[Top] [Prev] [Next] [Bottom]

Using Dynamic IP Filters

This document describes dynamic IP filters and how to set them up. It also provides information on entering filter commands. It includes the following sections:

Introducing Dynamic IP Filters

Entering IP Filtering Commands

Introducing Dynamic IP Filters

IP filters start by blocking all traffic. You then create a collection of filters to allow specific traffic based on your organization's security policy.

A unique feature of IP dynamic filters is that the filters can dynamically allow access to specific network resources on a session-by-session basis. These dynamic filters can apply to individual users, workgroups, departments, branch offices, or all users. In this document, the process of dynamic IP filtering is referred to as GTSecure.

When you use IP filters with user authentication schemes, you can grant special access privileges to specific users from remote sites. For example, a user who is temporarily away from the office can dial in from a different host and go through an authentication process. Once the user is authenticated, GTSecure installs the filters that you have already set up for that user.

You can also allow internal clients to access services outside your corporate network and create filters that the software installs automatically to allow responses back in to your corporate network.

Once you set up your filters, you can test and troubleshoot them using Event Logging System (ELS) messages. You can also set up filters to generate ELS messages.

Profile Overview

A profile implements a policy that controls access to your network. You can set up profiles to provide access to specific resources in a private network for a user or group of users. You can also set up profiles that let users inside your private network have access to public networks, while keeping your private network secure.

There are two types of profiles:

Static profiles are profiles that you associate with an interface. The interface consults the filters in its associated profiles on each incoming and outgoing packet.

You can associate a profile with multiple interfaces, letting you easily use a profile on a router with many interfaces.
Dynamic profiles are profiles that the software installs when a user is authenticated. In such cases, the authenticator may supply information to complete certain address components of filters in the profile. For example, a filter can include a source address that the authenticator fills in with the user's actual IP address.

You can set timeout values for dynamic profiles. See the add profile command.

Filter Overview

A profile contains a collection of filters. A filter has attributes that describe the types of packets it recognizes, and it takes action when it recognizes a packet.

Filters can contain still more filters. When a filter contains other filters, it is called a parent filter and the filters it contains are called child filters.

Like profiles, there are two types of filters:

Static filters are filters that the software installs when it installs a profile.
Dynamic filters are copies of child filters that the software installs into the running system. When a parent filter recognizes a packet, it installs copies of its child filters. This is in addition to the other actions defined for the parent filter.

When a parent filter installs a child filter, the parent may replace certain components of the child filter, such as addresses, with values from the recognized packet. Such parent and child groups are what makes the system dynamic. The filtering system, by monitoring data flows, can modify itself and dynamically learn what it should be doing from moment to moment.

GTSecure compares packets to filters and profiles in the following order:

: 1. Dynamic filters, which are copies of child filters that parent filters have installed into the running system.
: 2. Dynamic profiles, which the software installs when a user is authenticated.
: 3. Static profiles, which are profiles that you attach to an interface.

Filter Properties

A filter includes various properties that are grouped as follows:

Table 1 Properties of a Filter

Group Description

Pattern Matchers Determine which packets the filter recognizes.

Idle Timer Removes the filter when the timer expires.

Actions Cause a filter to pass, block, or ignore the packet, edit the DF bit in the packet, generate ELS messages, install more filters, or remove itself.

Table 1 Properties of a Filter
Group	Description
Pattern Matchers	Determine which packets the filter recognizes.
Idle Timer	Removes the filter when the timer expires.
Actions	Cause a filter to pass, block, or ignore the packet, edit the DF bit in the packet, generate ELS messages, install more filters, or remove itself.

Pattern Matchers

All filters can have the following pattern matching properties:

Table 2 Pattern Matchers

Property Description

Direction Sets the direction of the filter on the interface. You can filter inbound packets, outbound packets, or set up one filter to cover both inbound and outbound packets.

Packet Type Filters with the protocol set to TCP or ICMP can specify the packet type, which allows matching a specific type of packet, for example, a TCP Syn (connect request).

Protocol Allows matching a specific protocol.

Source and Destination Address Matches IP addresses and masks. You can

Add multiple source and destination addresses, making it possible, for example, to create a single filter to pass packets destined for HostA, HostC, and HostX.

Add a range of source or destination addresses, allowing you to create a filter for a subnet or for a group of hosts within a range of addresses.

Set up the filter to copy the actual IP address of the authenticated user.

Set up child filters to copy the destination or source address from the packet that the parent recognized.

Source and Destination Port Filters with the protocol set to TCP or UDP can include source and destination ports. You can

Add multiple source and destination ports. For example, you can create a single filter that passes FTP, Telnet, and HTTP traffic. Combined with the list of addresses, you can create a filter that passes FTP, Telnet, and HTTP to HostA, HostC, or HostX.

Set up child filters to copy the source or destination port from the packet that the parent recognized.

Table 2 Pattern Matchers
Property	Description
Direction	Sets the direction of the filter on the interface. You can filter inbound packets, outbound packets, or set up one filter to cover both inbound and outbound packets.
Packet Type	Filters with the protocol set to TCP or ICMP can specify the packet type, which allows matching a specific type of packet, for example, a TCP Syn (connect request).
Protocol	Allows matching a specific protocol.
Source and Destination Address	Matches IP addresses and masks. You can Add multiple source and destination addresses, making it possible, for example, to create a single filter to pass packets destined for HostA, HostC, and HostX. Add a range of source or destination addresses, allowing you to create a filter for a subnet or for a group of hosts within a range of addresses. Set up the filter to copy the actual IP address of the authenticated user. Set up child filters to copy the destination or source address from the packet that the parent recognized.
Source and Destination Port	Filters with the protocol set to TCP or UDP can include source and destination ports. You can Add multiple source and destination ports. For example, you can create a single filter that passes FTP, Telnet, and HTTP traffic. Combined with the list of addresses, you can create a filter that passes FTP, Telnet, and HTTP to HostA, HostC, or HostX. Set up child filters to copy the source or destination port from the packet that the parent recognized.

