telebit NetBlazer, you also have to specify which interface the rule is to be applied to, and whether the rule applies to incoming or outgoing packets on that interface. For an external interface named "syn0", your rules would be:
permit 172.16.51.50/32 192.168.10/24 syn0 in deny 0.0.0.0/0 0.0.0.0/0 syn0 in permit 192.168.10/24 172.16.51.50/32 syn0 out deny 0.0.0.0/0 0.0.0.0/0 syn0 out
On a Livingston PortMaster or IRX, you would specify rules as a set and then apply the relevant set to the right direction on the right interface. If your external interface is named "s1", your rules would look something like this:
add filter s1.in set filter s1.in 1 permit 172.16.51.50/32 192.168.10.0/24 set filter s1.in 2 deny 0.0.0.0/0 0.0.0.0/0 set s1 ifilter s1.in add filter s1.out set filter s1.out 1 permit 192.168.10.0/24 172.16.51.50/32 set filter s1.out 2 deny 0.0.0.0/0 0.0.0.0/0 set s1 ofilter s1.out
On a Cisco router, you also specify rules as sets, and apply the relevant sets to the right direction on the right interface. If your external interface is named "serial1", your rules would look like this:
access-list 101 permit ip 172.16.51.50 0.0.0.0 192.168.10.0 0.0.0.255 access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 interface serial 1 access-group 101 in access-list 102 permit ip 192.168.10.0 0.0.0.255 172.16.51.50 0.0.0.0 access-list 102 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 interface serial 1 access-group 102 out
For detailed information on the syntax of a particular package or product, consult the documentation for that package or product. Once you understand the syntax for the particular system you are using, you shouldn't have too much difficulty translating from our tables to that system's syntax.
NOTE: Watch out for implicit defaults. Different filtering systems have different default actions they take if a packet doesn't match any of the filtering rules specified. Some systems deny all such packets. Other systems make the default the opposite of the last rule; that is, if the last rule was a "permit," the system default is to "deny," and if the last rule was a "deny," the default is to "permit." In any case, it's a good idea to put an explicit default rule at the end of your list of packet filtering rules, so you don't have to worry about (or even remember) which implicit default your system is going to use.