Knowledgebase

Online Technical Support

Software Upgrades: Please check our latest Download section.

Search Tip: You can increase the accuracy of your searches by using as many keywords as possible. Remove any common words such as "a", "or", "the" as they will be used in the search. Do not use any operands such as +, or quotation marks to enclose phrases.

Perle Knowledgebase      
Configuring TCP/IP filters

Go Back Printable Version Suggest New Article Bookmark This Article

Issue:

This document goes over a simple setup for TCP/IP filtering on the 833 servers.

Creating filters to permit the Dial In client to communicate to one host on the LAN, and deny communication to all other hosts.

Solution:

For a Dial In client to communicate to a host on the LAN, it must be able to send and recieve data.

Two filters will have to be created, one to permit data sent to the LAN host and one to permit data recieved from the LAN host. Then configure the Perle to deny communication to all other hosts.

This is achieved by:

  1. Add a new filter. Set the Action as Accept, with Source address blank and Destination address as the LAN host. Leave the filter mask at 255.255.255.255 and Protocol to none.
  2. Add another filter. Set the Action as Accept, with Source address as the LAN host and Destination address blank. Leave the filter mask at 255.255.255.255 and Protocol to none.
  3. Then add both filters to the assignment list and set the Default Action as Deny.

With this filter arrangement, all TCP/IP packets going to the Destination and all TCP/IP packets recieved by the Source will be permitted.
All other packets are denied.

On the 833IS the configuration file will appear as this example:
!
ip access-list extended from
permit ip host 1.2.3.4 any
!
ip access-list extended to
permit ip any host 1.2.3.4

As soon as the packet matches one of the filters, then the packet is accpeted or rejected and no further checking is done. If the packet does not match any assigned filters, then the default action will be carried out.

The packet address is logically AND to the filter mask and compared to the filter address AND filter mask.
Example:

10.6.0.0 && 255.255.0.0 =

00001010.00000110.00000000.00000000
11111111.11111111.00000000.00000000
=
00001010.00000110.00000000.00000000

10.6.135.165 && 255.255.0.0 =

00001010.00000110.10000111.10100101
11111111.11111111.00000000.00000000
=
00001010.00000110.00000000.00000000

after the Filter Mask both address are equal

10.36.99.235 && 255.255.0.0 =

00001010.00100100.01100011.11101011
11111111.11111111.00000000.00000000
=
00001010.00100100.00000000.00000000

after the Filter Mask this is not equal


How useful is this article?

Less More



Article ID: 70

Published: 1/15/2003 10:28:19 AM

Last Modified: 10/1/2003 11:02:30 AM

Issue Type: Configuration


Go Back Printable Version Suggest New Article Bookmark This Article


Back to top