Idle Timer

A child filter can have an idle timeout associated with it. If the filter does not recognize a packet within a specified interval, it deletes itself.

Actions

A filter has components that specify what the filter does upon recognizing a packet.

Table 3 Actions

Property Description

Action Causes the filter to pass, block, or ignore the packet.

Delete Causes a dynamic filter to delete itself from the runtime filter list. This does not delete the filter from the configuration database.

Edit Causes the filter to edit a packet. The DF bit override is the only editing action available for IP filters.

ELS Event Causes the filter to generate an ELS event. There are ten user-defined events set aside for IP filters.

Table 3 Actions
Property	Description
Action	Causes the filter to pass, block, or ignore the packet.
Delete	Causes a dynamic filter to delete itself from the runtime filter list. This does not delete the filter from the configuration database.
Edit	Causes the filter to edit a packet. The DF bit override is the only editing action available for IP filters.
ELS Event	Causes the filter to generate an ELS event. There are ten user-defined events set aside for IP filters.

Entering IP Filtering Commands

IP Filtering Prompts

IP filtering commands are available at the IP Filters Config> prompt and the IP Filters> prompt. This section explains the differences between these two prompts.

At the IP Filters Config> prompt, changes that you make to the filter configuration are saved in the router's configuration memory. These changes do not take effect until you restart the router.

Display the IP Filters Config> prompt as follows:

*config

Config>PROTOCOL ip
Internet protocol user configuration

IP config>FILTERS

IP Filters Config>

At the IP Filters> prompt, changes that you make to the filter configuration take effect immediately. Unless you explicitly save your changes using the save command, they are not saved when you restart the router.

Display the IP Filters> prompt as follows:

*monitor

Monitor>protocol ip

IP>filters

IP Filters>

Entering Profile and Filter Names

Use the following rules as you enter profile and filter names:

Names are not case sensitive, but the software displays the case as you entered it.
Names that you enter without double quotation marks can consist of any printable character except a hyphen, space, tab, period, question mark, asterisk, comma, or double quotation marks.
Names that you enclose in double quotation marks can include any printable character except a tab, question mark, or double quotation marks.
Specify names by entering the profile name followed by the filter name. Enter child filter names after the parent filter name. When you enter a filter name, you must first specify the profile name and, if applicable, the parent filter name. Separate the names using a period. For example:
```
IP Filter Config>add filter Firewall.Client.WEB 
```
In this example, Firewall is the profile name, Client is the filter name, and WEB is the child filter name.

Configuring IP Filters

This section shows the basic steps to create an IP filter. For more information on each command, see IP Filter Commands. For detailed examples of creating IP filters, see Creating a Network Security Firewall.

1. Display either the IP Filters Config> prompt or the IP Filters> prompt as described in IP Filtering Prompts. This example uses the IP Filters Config> prompt.

2. Create a profile and optionally set timeout properties.

IP Filters Config>add profile firewall

IP Filters Config>add profile ftp exp=7200 idle=600

3. To make a profile static, attach it to an interface.

IP Filters Config>set interface 1 profile=firewall

Note: Attaching empty profiles to an interface blocks all activity until you add filters that allow specific traffic.

4. To reduce keystrokes, use the scope command. This command causes all subsequent commands to apply to the profile or filter on which you are working.

IP Filters Config>scope firewall
IP Filters Config firewall>

5. Add a filter to the profile and set properties.

IP Filters Config firewall>add filter webout dir=out source=162.2.0.2

6. While you are building a filter, you can list it to see its current properties.

IP Filters Config firewall>list filter webout
Listing Filters
Name             Dir  Address            Port          Protocol    Idle
                                                             Action
-----------------------------------------------------------------------
webout           Out  sa=162.2.0.2                     Any  Pass   Off

7. Using the set filter command, you can change or add to a filter's properties, as needed.

IP Filters Config firewall>set filter webout sport=HTTP
IP Filters Config firewall>list filter webout
Listing Filters
Name               Dir  Address          Port          Protocol    Idle
                                                              Action
-----------------------------------------------------------------------
webout             Out  sa=162.2.0.2    sp=HTTP(80)   TCP  Pass   Off

8. If you scoped a profile or filter, use unscope to return to the previous prompt.

IP Filters Config firewall>unscope
IP Filters Config>

9. If you set up the filters at the configuration prompt, restart the router for your configuration to take effect.

IP Filters Config>exit
IP config>exit
Config> CTRL P
*restart

If you set up the filters at the monitoring prompt, the filters take effect immediately. Use the save command to make the changes permanent.

IP Filters>save

IP Filter Commands

Table 4 describes the filter commands. Press the space bar after you type a command to display the available options for each command.

See Entering IP Filtering Commands for instructions on entering profile and filter names.

[C] means the command is available at the IP Filters Config> prompt.

[M] means the command is available at the IP Filters> prompt.

Table 4 IP Filter Commands

Command Function

Add Filter [C] [M] Creates a new filter.

Add Profile [C] [M] Creates a new profile.

Delete Filter [C] [M] Removes the specified filter from the configuration.

Delete Profile [C] [M] Removes the specified profile from the configuration.

Install Profile [M] Manually installs dynamic profiles.

List Attached [C] [M] Displays the profiles that are attached to each interface or to a specific interface.

List Filter [C] [M] Displays filters and their properties. You can display all filters, all filters in a profile, or all filters under a parent filter.

List Interface [C] [M] Displays the profiles that are attached to each interface followed by a list of filters attached to each interface. Also displays profiles and filters attached to a specific interface.

