Prestige 623ME-T User’s Guide
Chapter 18
Filter Configuration
This chapter shows you how to create and apply filters.
18.1 About Filtering
Your Prestige uses filters to decide whether or not to allow passage of a data packet and/or to make a call.
There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters, which are discussed later.
Data filtering screens data to determine if the packet should be allowed to pass. Data filters are divided into incoming and outgoing filters, depending on the direction of the packet relative to a port. Data filtering can be applied on either the WAN side or the Ethernet side. Call filtering is used to determine if a packet should be allowed to trigger a call.
Outgoing packets must undergo data filtering before they encounter call filtering. Call filters are divided into two groups, the built-in call filters and user-defined call filters. Your Prestige has built-in call filters that prevent administrative packets, for example RIP, from triggering calls. These filters are always enabled and not accessible to you. Your Prestige applies the built-in filters first and then the user-defined call filters, if applicable, as shown next.
[Figure 18-1 Outgoing Packet Filtering Process: flowchart. An outgoing packet first passes the active data filters; a match drops the packet. A packet that is not dropped then passes the built-in default call filters and, if applicable, the user-defined call filters. If no call filter matches, the packet initiates a call if the line is not up, is sent, and resets the idle timer. If a call filter matches, the packet is dropped if the line is not up; otherwise it is sent but does not reset the idle timer.]
Two sets of factory filter rules have been configured in menu 21 to prevent NetBIOS traffic from triggering calls. A summary of their filter rules is shown in the figures that follow.
The following figure illustrates the logic flow when executing a filter rule.
[Figure 18-2 Filter Rule Process: flowchart. A packet enters the filter; the first applied filter set and its first rule are fetched. An inactive rule is skipped and the next rule fetched. An active rule is executed and yields one of Forward (accept the packet), Drop (drop the packet) or Check Next Rule. When no rule remains in the set, the next applied filter set is fetched; when no filter set remains, the packet is accepted.]
You can apply up to four filter sets to a particular port to block various types of packets. Because each filter set can have up to six rules, you can have a maximum of 24 rules active for a single port.
For incoming packets, your Prestige applies data filters only. Packets are processed depending on whether a match is found. The following sections describe how to configure filter sets.
The Filter Structure of the Prestige
A filter set consists of one or more filter rules. Usually, you would group related rules, for example, all the rules for NetBIOS, into a single set and give it a descriptive name. You can configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system.
18.2 Configuring a Filter Set
To configure a filter set, follow the steps shown next.
Step 1. Enter 21 in the main menu to display Menu 21 – Filter Set Configuration.
Menu 21 - Filter Set Configuration
Filter Filter
Set # Comments Set # Comments
------ ----------------- ------ -----------------
1 NetBIOS_WAN 7 _______________
2 NetBIOS_LAN 8 _______________
3 PPPoE 9 _______________
4 10 _______________
5 11 _______________
6 _______________ 12 _______________
Enter Filter Set Number to Configure= 0
Edit Comments= N/A
Press ENTER to Confirm or ESC to Cancel:
Figure 18-3 Menu 21 Filter Set Configuration
Step 2. Type the filter set to configure (no. 1 to 12) and press [ENTER].
Step 3. Type a descriptive name or comment in the Edit Comments field and press [ENTER].
Step 4. Press [ENTER] at the message “Press ENTER to confirm…” to display Menu 21.1 – Filter Rules Summary (that is, if you selected filter set 1 in menu 21).
Menu 21.1 - Filter Rules Summary
# A Type Filter Rules M m n
- - ---- --------------------------------------------------------------- - - -
1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=137 N D N
2 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=138 N D N
3 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=139 N D N
4 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=137 N D N
5 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=138 N D N
6 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=139 N D F
Enter Filter Rule Number (1-6) to Configure:
Figure 18-4 NetBIOS_WAN Filter Rules Summary
Menu 21.2 - Filter Rules Summary
# A Type Filter Rules M m n
- - ---- --------------------------------------------------------------- - - -
1 Y IP Pr=17, SA=0.0.0.0, SP=137, DA=0.0.0.0, DP=53 N D F
2 N
3 N
4 N
5 N
6 N
Enter Filter Rule Number (1-6) to Configure:
Figure 18-5 NetBIOS_LAN Filter Rules Summary
Menu 21.4 - Filter Rules Summary
# A Type Filter Rules M m n
- - ---- --------------------------------------------------------------- - - -
1 Y Gen Off=12, Len=2, Mask=ffff, Value=8863 N F N
2 Y Gen Off=12, Len=2, Mask=ffff, Value=8864 N F D
3 N
4 N
5 N
6 N
Enter Filter Rule Number (1-6) to Configure:
Figure 18-6 PPPoE Filter Rules Summary
18.2.1 Filter Rules Summary Menus
The following tables briefly describe the abbreviations used in menu 21.x.
Table 18-1 Abbreviations Used in the Filter Rules Summary Menu
FIELD         DESCRIPTION
#             The filter rule number: 1 to 6.
A             Active: “Y” means the rule is active. “N” means the rule is inactive.
Type          The type of filter rule: “GEN” for Generic, “IP” for TCP/IP.
Filter Rules  The rule parameters are displayed here.
M             More. “Y” means there are more rules to check which form a rule chain with the present rule. An action cannot be taken until the rule chain is complete. “N” means there are no more rules to check. You can specify an action to be taken, for instance, forward the packet, drop the packet or check the next rule. For the latter, the next rule is independent of the rule just checked.
m             Action Matched. “F” means to forward the packet immediately and skip checking the remaining rules. “D” means to drop the packet. “N” means to check the next rule.
n             Action Not Matched. “F” means to forward the packet immediately and skip checking the remaining rules. “D” means to drop the packet. “N” means to check the next rule.
The protocol dependent filter rules abbreviation are listed as follows:
Table 18-2 Rule Abbreviations Used
FILTER TYPE   DESCRIPTION
IP
  Pr          Protocol
  SA          Source Address
  DA          Destination Address
  SP          Source Port Number
  DP          Destination Port Number
GEN
  Off         Offset
  Len         Length
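As an added example (not part of the ZyXEL guide), the following Python parses Filter Rules Summary lines in the format of Figures 18-4 to 18-6 into the fields of Tables 18-1 and 18-2, and applies the checks a reviewer of a saved console dump would want: the one-class-per-set rule of section 18.3, a rule chain that is never closed, and a last rule that can fall through to the next set. The sample text is copied from Figures 18-4 and 18-5; the function names and the wording of the descriptions are this example's own.

```python
"""Added example, not from the ZyXEL guide: parse the Menu 21.x Filter Rules Summary
lines described in Tables 18-1 and 18-2 so a saved console dump can be audited offline.
The sample text at the bottom is copied from Figures 18-4 and 18-5."""
import re
from dataclasses import dataclass, field

# "# A Type Filter Rules ... M m n"; an unconfigured rule prints only its number and "N".
RULE_LINE = re.compile(
    r"^\s*(?P<num>[1-6])\s+(?P<active>[YN])"
    r"(?:\s+(?P<type>IP|Gen)\s+(?P<params>.*?)"
    r"\s+(?P<M>[YN])\s+(?P<m>[FDN])\s+(?P<n>[FDN]))?\s*$")
PROTO = {"1": "ICMP", "6": "TCP", "17": "UDP"}
ACTION = {"F": "forward", "D": "drop", "N": "check next rule"}

@dataclass
class SummaryRule:
    num: int
    active: bool
    type: str = ""                    # "IP", "Gen", or "" when unconfigured
    params: dict = field(default_factory=dict)
    more: str = ""                    # M column
    matched: str = ""                 # m column
    not_matched: str = ""             # n column

def parse_summary(text: str) -> list:
    """One SummaryRule per rule line; title, header and prompt lines are skipped."""
    rules = []
    for line in text.splitlines():
        mo = RULE_LINE.match(line)
        if not mo:
            continue
        g = mo.groupdict()
        params = {}
        for item in (g["params"] or "").split(","):
            key, _, value = item.strip().partition("=")
            if key:
                params[key] = value
        rules.append(SummaryRule(int(g["num"]), g["active"] == "Y", g["type"] or "",
                                 params, g["M"] or "", g["m"] or "", g["n"] or ""))
    return rules

def describe(rule: SummaryRule) -> str:
    """One-line reading of a rule, e.g. for a change-review ticket."""
    if not rule.type:
        return f"rule {rule.num}: not configured"
    p = rule.params
    if rule.type == "IP":
        pr = p.get("Pr", "0")
        proto = "any protocol" if pr == "0" else PROTO.get(pr, f"protocol {pr}")
        # SA/DA of 0.0.0.0 and ports of 0 are ignored by the Prestige (Table 18-3)
        fields = " ".join(f"{k}={v}" for k, v in p.items()
                          if k in ("SA", "DA", "SP", "DP") and v not in ("0.0.0.0", "0"))
        what = f"{proto} {fields}".strip()
    else:
        what = f"bytes at offset {p.get('Off')}, length {p.get('Len')}, & 0x{p.get('Mask')} == 0x{p.get('Value')}"
    tail = ("chained to the next rule" if rule.more == "Y" else
            f"matched: {ACTION[rule.matched]}, not matched: {ACTION[rule.not_matched]}")
    state = "" if rule.active else " (inactive)"
    return f"rule {rule.num}{state}: {what}; {tail}"

def audit_set(rules: list) -> list:
    """Reviewer checks: one rule class per set (section 18.3), no chain left open, and a
    warning when the last active rule can fall through to 'check next rule', which on the
    last applied set means the packet is accepted (Figure 18-2)."""
    problems = []
    configured = [r for r in rules if r.type and r.active]
    if len({r.type for r in configured}) > 1:
        problems.append("mixed IP and Gen rules in one set")
    if configured:
        last = configured[-1]
        if last.more == "Y":
            problems.append(f"rule {last.num} has More=Y but no later rule completes the chain")
        elif "N" in (last.matched, last.not_matched):
            problems.append(f"rule {last.num} can fall through to the next set (accept if none)")
    return problems

# Constructed input: Figures 18-4 (NetBIOS_WAN) and 18-5 (NetBIOS_LAN) as printed by menu 21.x.
NETBIOS_WAN = """Menu 21.1 - Filter Rules Summary
 # A Type Filter Rules                                                   M m n
 - - ---- --------------------------------------------------------------- - - -
 1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=137                             N D N
 2 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=138                             N D N
 3 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=139                             N D N
 4 Y IP   Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=137                            N D N
 5 Y IP   Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=138                            N D N
 6 Y IP   Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=139                            N D F
Enter Filter Rule Number (1-6) to Configure:"""
NETBIOS_LAN = """Menu 21.2 - Filter Rules Summary
 1 Y IP   Pr=17, SA=0.0.0.0, SP=137, DA=0.0.0.0, DP=53                     N D F
 2 N
 3 N
Enter Filter Rule Number (1-6) to Configure:"""

if __name__ == "__main__":
    for text in (NETBIOS_WAN, NETBIOS_LAN):
        rules = parse_summary(text)
        print(*map(describe, rules), sep="\n")
        print("audit:", audit_set(rules) or "ok")
```

Paste the text of any Menu 21.x screen into parse_summary; rules 1 to 5 of NetBIOS_WAN are reported as ending in "check next rule", which is correct only because rule 6 closes the set with n=F.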
18.3 Configuring a Filter Rule
To configure a filter rule, type its number in Menu 21.x – Filter Rules Summary and press [ENTER] to open menu 21.x.1 for the rule.
There are two types of filter rules: TCP/IP and Generic. Depending on the type of rule, the parameters for each type will be different. Use [SPACE BAR] to select the type of rule that you want to create in the Filter Type field and press [ENTER] to open the respective menu.
To speed up filtering, all rules in a filter set must be of the same class, for instance, protocol filters or generic filters. The class of a filter set is determined by the first rule that you create. When applying the filter sets to a port, separate menu fields are provided for protocol and device filter sets. If you include a protocol filter set in a device filters field or vice versa, the Prestige will warn you and will not allow you to save.
18.3.1 TCP/IP Filter Rule
This section shows you how to configure a TCP/IP filter rule. TCP/IP rules allow you to base the rule on the fields in the IP and the upper layer protocol, for example, UDP and TCP headers.
To configure TCP/IP rules, select TCP/IP Filter Rule from the Filter Type field and press [ENTER] to open Menu 21.x.1 – TCP/IP Filter Rule, as shown next.
Menu 21.6.1 - TCP/IP Filter Rule
Filter #: 6,1
Filter Type= TCP/IP Filter Rule
Active= No
IP Protocol= 0 IP Source Route= No
Destination: IP Addr=
IP Mask=
Port #=
Port # Comp= None
Source: IP Addr=
IP Mask=
Port #=
Port # Comp= None
TCP Estab= N/A
More= No Log= None
Action Matched= Check Next Rule
Action Not Matched= Check Next Rule
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.
Figure 18-7 Menu 21.x.1 TCP/IP Filter Rule
The following table describes how to configure your TCP/IP filter rule.
Table 18-3 Menu 21.x.1 TCP/IP Filter Rule
FIELD | DESCRIPTION | EXAMPLE
Filter # | This is the filter set, filter rule coordinates, for instance, 2, 3 refers to the second filter set and the third filter rule of that set. | 6,1
Filter Type | Use [SPACE BAR] and then [ENTER] to choose a rule type. Parameters displayed for each type will be different. Choices are TCP/IP Filter Rule or Generic Filter Rule. | TCP/IP Filter Rule
Active | Select Yes to activate or No to deactivate the filter rule. | No (default)
IP Protocol | This is the upper layer protocol, for example, TCP is 6, UDP is 17 and ICMP is 1. The value must be between 0 and 255. A value of 0 matches ANY protocol. | 0 to 255
IP Source Route | IP Source Route is an optional header that dictates the route an IP packet takes from its source to its destination. If Yes, the rule applies to any packet with an IP source route. The majority of IP packets do not have a source route. | No (default)
Destination: IP Addr | Type the destination IP address of the packet you want to filter. This field is ignored if it is 0.0.0.0. | IP address
Destination: IP Mask | Type the IP mask to apply to the Destination: IP Addr field. | IP mask
Destination: Port # | Type the destination port of the packets you want to filter. The field range is 0 to 65535. A 0 field is ignored. | 0 to 65535
Destination: Port # Comp | Select the comparison to apply to the destination port in the packet against the value given in Destination: Port #. Choices are None, Less, Greater, Equal or Not Equal. | None
Source: IP Addr | Type the source IP address of the packet you want to filter. A 0.0.0.0 field is ignored. | IP address
Source: IP Mask | Type the IP mask to apply to the Source: IP Addr field. | IP mask
Source: Port # | Type the source port of the packets you want to filter. The range of this field is 0 to 65535. A 0 field is ignored. | 0 to 65535
Source: Port # Comp | Select the comparison to apply to the source port in the packet against the value given in the Source: Port # field. Choices are None, Less, Greater, Equal or Not Equal. | None
TCP Estab | This applies only when the IP Protocol field is 6, TCP. If Yes, the rule matches packets that want to establish TCP connection(s) (SYN=1 and ACK=0); else it is ignored. | No (default)
More | If Yes, a matching packet is passed to the next filter rule before an action is taken; otherwise the packet is disposed of according to the action fields. If More is Yes, then Action Matched and Action Not Matched will be N/A. | No (default)
Log | Select the logging option from the following: None – No packets will be logged. Action Matched – Only packets that match the rule parameters will be logged. Action Not Matched – Only packets that do not match the rule parameters will be logged. Both – All packets will be logged. | None
Action Matched | Select the action for a matching packet. Choices are Check Next Rule, Forward or Drop. | Check Next Rule (default)
Action Not Matched | Select the action for a packet not matching the rule. Choices are Check Next Rule, Forward or Drop. | Check Next Rule (default)
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to confirm or ESC to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen.
The following figure illustrates the logic flow of an IP filter.
[Figure 18-8 Executing an IP Filter: flowchart. If the rule is not active, go to Check Next Rule. Otherwise apply SrcAddrMask to the source address and check Src IP Addr; apply DestAddrMask to the destination address and check Dest IP Addr; check IP Protocol; check Src & Dest Port. Any step that is Not Matched leads to Action Not Matched. If all steps match and More is Yes, go to Check Next Rule; if More is No, go to Action Matched. Either action is one of Check Next Rule, Forward (Accept Packet) or Drop (Drop Packet).]
18.3.2 Generic Filter Rule
This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly.
For generic rules, the Prestige treats a packet as a byte stream as opposed to an IP packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes. The Prestige applies the Mask (bit-wise ANDing) to the data portion before comparing the result against the Value to determine a match. The Mask and Value fields are specified in hexadecimal numbers. Note that it takes two hexadecimal digits to represent a byte, so if the length is 4, the value in either field will take 8 digits, for example, FFFFFFFF.
To configure a generic rule select an empty filter set in menu 21, for example 6. Select Generic Filter Rule in the Filter Type field and press [ENTER] to open Menu 21.6.1 – Generic Filter Rule, as shown in the following figure.
Menu 21.6.1 - Generic Filter Rule
Filter #: 6,1
Filter Type= Generic Filter Rule
Active= No
Offset= 0
Length= 0
Mask= N/A
Value= N/A
More= No Log= None
Action Matched= Check Next Rule
Action Not Matched= Check Next Rule
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.
Figure 18-9 Menu 21.6.1 Generic Filter Rule
The next table describes the fields in the Generic Filter Rule menu.
Table 18-4 Menu 21.6.1 Generic Filter Rule
FIELD | DESCRIPTION | EXAMPLE
Filter # | This is the filter set, filter rule coordinates, for instance, 2, 3 refers to the second filter set and the third rule of that set. | 6,1
Filter Type | Press [SPACE BAR] and then [ENTER] to select a type of rule. Parameters displayed below each type will be different. Choices are Generic Filter Rule or TCP/IP Filter Rule. | Generic Filter Rule
Active | Select Yes to turn on or No to turn off the filter rule. | No (default)
Offset | Type the starting byte of the data portion in the packet that you want to compare. The range for this field is from 0 to 255. | 0 (default)
Length | Type the byte count of the data portion in the packet that you want to compare. The range for this field is 0 to 8. | 0 (default)
Mask | Type the mask (in hexadecimal) to apply to the data portion before comparison. |
Value | Type the value (in hexadecimal) to compare with the data portion. |
More | If Yes, a matching packet is passed to the next filter rule before an action is taken; otherwise the packet is disposed of according to the action fields. If More is Yes, then Action Matched and Action Not Matched will be N/A. | No (default)
Log | Select the logging option from the following: None – No packets will be logged. Action Matched – Only packets that match the rule parameters will be logged. Action Not Matched – Only packets that do not match the rule parameters will be logged. Both – All packets will be logged. | None
Action Matched | Select the action for a matching packet. Choices are Check Next Rule, Forward or Drop. | Check Next Rule (default)
Action Not Matched | Select the action for a packet not matching the rule. Choices are Check Next Rule, Forward or Drop. | Check Next Rule (default)
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to confirm or ESC to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen.
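The following Python is an added example, not ZyXEL code. It models the evaluation described in section 18.1 (Figure 18-2), section 18.3.1 (Figure 18-8, Table 18-3) and section 18.3.2 (Table 18-4), and runs the factory sets of Figures 18-4 and 18-6 and the TELNET_WAN set of section 18.5 against constructed packets and Ethernet frames. The Packet class, the frame layout, the assumption that the summary's DP=137 and similar entries mean an Equal comparison, and the handling of a chained rule whose link fails (the guide marks its Action Not Matched N/A) are this example's own; each is marked in a comment.

```python
"""Added example, not ZyXEL code: how the Prestige evaluates applied filter sets
(Figure 18-2), TCP/IP rules (Figure 18-8, Table 18-3) and generic rules (Table 18-4).
The Packet class, the constructed frames and the "Equal" comparison assumed for the
factory NetBIOS rules are this example's own, not the guide's."""
from dataclasses import dataclass
from ipaddress import IPv4Address

CHECK_NEXT, FORWARD, DROP = "Check Next Rule", "Forward", "Drop"

@dataclass
class Packet:                 # constructed input for TCP/IP rules
    src: str; dst: str; proto: int
    sport: int = 0; dport: int = 0
    syn: bool = False; ack: bool = False

def _addr_match(rule_addr, rule_mask, pkt_addr):
    if rule_addr == "0.0.0.0":    # Table 18-3: a 0.0.0.0 address field is ignored
        return True
    mask = int(IPv4Address(rule_mask))
    return int(IPv4Address(pkt_addr)) & mask == int(IPv4Address(rule_addr)) & mask

def _port_match(comp, rule_port, pkt_port):
    if comp == "None" or rule_port == 0:   # a 0 port field is ignored
        return True
    return {"Equal": pkt_port == rule_port, "Not Equal": pkt_port != rule_port,
            "Less": pkt_port < rule_port, "Greater": pkt_port > rule_port}[comp]

@dataclass
class IPRule:                 # fields of Menu 21.x.1 - TCP/IP Filter Rule
    protocol: int = 0         # 0 matches any protocol
    dst: str = "0.0.0.0"; dst_mask: str = "0.0.0.0"; dport: int = 0; dcomp: str = "None"
    src: str = "0.0.0.0"; src_mask: str = "0.0.0.0"; sport: int = 0; scomp: str = "None"
    tcp_estab: bool = False   # only meaningful with protocol 6: matches SYN=1, ACK=0
    active: bool = True; more: bool = False
    matched: str = CHECK_NEXT; not_matched: str = CHECK_NEXT

    def match(self, pkt: Packet) -> bool:   # check order follows Figure 18-8
        return (_addr_match(self.src, self.src_mask, pkt.src)
                and _addr_match(self.dst, self.dst_mask, pkt.dst)
                and self.protocol in (0, pkt.proto)
                and _port_match(self.scomp, self.sport, pkt.sport)
                and _port_match(self.dcomp, self.dport, pkt.dport)
                and (not self.tcp_estab or self.protocol != 6 or (pkt.syn and not pkt.ack)))

@dataclass
class GenericRule:            # fields of Menu 21.x.1 - Generic Filter Rule
    offset: int; length: int
    mask: str; value: str     # hexadecimal, two digits per byte
    active: bool = True; more: bool = False
    matched: str = CHECK_NEXT; not_matched: str = CHECK_NEXT

    def __post_init__(self):  # ranges and digit counts from section 18.3.2 and Table 18-4
        if not (0 <= self.offset <= 255 and 0 <= self.length <= 8
                and len(self.mask) == len(self.value) == 2 * self.length):
            raise ValueError("Offset 0-255, Length 0-8, Mask/Value 2*Length hex digits")

    def match(self, frame: bytes) -> bool:
        window = frame[self.offset:self.offset + self.length]
        if len(window) < self.length:   # assumption: a frame too short for the window does not match
            return False
        return int.from_bytes(window, "big") & int(self.mask, 16) == int(self.value, 16)

def run_filter_sets(filter_sets, data) -> str:
    """Figure 18-2: applied sets are walked in order; the first Forward or Drop decides;
    running out of rules and sets accepts the packet (returns FORWARD)."""
    for rules in filter_sets:
        i = 0
        while i < len(rules):
            rule = rules[i]
            if not rule.active:
                i += 1; continue
            if rule.match(data):
                if rule.more:         # chain: the action waits for the chain's last rule
                    i += 1; continue
                action = rule.matched
            elif rule.more:
                # The guide makes Action Not Matched N/A on a chained rule. Assumption here:
                # a failed link abandons the whole chain and resumes after its last rule.
                while i < len(rules) and rules[i].more:
                    i += 1
                i += 1; continue
            else:
                action = rule.not_matched
            if action in (FORWARD, DROP):
                return action
            i += 1                    # Check Next Rule
    return FORWARD                    # no set decided: Accept Packet

# Factory sets of Figures 18-4 and 18-6 and the TELNET_WAN set of Figure 18-13.
NETBIOS_WAN = [IPRule(protocol=pr, dport=dp, dcomp="Equal", matched=DROP,
                      not_matched=FORWARD if (pr, dp) == (17, 139) else CHECK_NEXT)
               for pr in (6, 17) for dp in (137, 138, 139)]
PPPOE = [GenericRule(12, 2, "ffff", "8863", matched=FORWARD),
         GenericRule(12, 2, "ffff", "8864", matched=FORWARD, not_matched=DROP)]
TELNET_WAN = [IPRule(protocol=6, dport=23, dcomp="Equal", matched=DROP, not_matched=FORWARD)]

def ethernet_frame(ethertype: int) -> bytes:   # constructed 60-byte frame
    # 6-byte destination and source MACs, then the 2-byte type field at offset 12
    return bytes(range(6)) + bytes(range(6, 12)) + ethertype.to_bytes(2, "big") + bytes(46)
```

Two points the model makes visible: the PPPoE set accepts only frames whose type field is 8863 or 8864 and drops everything else, because rule 2 has n=D; and because SA and DA are 0.0.0.0 in TELNET_WAN, the destination address is ignored, so the rule blocks TCP port 23 to any host, not only to the Prestige.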
18.4 Filter Types and NAT
There are two classes of filter rules, Generic Filter Device rules and Protocol Filter (TCP/IP) rules.
Generic Filter rules act on the raw data from/to LAN and WAN. Protocol Filter rules act on IP packets.
When NAT (Network Address Translation) is enabled, the inside IP address and port number are replaced on a connection-by-connection basis, which makes it impossible to know the exact address and port on the wire. Therefore, the Prestige applies the protocol filters to the “native” IP address and port number, before NAT for outgoing packets and after NAT for incoming packets. In practice this means the Source and Destination IP Addr fields of a protocol rule must be written in terms of the inside (LAN) addresses, not the public NAT address. On the other hand, the generic (or device) filters are applied to the raw packets that appear on the wire. They are applied at the point where the Prestige is receiving and sending the packets, that is, the interface. The interface can be an Ethernet port or any other hardware port. The following figure illustrates this.
Figure 18-10 Protocol and Device Filter Sets
18.5 Example Filter
Let’s look at an example to block outside telnet access to the Prestige.
Figure 18-11 Sample Telnet Filter
Step 1. Enter 21 in the main menu to display Menu 21 — Filter Set Configuration.
Step 2. Enter the index number of the filter set you want to configure (in this case 3).
Step 3. Type a descriptive name or comment in the Edit Comments field (for example, TELNET_WAN) and press [ENTER].
Step 4. Press [ENTER] at the message “Press [ENTER] to confirm or [ESC] to cancel” to open Menu 21.3 — Filter Rules Summary.
Step 5. Type 1 to configure the first filter rule. Make the entries in this menu as shown next.
When you press [ENTER] to confirm, the following screen appears. Note that there is only one filter rule in this set.

Menu 21.3.1 - TCP/IP Filter Rule
Filter #: 3,1
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6 IP Source Route= No
Destination: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #= 23
Port # Comp= Equal
Source: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #=
Port # Comp= Equal
TCP Estab= No
More= No Log= None
Action Matched= Drop
Action Not Matched= Forward
Press ENTER to Confirm or ESC to Cancel:

Notes on the fields (callouts in the original figure):
Filter Type: Press [SPACE BAR] to choose this filter rule type. The first filter rule type determines all subsequent filter types within a set.
Active: Select Yes to make the rule active.
IP Protocol: 6 is the TCP protocol.
Destination: Port #: The port number for the telnet service (TCP protocol) is 23. See RFC-1060 for port numbers of well-known services.
Destination: Port # Comp: Select Equal here as we are looking for packets going to port 23 only.
More: There are no more rules to check.
Action Matched: Select Drop here so that the packet will be dropped if its destination is the telnet port.
Action Not Matched: Select Forward here so that the packet will be forwarded if its destination is not the telnet port and there are no more rules in this filter set to check. Select Check Next Rule if there are more rules to check.
Figure 18-12 Menu 21.3.1 Sample Filter
Menu 21.3 - Filter Rules Summary
# A Type Filter Rules M m n
- - ---- --------------------------------------------------------------- - - -
1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23 N D F
2 N
3 N
4 N
5 N
6 N
Enter Filter Rule Number (1-6) to Configure: 1
This shows you that you have configured and activated (A = Y) a TCP/IP filter rule (Type = IP, Pr = 6) for the telnet destination port (DP = 23). M = N means an action can be taken immediately. The action is to drop the packet (m = D) if the rule is matched and to forward the packet immediately (n = F) if the rule is not matched, no matter whether there are more rules to be checked (there aren’t in this example). Because SA and DA are 0.0.0.0 and are therefore ignored, the rule matches TCP port 23 traffic to any destination: applied to the remote node's Input Filter Sets it blocks telnet to hosts on the LAN as well as to the Prestige itself.
Figure 18-13 Menu 21.3 Sample Filter Rules Summary
After you have created the filter set, you must apply it.
Step 1. Enter 11 in the main menu to display menu 11 and type the remote node number to edit.
Step 2. Go to the Edit Filter Sets field, press [SPACE BAR] to choose Yes and press [ENTER].
Step 3. This brings you to menu 11.5. Apply the example filter set (for example, filter set 3) in this menu as shown in the next section.
18.6 Applying Filters and Factory Defaults
This section shows you where to apply the filter sets after you have designed them. Sets of factory default filter rules have been configured in menu 21 (but have not been applied) to filter traffic.
Table 18-5 Filter Sets Table
FILTER SETS DESCRIPTION
Input Filter Sets: Apply filters for incoming traffic. You may apply protocol or device filter rules. See earlier in this chapter for information on filters.
Output Filter Sets: Apply filters for traffic leaving the Prestige. You may apply protocol or device filter rules. See earlier in this chapter for information on the types of filters.
Call Filter Sets: Apply filters to decide if a packet should be allowed to trigger a call.
18.6.1 Ethernet Traffic
You seldom need to filter Ethernet traffic; however, the filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 3.1 (shown next) and type the number(s) of the filter set(s) that you want to apply as appropriate. You can choose up to four filter sets (from twelve) by typing their numbers separated by commas, for example, 2, 4, 6, 11. The factory default filter set, NetBIOS_LAN, is inserted in the protocol filters field under Input Filter Sets in menu 3.1 in order to prevent local NetBIOS messages from triggering calls to the DNS server.

Menu 3.1 - LAN Port Filter Setup
Input Filter Sets:
protocol filters= 2
device filters=
Output Filter Sets:
protocol filters=
device filters=
Press ENTER to Confirm or ESC to Cancel:

Apply filter set 2 (NetBIOS_LAN) to block NetBIOS traffic from the LAN.
Figure 18-14 Filtering Ethernet Traffic
18.6.2 Remote Node Filters
Go to menu 11.5 (shown next) and type the number(s) of the filter set(s) as appropriate. You can cascade up to four filter sets by typing their numbers separated by commas. The factory default filter set, NetBIOS_WAN, is inserted in the protocol filters field under Call Filter Sets in menu 11.5 to block local NetBIOS traffic from triggering calls to the ISP.
Menu 11.5 - Remote Node Filter
Input Filter Sets:
protocol filters= 5
device filters=
Output Filter Sets:
protocol filters= 4
device filters=
Call Filter Sets:
Protocol filters= 1
Device filters=
Enter here to CONFIRM or ESC to CANCEL:
Apply filter set 5 under Input Filter Sets to block FTP traffic from the WAN (set 5 is empty in the factory configuration; the example assumes you have built such a set). Apply default filter sets 1 and 4 here as shown. Call Filter Sets are only shown with PPPoA or PPPoE encapsulation; when using Ethernet encapsulation, enter 1 in the protocol filters field under Output Filter Sets instead.
Figure 18-15 Filtering Remote Node Traffic
Note that call filter sets are visible when you select PPPoA or PPPoE encapsulation.