Chapter 6 Filter Configuration. ZyXEL Prestige 100L, 100L
Below you will find brief information for IDSL Router Prestige 100L. This guide helps you set up your new ZyXEL Prestige 100L IDSL router for internet access and networking. It covers hardware installation, initial setup, internet access configuration (including Single User Account), remote node setup, and advanced features like filtering and network management. Learn how to connect to your IDSL service, configure your LAN, and secure your network.
Prestige 100L IDSL Router
Chapter 6
Filter Configuration
This chapter shows you how to create and apply filter(s).
6.1 About Filtering
Your Prestige uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters, which are discussed later.
Data filtering screens the data to determine if the packet should be allowed to pass. Data filters are divided into incoming and outgoing filters, depending on the direction of the packet relative to a port. Data filtering can be applied on either the WAN side or the Ethernet side. Call filtering is used to determine if a packet should be allowed to trigger a call. Outgoing packets must undergo data filtering before they encounter call filtering as shown in the following figure.
[Figure 6-1 is a flow diagram. Outgoing Packet -> Data Filtering. Match: Drop packet. No match: Call Filtering, first the Built-in default Call Filters, then the User-defined Call Filters (if applicable). A match on either call filter: Drop packet if line not up, or Send packet but do not reset Idle Timer. No match (Active Data): Initiate call if line not up; Send packet and reset Idle Timer.]
Figure 6-1 Outgoing Packet Filtering Process
For incoming packets, your Prestige applies data filters only. Packets are processed depending upon whether a match is found. The following sections describe how to configure filter sets.
6.1.1 The Filter Structure of the Prestige
A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The Prestige allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system. You cannot mix device filter rules and protocol filter rules within the same set. You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
Three sets of factory default filter rules have been configured in Menu 21 to prevent NetBIOS traffic from triggering calls and to prevent incoming telnetting. A summary of their filter rules is shown in the figures that follow.
The following diagram illustrates the logic flow when executing a filter rule.
[Figure 6-2 is a flow diagram. Start -> Packet into Filter -> Fetch First Filter Set -> Fetch First Filter Rule -> Active? (No: Check Next Rule; Yes: Execute Filter Rule). The rule result is Forward (Accept Packet), Drop (Drop Packet) or Check Next Rule. Check Next Rule -> Next Filter Rule Available? (Yes: Fetch Next Filter Rule; No: Next Filter Set Available? Yes: Fetch Next Filter Set; No: Accept Packet).]
Figure 6-2 Filter Rule Process
6.2 Configuring a Filter Set
To configure a filter set, follow the procedure below.
Step 1. Select option 21. Filter Set Configuration from the Main Menu to open Menu 21.
Menu 21 - Filter Set Configuration

Filter                        Filter
Set #   Comments              Set #   Comments
------  ------------------    ------  ------------------
  1     NetBIOS_WAN             7     ______________
  2     NetBIOS_LAN             8     ______________
  3     ______________          9     ______________
  4     ______________         10     ______________
  5     ______________         11     ______________
  6     ______________         12     ______________

Enter Filter Set Number to Configure= 0
Edit Comments=
Press ENTER to CONFIRM or ESC to CANCEL:
Figure 6-3 Menu 21 – Filter Set Configuration
Step 2. Select the filter set you wish to configure (nos. 1-12) and press the [Enter] key.
Step 3. Enter a descriptive name or comment in the Edit Comments field and press the [Enter] key.
Step 4. Press the [Enter] key at the message: [Press ENTER to confirm] to open Menu 21.1.1 – Filter Rules Summary.
Menu 21.1 - Filter Rules Summary
# A Type Filter Rules M m n
- - ---- -------------------------------------------- --------- - - -
1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=137 N D N
2 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=138 N D N
3 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=139 N D N
4 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=137 N D N
5 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=138 N D N
6 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=139 N D F
Enter Filter Rule Number (1-6) to Configure:
Figure 6-4 Filter Rules Summary
6.2.1 Filter Rules Summary Menu
This screen shows the summary of the existing rules in the filter set. The following tables contain a brief description of the abbreviations used in the previous menus.
Table 6-1 Abbreviations Used in the Filter Rules Summary Menu

ABBREVIATION: #
  DESCRIPTION: Refers to the filter rule number (1 to 6).

ABBREVIATION: A
  DESCRIPTION: Shows whether the rule is active or not.
  DISPLAY: [Y] means the filter rule is active. [N] means the filter rule is inactive.

ABBREVIATION: Type
  DESCRIPTION: Refers to the type of filter rule. This shows GEN for generic, IP for TCP/IP.
  DISPLAY: [GEN] for Generic. [IP] for TCP/IP.

ABBREVIATION: Filter Rules
  DESCRIPTION: The filter rule parameters are displayed here (see the following).

ABBREVIATION: M
  DESCRIPTION: Refers to More. [Y] means an action cannot yet be taken as there are more rules to check, which are concatenated with the present rule to form a rule chain. When the rule chain is complete an action can be taken. [N] means you can now specify an action to be taken, i.e., forward the packet, drop the packet or check the next rule. For the latter, the next rule is independent of the rule just checked. If More is Yes, then Action Matched and Action Not Matched are N/A.
  DISPLAY: [Y] means there are more rules to check. [N] means there are no more rules to check.

ABBREVIATION: m
  DESCRIPTION: Refers to Action Matched. [F] means to forward the packet immediately and skip checking the remaining rules.
  DISPLAY: [F] means to forward the packet. [D] means to drop the packet. [N] means check the next rule.

ABBREVIATION: n
  DESCRIPTION: Refers to Action Not Matched. [F] means to forward the packet immediately and skip checking the remaining rules.
  DISPLAY: [F] means to forward the packet. [D] means to drop the packet. [N] means check the next rule.
The protocol dependent filter rule abbreviations are listed as follows:
- If the filter type is IP, the abbreviations listed in the following table are used.

Table 6-2 Abbreviations Used If Filter Type Is IP
ABBREVIATION   DESCRIPTION
Pr             Protocol
SA             Source Address
SP             Source Port number
DA             Destination Address
DP             Destination Port number

- If the filter type is GEN (generic), the abbreviations listed in the following table are used.

Table 6-3 Abbreviations Used If Filter Type Is GEN
ABBREVIATION   DESCRIPTION
Off            Offset
Len            Length

Refer to the next section for information on configuring the filter rules.
6.2.2 Configuring a Filter Rule
To configure a filter rule, type its number in Menu 21.1 - Filter Rules Summary and press the [Enter] key to open Menu 21.1.1 for the rule.
To speed up filtering, all rules in a filter set must be of the same class, i.e., protocol filters or generic filters.
The class of a filter set is determined by the first rule that you create. When applying the filter sets to a port, separate menu fields are provided for protocol and device filter sets. If you include a protocol filter set in a device filter field or vice versa, the Prestige warns you and you are not allowed to save.
6.2.3 TCP/IP Filter Rule
This section shows you how to configure a TCP/IP filter rule. TCP/IP rules allow you to base the rule on the fields in the IP and the upper layer protocol, e.g., UDP and TCP, headers.
To configure a TCP/IP rule, select TCP/IP Filter Rule from the Filter Type field and press the [Enter] key to open Menu 21.1.1.1 – TCP/IP Filter Rule, as shown in the following figure.
Menu 21.1.1 - TCP/IP Filter Rule
Filter #: 1,1
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6     IP Source Route= No
Destination: IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #= 137
             Port # Comp= Equal
Source:      IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #=
             Port # Comp= None
TCP Estab= No
More= No           Log= None
Action Matched= Drop
Action Not Matched= Check Next Rule
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.
Figure 6-3 Menu 21.1.1 – TCP/IP Filter Rule
The following table describes how to configure your TCP/IP filter rule.
Table 6-4 TCP/IP Filter Rule Menu Fields

FIELD: Active
  DESCRIPTION: This field activates/deactivates the filter rule.
  OPTION: Yes/No

FIELD: IP Protocol
  DESCRIPTION: Protocol refers to the upper layer protocol, e.g., TCP is 6, UDP is 17 and ICMP is 1. This value must be between 0 and 255.
  OPTION: 0 to 255

FIELD: IP Source Route
  DESCRIPTION: If Yes, the rule applies to packets with the IP source route option; else the packet must not have the source route option. The majority of IP packets do not have source route.
  OPTION: Yes/No

FIELD: Destination: IP Address
  DESCRIPTION: Enter the destination IP Address of the packet you wish to filter. This field is disregarded if it has a 0.0.0.0 value.
  OPTION: IP address

FIELD: Destination: IP Mask
  DESCRIPTION: Enter the IP mask to apply to the Destination: IP Addr.
  OPTION: IP address

FIELD: Destination: Port #
  DESCRIPTION: Enter the destination port of the packets that you wish to filter. The range of this field is 0 to 65535. This field is disregarded if it has a 0 value.
  OPTION: 0 to 65535

FIELD: Destination: Port # Comp
  DESCRIPTION: Select the comparison to apply to the destination port in the packet against the value given in Destination: Port #.
  OPTION: None/Less/Greater/Equal/Not Equal

FIELD: Source: IP Address
  DESCRIPTION: Enter the source IP Address of the packet you wish to filter. This field is disregarded if it has a 0.0.0.0 value.
  OPTION: IP Address

FIELD: Source: IP Mask
  DESCRIPTION: Enter the IP mask to apply to the Source: IP Addr.
  OPTION: IP Mask

FIELD: Source: Port #
  DESCRIPTION: Enter the source port of the packets that you wish to filter. The range of this field is 0 to 65535. This field is disregarded if it has a 0 value.
  OPTION: 0 to 65535

FIELD: Source: Port # Comp
  DESCRIPTION: Select the comparison to apply to the source port in the packet against the value given in Source: Port #.
  OPTION: None/Less/Greater/Equal/Not Equal

FIELD: TCP Estab
  DESCRIPTION: This field is applicable only when the IP Protocol field is 6, TCP. If Yes, the rule matches only established TCP connections; or else the rule matches all TCP packets.
  OPTION: Yes/No

FIELD: More
  DESCRIPTION: If Yes, a matching packet is passed to the next filter rule before an action is taken; or else the packet is disposed of according to the action fields. If More is Yes, then Action Matched and Action Not Matched are N/A.
  OPTION: Yes/No

FIELD: Log
  DESCRIPTION: Select the logging option from the following:
    - None – No packet is logged.
    - Action Matched – Only packets that match the rule parameters are logged.
    - Action Not Matched – Only packets that do not match the rule parameters are logged.
    - Both – All packets are logged.
  OPTION: None / Action Matched / Action Not Matched / Both

FIELD: Action Matched
  DESCRIPTION: Select the action for a matching packet.
  OPTION: Check Next Rule / Forward / Drop

FIELD: Action Not Matched
  DESCRIPTION: Select the action for a packet not matching the rule.
  OPTION: Check Next Rule / Forward / Drop
Once you have completed filling in Menu 21.1.1.1 - TCP/IP Filter Rule, press the [Enter] key at the message [Press Enter to Confirm] to save your configuration, or press the [Esc] key to cancel. This data is displayed on Menu 21.1.1 - Filter Rules Summary.
The following diagram illustrates the logic flow of an IP filter.
[Figure 6-4 is a flow diagram. Packet into IP Filter -> Filter Active? (No: Check Next Rule; Yes: continue) -> Apply SrcAddrMask to Src Addr, Check Src IP Addr -> Apply DestAddrMask to Dest Addr, Check Dest IP Addr -> Check IP Protocol -> Check Src & Dest Port. Any check Not Matched: Action Not Matched (Drop: Drop Packet; Forward: Accept Packet; Check Next Rule). All checks Matched: More? (Yes: Check Next Rule; No: Action Matched, which is Drop: Drop Packet, Forward: Accept Packet, or Check Next Rule).]
Figure 6-4 Executing an IP Filter
6.2.4 Generic Filter Rule
This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly.
For generic rules, the Prestige treats a packet as a byte stream as opposed to an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes. The Prestige applies the Mask (bit-wise ANDing) to the data portion before comparing the result against the Value to determine a match. The Mask and Value are specified in hexadecimal numbers. Note that it takes two hexadecimal digits to represent a byte, so if the length is 4, the value in either field takes 8 digits, e.g., FFFFFFFF.
To configure a generic rule, select Generic Filter Rule in the Filter Type field in Menu 21.3.1 and press the [Enter] key to open the Generic Filter Rule menu, as shown below.
Menu 21.3.1 - Generic Filter Rule
Filter #: 3,1
Filter Type= Generic Filter Rule
Active= No
Offset= 0
Length= 0
Mask= N/A
Value= N/A
More= No Log= None
Action Matched= Check Next Rule
Action Not Matched= Check Next Rule
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.
Figure 6-5 Menu 21.3.1 – Generic Filter Rule
The following table describes the fields in the Generic Filter Rule Menu.
Table 6-5 Generic Filter Rule Menu Fields
FIELD: Filter #
  DESCRIPTION: This is the filter set, filter rule coordinates, i.e., 2,3 refers to the second filter set and the third rule of that set.

FIELD: Filter Type
  DESCRIPTION: Use [space bar] to toggle between both types of rules. Parameters displayed below each type are different.
  OPTION: Generic Filter Rule / TCP/IP Filter Rule

FIELD: Active
  DESCRIPTION: Select Yes to turn on the filter rule.
  OPTION: Yes/No

FIELD: Offset
  DESCRIPTION: Enter the starting byte of the data portion in the packet that you wish to compare. The range for this field is from 0 to 255.
  OPTION: Default = 0

FIELD: Length
  DESCRIPTION: Enter the byte count of the data portion in the packet that you wish to compare. The range for this field is 0 to 8.
  OPTION: Default = 0

FIELD: Mask
  DESCRIPTION: Enter the mask (in Hexadecimal) to apply to the data portion before comparison.

FIELD: Value
  DESCRIPTION: Enter the value (in Hexadecimal) to compare with the data portion.

FIELD: More
  DESCRIPTION: If Yes, a matching packet is passed to the next filter rule before an action is taken; else the packet is disposed of according to the action fields. If More is Yes, then Action Matched and Action Not Matched are N/A.
  OPTION: Yes/No

FIELD: Log
  DESCRIPTION: Select the logging option from the following:
    - None – No packet is logged.
    - Action Matched – Only packets that match the rule parameters are logged.
    - Action Not Matched – Only packets that do not match the rule parameters are logged.
    - Both – All packets are logged.
  OPTION: None / Action Matched / Action Not Matched / Both

FIELD: Action Matched
  DESCRIPTION: Select the action for a matching packet.
  OPTION: Check Next Rule / Forward / Drop

FIELD: Action Not Matched
  DESCRIPTION: Select the action for a packet not matching the rule.
  OPTION: Check Next Rule / Forward / Drop
Once you have completed filling in Menu 21.4.1.1 – Generic Filter Rule, press the [Enter] key at the message [Press Enter to Confirm] to save your configuration, or press the [Esc] key to cancel. This data is now displayed on Menu 21.1.1 – Filter Rules Summary.
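As an added illustration (not from this manual or from ZyXEL firmware), the following Python models the Offset/Length/Mask/Value comparison of a generic rule as described above, including the two-hex-digits-per-byte rule for Mask and Value, the field ranges of Table 6-5, and the Active and action fields. The sample Ethernet frames are constructed, and it is assumed that Offset 0 is the first byte the rule sees.

```python
# Constructed model of the Generic Filter Rule (Menu 21.3.1); not ZyXEL code.
# Assumption: Offset 0 is the first byte of the frame as the rule sees it.

def parse_hex_field(text: str, length: int) -> int:
    """Mask and Value need exactly two hexadecimal digits per byte of Length."""
    if len(text) != 2 * length:
        raise ValueError(f"expected {2 * length} hex digits for Length={length}, got {text!r}")
    return int(text, 16)

def generic_rule_matches(packet: bytes, offset: int, length: int, mask: str, value: str) -> bool:
    """AND the Mask into Length bytes starting at Offset and compare with Value."""
    if not 0 <= offset <= 255:
        raise ValueError("Offset must be 0 to 255")
    if not 0 <= length <= 8:
        raise ValueError("Length must be 0 to 8")
    window = packet[offset:offset + length]
    if len(window) < length:
        return False                       # assumption: a packet too short to fill the window cannot match
    m = parse_hex_field(mask, length)
    v = parse_hex_field(value, length)
    return int.from_bytes(window, "big") & m == v

def generic_rule_action(packet: bytes, offset: int, length: int, mask: str, value: str,
                        action_matched: str = "N", action_not_matched: str = "N",
                        active: bool = True) -> str:
    """Return the m/n code (F forward, D drop, N check next rule) the rule yields."""
    if not active:
        return "N"                         # Figure 6-2: an inactive rule is skipped
    matched = generic_rule_matches(packet, offset, length, mask, value)
    return action_matched if matched else action_not_matched

# Constructed frames: 14-byte Ethernet header (broadcast dst MAC, src MAC, EtherType) plus padding.
IPX_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "8137") + b"\x00" * 30  # EtherType 0x8137 = IPX
IP_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"\x00" * 30   # EtherType 0x0800 = IP
```

A rule with Offset=12, Length=2, Mask=FFFF, Value=8137 selects IPX frames by EtherType, while Offset=0, Length=1, Mask=01, Value=01 selects every frame whose destination MAC has the group bit set (broadcast and multicast), which shows how the mask isolates single bits.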
6.3 Example Filter
Let us look at the third default ZyXEL filter, TELNET_WAN, as an example. This filter is designed to block outside users telnetting into the Prestige.
Figure 6-6 Telnet Filter Example
Step 1. Enter 21 from the Main Menu to open Menu 21 – Filter Set Configuration.
Step 2. Enter the index of the filter set you wish to configure (in this case, 3) and press the [Enter] key.
Step 3. Enter a descriptive name or comment in the Edit Comments field (in this case TELNET_WAN) and press the [Enter] key.
Step 4. Press the [Enter] key at the message: [Press ENTER to confirm] to open Menu 21.1.1 – Filter Rules Summary.
Step 5. Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in the following figure.
Menu 21.1.1 - TCP/IP Filter Rule
Filter #: 3,1
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6     IP Source Route= No
Destination: IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #= 23
             Port # Comp= Equal
Source:      IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #= 0
             Port # Comp= None
TCP Estab= No
More= No           Log= None
Action Matched= Drop
Action Not Matched= Forward
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.

Callouts in Figure 6-7:
- Filter Type: press the [space bar] to choose this filter rule type. The first filter rule type determines all subsequent filter types within a set.
- Active: select Yes to make the rule active.
- IP Protocol: 6 is the TCP protocol.
- Destination Port #: the port number for the telnet service (TCP protocol) is 23. See RFC 1700 for port numbers of well-known services.
- Destination Port # Comp: select Equal here as we are looking for packets going to port 23 only.
- More: there are no more rules to check.
- Action Matched: select Drop here so that the packet is dropped if its destination is the telnet port.
- Action Not Matched: select Forward here so that the packet is forwarded if its destination is not the telnet port.
Figure 6-7 Example Filter – Menu 21.1.1
When you press the [Enter] key to confirm, the following screen appears. Note that there is only one filter rule in this set.
Menu 21.2 - Filter Rules Summary
# A Type Filter Rules M m n
- - ---- --------------------------------------------------------------- - - -
1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23 N D F
2 N
3 N
4 N
5 N
6 N
Enter Filter Rule Number (1-6) to Configure: 1
This shows you that you have configured and activated (A = Y) a TCP/IP filter rule (Type = IP, Pr = 6) for destination telnet ports (DP = 23). M = N means an action can be taken immediately. The action is to drop the packet (m = D) if the action is matched and to forward the packet immediately (n = F) if the action is not matched, no matter whether there are more rules to be checked (there are not in this example).
Figure 6-8 Example Filter Rules Summary – Menu 21.1.3
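As an added illustration (not from this manual or from ZyXEL firmware), the following Python replays the rule-chain logic of Figures 6-2 and 6-4 and the m/n codes of Table 6-1 against the TELNET_WAN set just configured and the NetBIOS_WAN set of Figure 6-4, with the Port # Comp choices and address masks of Table 6-4. The Packet type, the field names and the handling of a failed More=Yes rule are assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import IPv4Address

# Constructed packet summary (not ZyXEL code): IP protocol (6 TCP, 17 UDP), addresses, ports.
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))

@dataclass
class IPRule:  # one TCP/IP filter rule as entered in Menu 21.1.1 (constructed model)
    proto: int
    dst: str = "0.0.0.0"    # 0.0.0.0: the address field is disregarded
    dmask: str = "0.0.0.0"
    dport: int = 0          # 0: the port field is disregarded
    dcomp: str = "None"     # None / Less / Greater / Equal / Not Equal
    src: str = "0.0.0.0"
    smask: str = "0.0.0.0"
    sport: int = 0
    scomp: str = "None"
    more: bool = False      # More=Yes chains this rule with the next one
    matched: str = "N"      # m: F forward, D drop, N check next rule
    not_matched: str = "N"  # n: same codes
    active: bool = True

def _addr_ok(pkt_addr, rule_addr, mask):
    if rule_addr == "0.0.0.0":
        return True
    m = int(IPv4Address(mask))       # Figure 6-4: apply the mask, then compare
    return int(IPv4Address(pkt_addr)) & m == int(IPv4Address(rule_addr)) & m

def _port_ok(pkt_port, rule_port, comp):
    if comp == "None" or rule_port == 0:
        return True
    return {"Less": pkt_port < rule_port, "Greater": pkt_port > rule_port,
            "Equal": pkt_port == rule_port, "Not Equal": pkt_port != rule_port}[comp]

def rule_matches(rule, pkt):
    """Figure 6-4: masked source and destination address, protocol, then ports."""
    return (_addr_ok(pkt.src, rule.src, rule.smask) and _addr_ok(pkt.dst, rule.dst, rule.dmask)
            and rule.proto == pkt.proto and _port_ok(pkt.sport, rule.sport, rule.scomp)
            and _port_ok(pkt.dport, rule.dport, rule.dcomp))

def run_set(rules, pkt):
    """Return 'F'/'D', or 'N' if undecided; a failed More=Yes rule takes the chain end's n (assumption)."""
    chain_ok = True                  # running result of a More=Yes chain
    for rule in rules:
        if not rule.active:          # Figure 6-2: an inactive rule is skipped
            continue
        chain_ok = chain_ok and rule_matches(rule, pkt)
        if rule.more:                # action deferred; m and n are N/A here
            continue
        action = rule.matched if chain_ok else rule.not_matched
        chain_ok = True              # the next rule is independent again
        if action in ("F", "D"):     # F/D end the search, N checks the next rule
            return action
    return "N"

def filter_packet(sets, pkt):
    """Cascade up to four sets on one port (Menu 3.1 / 11.5); no decision means accept."""
    return next((v for v in (run_set(s, pkt) for s in sets[:4]) if v != "N"), "F")
# Factory defaults as summarised in Figure 6-4 (NetBIOS_WAN) and Figure 6-8 (TELNET_WAN).
NETBIOS_WAN = [IPRule(proto=p, dport=d, dcomp="Equal", matched="D",
                      not_matched="F" if (p, d) == (17, 139) else "N")
               for p in (6, 17) for d in (137, 138, 139)]
TELNET_WAN = [IPRule(proto=6, dport=23, dcomp="Equal", matched="D", not_matched="F")]
```

Because rule 6 of NetBIOS_WAN forwards on no match, a set cascaded after it on the same port is never consulted for non-NetBIOS packets, so the order in which sets are listed in Menu 3.1 or 11.5 matters.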
After you have created the filter set, you must apply it.
Step 1. Enter 11 from the main menu to go to Menu 11.
Step 2. Go to the Edit Filter Sets field, press [space bar] to toggle Yes to No and press the [Enter] key.
Step 3. This brings you to Menu 11.5. Apply the TELNET_WAN filter set (filter set 3) as shown in Figure 6-10.
6.4 Applying a Filter and Factory Defaults
This section shows you where to apply the filter(s) after you designed it (them). Three sets of factory default filter rules have been configured in Menu 21 to prevent NetBIOS traffic from triggering calls and to prevent incoming telnetting.
6.4.1 Ethernet Traffic
You seldom need to filter Ethernet traffic; however, the filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Go to Menu 3.1 (shown below) and enter the number(s) of the filter set(s) that you want to apply as appropriate. You can choose up to four filter sets (from twelve) by entering their numbers separated by commas, e.g., 3, 4, 6, 11. Input filter sets filter incoming traffic to the Prestige and Output filter sets filter outgoing traffic from the Prestige. The factory default set, NetBIOS_LAN, is inserted in the protocol filters field under Input Filter Sets in Menu 3.1 to block NetBIOS traffic to the Prestige from the LAN.
Menu 3.1 – General Ethernet Setup
Input Filter Sets:
  protocol filters= 2
  device filters=
Output Filter Sets:
  protocol filters=
  device filters=
Press ENTER to Confirm or ESC to Cancel:

Callout in Figure 6-9: the entry protocol filters= 2 under Input Filter Sets is the Factory Default Filter.
Figure 6-9 Filtering Ethernet Traffic
6.4.2 Remote Node Filters
Go to Menu 11.5 (shown below) and enter the number(s) of the filter set(s) as appropriate. You can cascade up to four filter sets by entering their numbers separated by commas. The factory default filter set, NetBIOS_WAN, is inserted in the protocol filters field under Call Filter Sets in Menu 11.5 to block local NetBIOS traffic from triggering calls to the ISP. Filter set three, Telnet_WAN, blocks telnet connections from the WAN Port to help prevent security breaches. When you cannot connect using telnet service from the WAN Port, you can disable the telnet filter in Menu 4.1.
Menu 11.5 - Remote Node Filter
Input Filter Sets:
protocol filters=
device filters=
Output Filter Sets:
protocol filters=
device filters=
Figure 6-10 Filtering Remote Node Traffic
Key features
- IDSL support (up to 128 kbps)
- Integrated 4-port Ethernet hub
- PPP security (PAP, CHAP)
- DHCP for automatic IP address assignment
- Data compression (Stac)
- Single User Account (SUA) for multiple users
- SNMP network management support
- Telnet configuration and capabilities
- Firmware upgrade via LAN