List Profile [C] [M] Displays all profiles and their properties or a specific profile and its properties.

Rename Filter [C] [M] Changes the name of a filter.

Rename Profile [C] [M] Changes the name of a profile.

Revert [M] Restores current configuration from permanent memory.

Save [M] Saves current (running) configuration to permanent memory.

Scope [C] [M] Applies subsequent commands to the specified profile or filter, eliminating the need to retype the profile or parent filter name when you are working on a filter.

Set Filter [C] [M] Changes or adds to the parameters of a filter. Uses the same options as add filter.

Set Interface [C] [M] Statically attaches profiles to an interface or detaches profiles from an interface.

Set Profile [C] [M] Changes or adds to the parameters of a profile. Uses the same options as add profile.

Status [M] Shows runtime status of installed dynamic profiles and dynamic filters.

Unscope [C] [M] Reverts the scope to the previous scope.

Exit [C] [M] Returns to the previous prompt.

Table 4 IP Filter Commands
Command	Function
Add Filter [C] [M]	Creates a new filter.
Add Profile [C] [M]	Creates a new profile.
Delete Filter [C] [M]	Removes the specified filter from the configuration.
Delete Profile [C] [M]	Removes the specified profile from the configuration.
Install Profile [M]	Manually installs dynamic profiles.
List Attached [C] [M]	Displays the profiles that are attached to each interface or to a specific interface.
List Filter [C] [M]	Displays filters and their properties. You can display all filters, all filters in a profile, or all filters under a parent filter.
List Interface [C] [M]	Displays the profiles that are attached to each interface followed by a list of filters attached to each interface. Also displays profiles and filters attached to a specific interface.
List Profile [C] [M]	Displays all profiles and their properties or a specific profile and its properties.
Rename Filter [C] [M]	Changes the name of a filter.
Rename Profile [C] [M]	Changes the name of a profile.
Revert [M]	Restores current configuration from permanent memory.
Save [M]	Saves current (running) configuration to permanent memory.
Scope [C] [M]	Applies subsequent commands to the specified profile or filter, eliminating the need to retype the profile or parent filter name when you are working on a filter.
Set Filter [C] [M]	Changes or adds to the parameters of a filter. Uses the same options as add filter.
Set Interface [C] [M]	Statically attaches profiles to an interface or detaches profiles from an interface.
Set Profile [C] [M]	Changes or adds to the parameters of a profile. Uses the same options as add profile.
Status [M]	Shows runtime status of installed dynamic profiles and dynamic filters.
Unscope [C] [M]	Reverts the scope to the previous scope.
Exit [C] [M]	Returns to the previous prompt.

Add Filter [C] [M]

Creates a new filter and lets you assign properties to the filter. You can change or add to these properties later using the set filter command. The add filter and set filter commands use the same options.

You can add one or more filters to a profile and one or more child filters to a filter. See Entering Profile and Filter Names for instructions on entering profile and filter names. Use the scope command to add filters without retyping the profile or parent filter name in each entry.

Syntax: add filter profilename.filtername

Example: add filter External.client

Add child filters by entering the profile name followed by the name of the parent filter followed by the name of the child filter. Use periods to separate each name.

Syntax: add filter profilename.filtername.child-filtername

Example: add filter tftp.out.client

You can use the following filter options with either the add filter command or the set filter command. You can enter the options in almost any order, with some exceptions. For example, you cannot specify the packet type until the software identifies the protocol. These requirements are noted where relevant.

action

Defines the action that the filter takes when it recognizes a packet.

Parent filters always install child filters regardless of whether the parent filter passes, blocks, or ignores the packet.

The default is pass.

Syntax: action=

pass
block
ignore

Example: add filter tftp.client action=block

Entry Description

pass Forwards the packet and does not compare the packet to any other filters.

block Drops the packet and does not compare the packet to any other filters.

ignore Does not make a decision about passing or blocking the packet. The software continues to compare the packet to other filters in the profile. This option is useful for filters that generate ELS messages.

Entry	Description
pass	Forwards the packet and does not compare the packet to any other filters.
block	Drops the packet and does not compare the packet to any other filters.
ignore	Does not make a decision about passing or blocking the packet. The software continues to compare the packet to other filters in the profile. This option is useful for filters that generate ELS messages.

after

Specifies the position of the filter within the profile or parent filter. You can place the filter after a specific filter in the list or at the end of the list.

As the default, the software adds new filters to the end of the list.

Syntax: after=

filtername
*


Entry	Description
filtername	Places the filter after this filter.
*	Places the filter at the end of the list.

The following example results in the list client1, client4, client3, client2:

Example:

add profile external
scope external
add filter client1
add filter client2
add filter client3
add filter client4 after=client1
set filter client2 after=*
list filter

Listing Filters
Name                Dir  Address            Port          Protocol    Idle
                                                               Action
---------------------------------------------------------------------------
client1             In                                    Any  Pass   Off
client4             In                                    Any  Pass   Off
client3             In                                    Any  Pass   Off
client2             In                                    Any  Pass   Off

before

Specifies the position of the filter within the profile or parent filter. You can place the filter before a specific filter in the list or at the beginning of the list.

As the default, the software adds new filters to the end of the list.

Syntax: before=

filtername
*


Entry	Description
filtername	Places the filter before this filter.
*	Places the filter at the beginning of the list. If the filter is a child filter, this option moves the child filter to the beginning of the list of associated child filters.

The following example results in the list client4, client1, client3, client2:

Example:

add profile firewall
scope firewall
add filter client1
add filter client2
add filter client3
add filter client4 before=*
set filter client3 before=client2
list filter

Listing Filters
Name                Dir  Address            Port          Protocol    Idle
                                                               Action
---------------------------------------------------------------------------
client4             In                                    Any  Pass   Off
client1             In                                    Any  Pass   Off
client3             In                                    Any  Pass   Off
client2             In                                    Any  Pass   Off

delete

Causes a dynamic filter to uninstall itself after recognizing a packet and installing any child filters. This option applies only to child filters that have been dynamically installed in the running system. The filter removes itself from the runtime filter list, not from the configuration database. The default is off.

This is a special action that is useful to create one-time filters that install child filters. It is also useful for filters that are needed only for a single packet. For example, if you want to accept an inbound RADIUS message only if a corresponding outbound RADIUS request was just made, you could create parent and child filters as follows:

IP Filters Config>add filter open.radout dir=out protocol=udp dp=1645
IP Filters Config>add filter open.radout.response dir=in source=dest dest=source sport=dport dport=sport delete=on

Syntax: delete=

on
off

Example: add filter allow.ftpclient.in delete=on

destination or da or dst

Replaces, adds, or removes one or more destination addresses.

You can specify one address, a range of addresses, or a list of addresses. If you do not specify a mask, the software uses a default mask.

You can configure a single filter to screen packets sent to multiple destinations. For example, you can set up a filter to pass packets destined for HostA, HostC, and HostX.

Enter . . . To . . .

destination= Replace existing destination addresses.

destination+= Add one or more destination addresses.

destination-= Remove one or more destination addresses.

Enter . . .	To . . .
destination=	Replace existing destination addresses.
destination+=	Add one or more destination addresses.
destination-=	Remove one or more destination addresses.

destination=ipaddress
ipaddress&mask
ipaddress-ipaddress
ipaddress-ipaddress&mask
list
source
destination
authenticator


Entry	Description
ipaddress	One address with a default mask of 255.255.255.255.
ipaddress&mask	One address and a mask.
ipaddress-ipaddress	A range of addresses with a default mask of 255.255.255.255.
ipaddress-ipaddress&mask	A range of addresses and a mask.
list	Any of the above in a comma-separated list. For example: 128.185.50.0,128.185.55.0,128.185.27.2
source (sa)	Applies only to child filters. When the parent filter recognizes a packet and installs the child filter, the software fills in the destination address with the source address (sa) of the packet that the parent recognized.
destination (da)	Applies only to child filters. When the parent filter recognizes a packet and installs the child filter, the software fills in the destination address with the destination address (da) of the packet that the parent recognized.
authenticator	Causes the authenticator to fill in the destination address with the user's actual IP address. Applies only to dynamic profiles.

Example: add filter External_Client.out dest=128.185.22.0- 128.185.25.0&255.255.255.0

Example: add filter External_Client.in dest=authenticator

DFbit

Sets the DF bit to zero (off) or one (on) or ignores the state of the bit, leaving it untouched. Combining the DF bit filter override option with filters that recognize patterns allows a network administrator great flexibility in solving DF bit related problems (see Creating Filters that Override the DF Bit in IP Packets). The default value is to ignore the DF bit.

To configure the DF bit override filter, set the DFbit option to on, off, or ignore.

Syntax: DFbit=

on
off
ignore


Entry	Description
on	Sets the DF bit, preventing fragmentation of oversized packets.
off	Turns off the DF bit, allowing fragmentation of oversized packets.
ignore	Ignores the state of the DF bit in each packet, leaving it untouched.

Example: add filter firewall.webOutDFfilter dport=80 DFbit=off action=ignore

Some web browsers set the DF bit by default. When a browser accesses a web server on the far side of an IPSEC tunnel, the IPSEC overhead may increase the size of packets to the point where they need to be fragmented in order to enter the IPSEC tunnel. This example creates a filter that recognizes web traffic by its destination port number, 80, and forces its DF bit to off.

Example: add filter firewall.webInDFfilter sport=80 DFbit=off action=ignore

This example turns the DF bit off in traffic returning from the web server to the browser.

direction or dir

Specifies the direction of the traffic to which the filter applies.

The default direction for a newly added child filter is the opposite of the parent filter. Once the software installs a child filter into the running system, the direction of the child filter does not change, even if you change the parent filter's direction. The default for static filters is in.

When you have complementary filters, you can set up one filter that applies to both incoming and outgoing packets. Two filters are complementary if they are identical except that one is for inbound packets and one is for outbound packets and that source and destination addresses and ports, if any, of the inbound filter are the same, but reversed, in the outbound filter.

Keep the following in mind when you create a filter to work in both directions:

When you add properties that relate to a packet's direction, such as source and destination addresses or ports or certain ICMP packet types, enter the information as it relates to inbound packets.
When the software applies the filter to outgoing packets, it switches the source and destination information before it applies the filter.
When you create a filter that handles ICMP echo request and echo reply packet types, the software assumes that you want the opposite packet type in the outbound direction. This is unique to ICMP packet types.

For example, the following filter allows ICMP echo replies in to network 162.1.0.0 and echo requests out from network 162.1.0.0. This means that users on network 162.1.0.0 can run Ping from network 162.1.0.0 to addresses outside a firewall, but users outside the firewall cannot run Ping in to network 162.1.0.0.

IP Filters Config>add filter allow.ping dir=both source=162.1.0.0&255.0.0.0 protocol=icmp ptype=echo reply

When the software compares this filter to outgoing packets, it looks for a destination address of 162.1.0.0&255.0.0.0 and a packet type of echo request.

Syntax: direction=

in
out
both


Entry	Description
in	Recognizes inbound traffic.
out	Recognizes outbound traffic.
both	Recognizes both inbound and outbound traffic.

Example: add filter Internal.Response direction=in

dport or dp

Replaces, adds, or deletes one or more destination ports for the filter to recognize. You can set ports only for TCP and UDP protocols. You cannot mix TCP and UDP ports in the same filter.

To specify a port, enter the port name or port number. The software recognizes certain well-known ports that you can enter by their name. Enter dport= ? to see a list of well-known port names.

If you enter a

Port number, you must first set the protocol to TCP or UDP.
Well-known port name, the software automatically sets the protocol correctly. However, if you enter a well-known port name that can apply to either TCP or UDP, such as DNS, ECHO, or NTP, you must first set the protocol to TCP or UDP.

Note: The following examples of entering destination ports are correct because the software recognizes HTTP as a TCP port and immediately sets the protocol to TCP.
```
   dport=http,dns
   dport=http,20-21
```


Enter . . .	To . . .
dport=	Replace existing destination ports.
dport+=	Add one or more destination ports.
dport-=	Remove one or more destination ports.

Syntax: dport=

name
number
number-number
list
transient
dport
sport


Entry	Description
name	The name of a well-known port.
number	One port number.
number-number	A range of port numbers.
list	A list of port names, numbers, or ranges of port numbers in a comma-separated list.
transient	A port number that is temporarily assigned to a client application. Some protocols, such as FTP and TFTP, use transient ports to establish connections between servers.
dport	Applies only to child filters. Copies the destination port number from the packet that the parent filter recognized.
sport	Applies only to child filters. Copies the source port number from the packet that the parent filter recognized.

The following examples show how to enter destination ports using well-known port names or numbers. All examples have the same result. Remember, if you enter only port numbers, you need to identify the protocol first.

Example: add filter internal.client dport=ftp,telnet,smtp

Example: add filter internal.client dport=ftp,23,25

Example: add filter internal.client protocol=tcp dport=20-21,23,25

elsevent or els

Causes the filter to generate an ELS event when it recognizes a packet. Use this option to log specific network activity and to test filters to see if they are working as you expected. You can customize 10 ELS event types (1-10) for IP filters. You can assign an ELS event number to more than one filter.

The elstext option, described below, lets you add text that appears with the ELS message.

For instructions on how to display ELS messages, see Testing and Troubleshooting IP Filters.

Syntax: elsevent=

1 through 10
on
off


Entry	Description
1 through 10	Assign a number to the ELS event. When you display these events, they correspond to ELS messages FLT.11 through FLT.20. You can assign an ELS event number to more than one filter.
on	Turns on the custom ELS events for this filter.
off	Turns off the custom ELS events for this filter. Setting elsevent to 0 also turns off the custom ELS events.

Example: add filter external.in elsevent=8

elstext

When you set up a filter to generate an ELS message, you can include text to describe the event.

You can use the following variables in the text. When the software generates an ELS message, it substitutes the variable with the actual information.

%a
Source Address

%A
Destination Address

%p
Source Port

%P
Destination Port

%d
Direction

%r
Protocol

%t
Packet Type

%a	Source Address
%A	Destination Address
%p	Source Port
%P	Destination Port
%d	Direction
%r	Protocol
%t	Packet Type

Be sure to put double quotation marks around the text.

Syntax: elstext="text"

Example: add filter external.in elsevent=8 elstext= "packet from %a going to %A blocked"

When this filter recognizes a packet, it generates a message similar to this:

FLT.018 IPDF-8 packet from 128.185.22.2 going to 162.1.1.8 blocked

idle

Limits how long a dynamic filter can remain installed without recognizing any packets. When a filter opens a security hole, it is advisable to remove the filter when you no longer need it. If the filter does not recognize a packet within this time period, the filter uninstalls.

Setting the idle timeout to zero (0) turns off the idle timeout. Setting the idle timeout to a nonzero value turns on the idle timeout. You can also turn the idle timeout on or off without changing the set value. The default is off.

Syntax: idle=

#-of-seconds
on
off


Entry	Description
#-of-seconds	Number of seconds a dynamic filter can remain installed without recognizing any packets.
on	Turns on the idle timer.
off	Turns off the idle timer.

Example: add filter tftp.response.out idle=60

issize

Sets the filter to detect packets of a specific size, where the size is a single number or a range of numbers (#bytes-#bytes) that expresses the length of the packet in bytes. Possible values for #bytes are in the range of 0 to 65,535. If you set the value to 0, the issize recognizer is removed from the filter, in effect turning issize off.

You can use the packet size recognizer in combination with a tag to classify a packet. The size recognizer is also useful with policy routing (see Using Policy Routing to select an egress interface based upon packet size or to give priority treatment to small packets.

Syntax: issize=size

Example: add filter myprofile.small issize = 1-80 tag=10 action=ignore

istod

Sets the filter to detect the time of day for a packet. The filter actually looks at the current time of day on the router when the packet is forwarded, rather than looking in the packet.

You enter a start time and an end time of the form hours:minutes:seconds, and only hours are required. Hours is a number in the range 0 through 23. Minutes is a number in the range 0 through 59, and seconds is a number in the range 0 through 59. If you set the value to 0 (not 00:00:00), the istod recognizer is removed from the filter, in effect turning it off.

You can use this filter with a tag to classify a packet, or you can use it with other recognizers to discard and pass packets based upon time of forwarding.

Syntax: istod=start_tod - end_tod

Example: add filter myprofile.offpeak istod=17:00:00-8:00:00 sa=192.168.1.1 action=block

Example: add filter myprofile.onpeak istod=8-17 tag=13 action=ignore

istag

Sets the filter to detect packets that the filter software tagged. See tag. You can enter a tag number between 0 (zero) and 64.

Syntax: istag=number

Example: add filter External.Client istag=12

protocol

Sets the filter to recognize certain protocols.

The software recognizes certain well-known protocols that you can enter by name. Enter protocol=? to see a list of well-known protocol names. You can also enter a protocol number or any, to recognize all protocols. You cannot enter a range of numbers or a list of comma-separated names or numbers.

If a filter has any source or destination ports defined, you cannot change the protocol.

By default, the software creates child filters with the same protocol(s) as specified in the parent.

Syntax: protocol=

name
number
any


Entry	Description
name	The name of a well-known protocol.
number	A protocol number.
any	Recognizes any protocol.

Example: add filter firewall.ftpclient protocol=tcp

ptype or pt

For TCP or ICMP protocols, specifies the type of packet for the filter to recognize. The software must identify the protocol before you set the packet type. You cannot set a packet type if you set the protocol to any.

To see a list of packet types available for the protocol specified in a filter, enter ptype=?. For example, enter the following to see TCP packet types:

IP Filters Config>add filter webaccess protocol=tcp ptype= ?
 Matches the packet type.
The choices/prefixes are (a complete list):
 Any
 DAT
 ACK
 ACK*
 FIN
 FIN+ACK
 PSH+ACK
 RST
 SYN
 SYN+ACK

Note: The packet type ACK* recognizes an acknowledgment packet plus any other type of TCP packet.

To see ICMP packet types, enter the following:

IP Filters Config>add filter allow.ping protocol=icmp ptype= ?
 Matches the packet type.
The choices/prefixes are (a complete list):
 Any
 Addr Mask Request
 Addr Mask Reply
 Dest Unreachable
 Echo Request
 Echo Reply
 Parameter Problem
 Ping
 Redirect
 Source Quench
 Time Exceeded
 Timestamp Request
 Timestamp Reply

Note: Ping is a special packet type that recognizes both Echo Request and Echo Reply packets.

Syntax: ptype=

packettype
any


Entry	Description
packettype	Enter a specific packet type.
any	Recognizes any packet type.

Example: add filter internal.user protocol=icmp ptype=ping

source or src or sa

Replaces, adds, or removes one or more source addresses. You can specify one address, a range of addresses, or a list of addresses. Each address includes either a default mask or a user-specified mask.


Enter . . .	To . . .
source=	Replace existing source addresses.
source+=	Add one or more source addresses.
source-=	Remove one or more source addresses.

See the destination option for more information on how to enter addresses.

Syntax: source=

ipaddress
ipaddress&mask
ipaddress-ipaddress
ipaddress-ipaddress&mask
list
source
destination
authenticator

Example: add filter External_Client.in source=128.185.22.0- 128.185.25.0&255.255.255.0

Example: add filter External_Client.out source=destination

sport or sp

Replaces, adds, or removes one or more source ports for the filter to recognize. See the dport option for information on entering ports.


Enter . . .	To . . .
sport=	Replace existing source ports.
sport+=	Add one or more source ports.
sport-=	Remove one or more source ports.

Syntax: sport=

name
number
number-number
list
transient
sport
dport

Example: add filter External.Client sport=transient

tag

Tags packets that match this filter. You can set up filters that tag certain types of packets and then prioritize the packets in Bandwidth Reservation System (BRS) using these tags. During times when traffic exceeds network capacity, the router sends the highest priority packets first. Tagging and prioritizing packets gives you control over which packets the router is most likely to transmit when there are requests for more than 100% of the networks bandwidth.

Another use for tags is with Ethernet Quality of Service when you wish to tag IP traffic on Ethernet interfaces with priority and virtual LAN information. Based on the Differentiated Services Code Point (DSCP) field in the header of an IP packet, Ethernet QOS works together with other QOS features (such as IP filtering and BRS) to support interoperability with 802.1-compliant switches (see Using Ethernet Quality of Service (EQOS) Mapping)

You can also have a filter that tags certain types of packets and then have filters that look for packets that have a specific tag. To do so, use the istag option.

You can assign tag numbers from 0 (zero) to 64. If you set tag=0, the router does not tag packets that match this filter.

Syntax: tag=number

Example: add filter External.Client tag=12

Add Profile [C] [M]

Creates a new profile and lets you assign properties to the profile. You can change or add to these properties later using the set profile command. The add profile and set profile commands use the same options.

For instructions on entering profile names, see Entering Profile and Filter Names.

Syntax: add profile profilename

Example: add profile webaccess

Use the following options to set profile expiration and idle timers. These timers apply only to dynamically installed profiles. If you set them for static profiles that you attach to interfaces using the set interface command, the software ignores them.

expiration

Limits how long dynamically installed profiles can remain installed. This timer begins when the software installs the profile. When this timer expires, the software uninstalls the profile. To re-install the profile, the user must authenticate again.

Notes:

If a user authenticates again before the profile expires, the software resets the expiration timer. Therefore, a user who knows that their authorized period is limited can authenticate again before the expiration in order to extend the time without losing access.
Changing the expiration timer at the at the IP Filters> monitoring prompt affects profiles that are already installed. For example, if the software installed a profile three hours ago and you set an expiration of one hour, the profile expires immediately. Similarly, increasing the expiration time increases the amount of time that an installed profile remains installed.

Setting the expiration to zero (0) turns off the expiration timer. Setting the expiration to a nonzero value turns on the expiration timer. You can also turn the expiration timer on or off without affecting the set value. The default is off.

Syntax: expiration=

#-of-seconds
on
off


Entry	Description
#-of-seconds	Number of seconds that a dynamically installed profile can remain installed.
on	Turns on the expiration timer.
off	Turns off the expiration timer.

Example: add profile ftpclient expiration=7200

Adds a profile called ftpclient with an expiration time of two hours (7200 seconds).

idle

Limits how long a dynamically installed profile can remain installed without one of its filters recognizing a packet. If the filters in this profile do not recognize a packet within this time period, the software uninstalls the profile. To re-install the profile, the user must authenticate again.

Note: Changing the idle timer at the IP Filters> monitoring prompt affects profiles that are already installed. For example, if the software installed a profile three hours ago and you set an expiration of one hour, the profile expires immediately. Similarly, increasing the expiration time increases the amount of time that an installed profile remains installed.

Syntax: idle=

#-of-seconds
on
off


Entry	Description
#-of-seconds	Number of seconds that a dynamic profile can remain installed without recognizing any packets.
on	Turns on the idle timer.
off	Turns off the idle timer.

Example: add profile webaccess idle=60

Adds a profile called webaccess and sets the profile idle timeout to 60 seconds.

keepalive

Some TCP implementations send zero-length packets (known as keepalives) to keep a session open even if the user is not doing anything. Use this option to specify whether or not TCP keepalive packets are sufficient to refresh the idle timeout. The default is off.

Syntax: keepalive=

on
off


Entry	Description
on	Turns on the keepalive option.
off	Turns off the keepalive option.

Example: add profile SalesUser idle=60 keepalive=on

Adds a profile called SalesUser and sets the profile idle timeout to 60 seconds and turns on the idle keepalive.

Delete Filter [C] [M]

Deletes a filter and automatically uninstalls it. If the filter has child filters, this command also deletes and uninstalls the child filters.

Syntax: delete filter profilename.filtername

Example: delete filter Inbound.user1

Delete Profile [C] [M]

Deletes and automatically uninstalls the profile and any filters in the profile.

Syntax: delete profile profilename

Example: delete profile Client_In

Install Profile [M]

Allows you to install a dynamic profile for a user who has lost their authentication device or who cannot authenticate for some other reason.

Syntax: install profile profilename interface=interface#
user=username address=IPaddress

Example: install profile ExternalUser interface=1 user=Peter address=50.12.32.2

List Attached [C] [M]

Displays a list of the profiles that are attached to an interface. You can also list the profiles that are attached to a specific interface by including the interface number.

Syntax: list attached

Example: list attached

Listing Interface Information

Interface   Attached Profiles
--------------------------------
1           firewall1
2           firewall2

Example: list attached 2

Listing Interface Information

Interface   Attached Profiles
--------------------------------
2           firewall2

List Filter [C] [M]

Displays all filters, a specific filter, all filters in a profile, or all filters under a parent filter.

If the direction of a filter is both, this command displays an "i" next to properties that relate to a packet's direction to show that the displayed information is for inbound packets.

Syntax: list filter

Example: list filter

Listing Filters
Name                 Dir  Address            Port          Protocol    Idle
                                                                 Action
---------------------------------------------------------------------------
firewall.webaccess   Both  ida=1.1.1.1       idp=HTTP(80)  TCP  Pass   Off
allow.icout          Out                     sp=transient  TCP  Pass   Off
allow.icout.resp     In    sa=destination    sp=dport      TCP  Pass   300
                           da=source         dp=sport

Example: list filter firewall

Listing Filters
Name                 Dir  Address            Port          Protocol    Idle
                                                                 Action
---------------------------------------------------------------------------
webaccess            Both  ida=1.1.1.1       idp=HTTP(80)  TCP  Pass   Off
icout                Out                     sp=transient  TCP  Pass   Off
icout.resp           In    sa=destination    sp=dport      TCP  Pass   300
                           da=source         dp=sport

Example: list filter firewall.webaccess

Listing Filters
Name                 Dir  Address           Port          Protocol    Idle
                                                                 Action
---------------------------------------------------------------------------
webaccess            Both  isa=1.1.1.1      isp=HTTP(80)  TCP  Pass   Off

List Interface [C] [M]

Displays a list of the profiles that are attached to each interface, followed by the filters that are attached to each interface. You can also list the profiles and filters that are attached to a specific interface by including the interface number.

Syntax: list interface

Example: list interface

Listing Interface Information
Interface   Attached Profiles
--------------------------------
1           firewall1
2           firewall2

Listing Filters Attached to Interface 1

Name                 Dir  Address            Port          Protocol    Idle
                                                                 Action
---------------------------------------------------------------------------
firewall1.webin      In   da=1.1.1.1         dp=HTTP(80)   TCP  Pass   Off
firewall1.webout     Out  sa=1.1.1.1         sp=HTTP(80)   TCP  Pass   Off


Listing Filters Attached to Interface 2

Name                 Dir  Address            Port          Protocol    Idle
                                                                 Action
---------------------------------------------------------------------------
firewall2.icout      Out                     sp=transient  TCP  Pass   Off
firewall2.icout.resp  In  sa=destination     sp=dport      TCP  Pass   300
                          da=source          dp=sport

Example: list interface 2

Listing Interface Information
Interface   Attached Profiles
--------------------------------
2           firewall2
Listing Filters Attached to Interface 2

Name                 Dir  Address            Port          Protocol    Idle
                                                                 Action
---------------------------------------------------------------------------
firewall2.icout      Out                     sp=transient  TCP  Pass   Off
firewall2.icout.resp  In  sa=destination     sp=dport      TCP  Pass   300
                          da=source          dp=sport

List Profile [C] [M]

Displays a list of all profiles and their properties or a specific profile and its properties.

Syntax: list profile

Example: list profile

Listing Profiles
  Firewall exp=Off idle=60 keepalive=Off
  NoSpoof exp=Off idle=Off keepalive=On

Example: list profile InternalClient

Listing Profiles
  InternalClient exp=Off idle=1200 keepalive=On

Rename Filter [C] [M]

Changes the name of a filter. You cannot change a parent filter's name.

Syntax: rename filter oldname newname

Example: rename filter Firewall.Client_In Client_Out

Rename Profile [C] [M]

Changes the name of a profile.

Syntax: rename profile oldname newname

Example: rename profile Client_In Client_Out

Revert [M]

This command removes dynamic filters and profiles from the running system and restarts the filtering system.

If you make configuration changes at the IP Filter> prompt, this command restores the saved configuration.

Syntax: revert

Example: revert

Save [M]

Saves changes you make at the IP Filter> prompt to permanent memory so they are still present after you restart the router.

Syntax: save

Example: save

Scope [C] [M]

Reduces keystrokes when you are working on filters. The scope command causes subsequent commands to apply to the profile or filter on which you are working.

Normally, when you are working on a filter, you have to type the complete name of each filter, beginning with the profile name. The scope command keeps you from having to retype the profile or parent filter name.

Note the repetitious typing in the following example:

IP Filters Config>add filter firewall.tftpc
IP Filters Config>add filter firewall.tftpc.response
IP Filters Config>set filter firewall.tftpc.response dir=in dest=source source=da
IP Filters Config>set filter firewall.tftpc.response protocol = tcp dport=sp sport=transient
IP Filters Config>set filter firewall.tftpc.response delete=on idle=30

Using the example above, scope the profile firewall and the filter tftpc and enter commands that apply to that filter. Enter unscope to stop applying commands to the profile and enter unscope again to stop applying commands to the filter. Note that when a scope is active, its name appears in the command prompt.

IP Filters Config>scope firewall
IP Filters Config firewall>add filter tftpc
IP Filters Config firewall>scope tftpc
IP Filters Config firewall.tftpc>add filter response
IP Filters Config firewall.tftpc>set filter response dir=in dest=source source=da
IP Filters Config firewall.tftpc>set filter response protocol = tcp dport=sp sport=transient
IP Filters Config firewall.tftpc>set filter response delete=on idle=30
IP Filters Config firewall.tftpc>unscope
IP Filters Config firewall>unscope
IP Filters Config>

Syntax: scope profilename or filtername

Example: scope firewall

IP Filters Config firewall>

Set Filter [C] [M]

Sets or modifies parameters of a filter that you previously created. See the add filter command for available options.

You can assign parameters in separate set filter entries. Use the scope command to apply each command to the profile or parent filter without repeatedly entering the profile and/or parent filter name.

Syntax: set filter profilename.filtername option(s)

Example: set filter tftp.client dir=in protocol=udp sport=transient

Set Interface [C] [M]

Statically attaches one or more profiles to an interface. You can also remove a profile from an interface.

Profile expiration and idle timeout options do not apply to static profiles that you attach to interfaces.

Enter . . . To . . .

profile= Replace profiles that are already attached to the interface.

profile+= Attach additional profile or list of profiles to the interface. The new profile names go to the end of the list.

profile-= Detach profiles or list of profiles from an interface. The remaining profile names remain where they are, and the list closes up the empty spaces.

Enter . . .	To . . .
profile=	Replace profiles that are already attached to the interface.
profile+=	Attach additional profile or list of profiles to the interface. The new profile names go to the end of the list.
profile-=	Detach profiles or list of profiles from an interface. The remaining profile names remain where they are, and the list closes up the empty spaces.

Syntax: set interface interface# profiles=profilenames

Example: set interface 2 profiles=a,b,c,d

This example attaches profiles a, b, c, and d to interface 2.

Example: set interface 2 profiles+=a,x,c

This example adds profiles a, x, and c to the end of the list of profiles attached to this interface. It replaces old entries that are duplicates of the new entries. The previous list a,b,c,d now becomes list b,d,a,x,c.

Example: set interface 2 profiles-=c,a

This example removes profiles c and a, and results in the list b,d,x.

Set Profile [C] [M]

Sets or modifies parameters of a profile that you previously created using the add profile command.

The same options are available for both the add profile command and the set profile command. For information on the options, see the add profile command.

Syntax: set profile profilename option(s)

Example: set profile ftpclient expiration=120 expiration=on idle=320 idle=on keepalive=on

Status [M]

Shows the runtime status of installed dynamic profiles and filters.

Syntax: status

Example: status

Listing Dynamic/Authentication Profile Status
Interface/Name   User      Address        Up     Expires Idle   Timer Keep
                                          Time                       Alive
--------------------------------------------------------------------------- 
1/webaccess      mel       162.2.0.2     793683  Off     793683  Off    Off

Listing Dynamic Filter Status

Interface/Name           Dir      Address       Port      Protocol    Idle
                                                               Action
--------------------------------------------------------------------------- 
1/elsauth.packout.childout        sa=162.3.0.2              Any  Pass  Off
                         Out      da=162.2.0.2

Total dynamic profiles installed = 1 
Total dynamic filters installed = 1

The following is a description of the fields displayed for profiles:


Interface/Name	The interface number and name of the installed profile or filter.
User	The name of the user who is using this profile.
Address	The IP address of the user.
Up Time	The number of seconds since the software installed the profile.
Expires	The current setting of the expiration timer.
Idle	The number of seconds since the profile recognized a packet.
Timer	The current setting of the idle timer.
Keepalive	Shows whether the keepalive option is on or off.

The following is a description of the fields displayed for filters:

Dir

The direction of the filter.

Address

Source and destination address of the child filter. It shows any addresses that the parent filter filled in.

Port

Source and destination ports of the child filter. It shows any ports that the parent filter filled in.

Protocol

The protocol set for the filter.

Idle

The current setting of the idle timer.

Action

The action set for the filter.

Unscope [C] [M]

Returns the command line to the previous scope. See the scope command for more information.

Syntax: unscope

Example: IP Filter Config firewall>unscope

               IP Filter Config>

Exit [C] [M]

Returns to the IP> or IP Config> prompt.

Syntax: exit

Example: exit

[Top] [Prev] [Next] [Bottom]

Dir	The direction of the filter.
Address	Source and destination address of the child filter. It shows any addresses that the parent filter filled in.
Port	Source and destination ports of the child filter. It shows any ports that the parent filter filled in.
Protocol	The protocol set for the filter.
Idle	The current setting of the idle timer.
Action	The action set for the filter.