This chapter describes how to use the command line interface to create, edit, and delete filters. Detailed command definitions follow a command summary table.
System administrators can use the command line interface to create appropriate packet filters to control access to specific hosts, networks, and network services.
Once a filter is defined, it can be used with the ptrace command, or attached to an Ethernet interface, network hardwired port, user, or location. If used for route propagation, the filter is assigned to a specified protocol. Filters for network hardwired ports and Ethernet interfaces are set for the port or interface. Filters for dial-in users are set in the user table, or can be referenced by RADIUS. Filters for dial-out locations are set in the location table.
For more information about designing packet filters, refer to the PortMaster Configuration Guide.
To display information about your filters, use the following filter-specific commands:
The commands in Table 15-1 configure the filter table. Filters can be applied to Ethernet interfaces, users, locations, network hardwired ports, or protocols, and can be used for debugging with the ptrace command.
Note: The commands should be entered on one line, without any breaks. Line breaks shown here are due to the limited space available.
The following commands create, delete, modify, and display filters.
Note: If a filter rule is set with no arguments, the rule is removed. If a filter rule is set with arguments without specifying permit or deny, permit is chosen by default.
add filter
This command creates a new filter name and adds it to the filter table.
add filter Filtername
If the filter is to be used by RADIUS, it must end in .in if it is an input filter and .out if it is an output filter. Consider using the same convention to distinguish all input and output filters.
Command> add filter s1.in
New Filter successfully added
delete filter
This command deletes an existing filter from the filter table.
delete filter Filtername
Use caution when removing filters from the filter table. Make sure that they are no longer needed for any packet filtering.
Command> delete filter s1.in
ComOS provides no automatic response to this command, but you can use the show table filter command to confirm that the filter has been removed from the filter table.
See also: add filter (page 15-4), show table filter (page 15-26)
save filter
This command writes any changes in the filter table to the nonvolatile RAM of the PortMaster.
save filter
The save all command can also be used.
Command> save filter
Filter table successfully saved
New configurations successfully saved.
set filter (IP)
These commands configure a filter that controls passage of a packet through an interface.
Note: Enter this command on one line, without any breaks. The line breaks shown here are due to the limited space available.
set filter Filtername RuleNumber permit|deny
[Ipaddress/NM Ipaddress(dest)/NM] [esp|ah|ipip|ospf] [log] [notify]
set filter Filtername RuleNumber permit|deny
[Ipaddress/NM Ipaddress(dest)/NM] [protocol Number] [log] [notify]
set filter Filtername RuleNumber permit|deny
=ListName Ipaddress(dest)/NM [esp|ah|ospf] [log] [notify]
set filter Filtername RuleNumber permit|deny
=ListName Ipaddress(dest)/NM [protocol Number] [log] [notify]
set filter Filtername RuleNumber permit|deny
Ipaddress/NM =ListName [esp|ah|ipip] [log] [notify]
set filter Filtername RuleNumber permit|deny
Ipaddress/NM =ListName [protocol Number][log] [notify]
You construct filters by first creating the filter with the add filter command, and then adding rules that permit or deny packets matching the criteria in the rules. You can update an existing filter by setting additional rules with new rule numbers and new filter criteria, or you can edit existing rules: setting a rule with a number that is already in use replaces that rule.
You can delete a rule by specifying only the rule number, for example set filter s0.in 4. You cannot use the command line interface to insert a rule between other rules, although you can do so with the PMVision GUI.
Zero-length filters are treated as permit filters. That is, if a filter has no rules at all it permits everything through. If a filter has one or more rules, anything not explicitly permitted by a rule is denied at the end of the filter.
Note: Entering the command set filter Filtername without any arguments removes all filter rules from the filter.
Command> set filter w1.in 1 deny 192.168.1.0/24 0.0.0.0/0 log
Filter w1.in updated
See also: add filter (page 15-4), set choicenet (page 3-29), set loghost (page 3-10)
set filter (TCP)
These commands set filtering rules for TCP packets.
Note: Enter this command on one line, without any breaks. The line breaks shown here are due to the limited space available.
set filter Filtername RuleNumber permit|deny
[Ipaddress/NM Ipaddress(dest)/NM] tcp [src eq|lt|gt Tport]
[dst eq|lt|gt Tport] [established] [log] [notify]
set filter Filtername RuleNumber permit|deny
=ListName Ipaddress(dest)/NM tcp [src eq|lt|gt Tport]
[dst eq|lt|gt Tport] [established] [log] [notify]
set filter Filtername RuleNumber permit|deny
Ipaddress/NM =ListName tcp [src eq|lt|gt Tport]
[dst eq|lt|gt Tport] [established] [log] [notify]
Filtername
    Name of an existing filter that is in the filter table.
RuleNumber
    Filter rule number, between 1 and 256 for the PortMaster 3 and IRX, and between 1 and 100 for other PortMaster products.
permit
    Permits a packet that matches the rule to pass through the interface. This is the default.
deny
    Stops a packet that matches the rule from passing through the interface. The packet is dropped, and an ICMP "Host Unreachable" message is sent to the source address.
Ipaddress
    IP address expressed in dotted decimal notation or as a hostname, to compare with the source IP address of the packet.
/NM
    Netmask that indicates the number of high-order bits of the source or destination IP address of the packet that must match the address in the filter. Any value from 0 to 32 can be used; common mask values are:
    /0   matches all packets, whatever the address
    /16  compares the high-order 16 bits of the address
    /24  compares the high-order 24 bits of the address
    /32  compares the entire IP address
Ipaddress(dest)
    An IP address expressed in dotted decimal notation or as a hostname, to compare with the destination IP address of the packet.
src
    Specifies that the packet source port number be tested; see "Usage" for the test criteria.
eq, lt, or gt
    Mode of comparison of port numbers: equal to (eq), less than (lt), or greater than (gt).
Tport
    Number of the designated TCP port. See Table 15-2 for a list of the port numbers 20 through 1647 commonly assigned to TCP and UDP services.
dst
    Specifies that the packet destination port number be tested; see "Usage" for the test criteria.
established
    Matches only packets that belong to an already established TCP connection. Packets that attempt to open a new TCP connection do not match this rule and are not permitted by it.
log
    Packets matching the rule are logged by syslog to the loghost.
notify
    Packets matching the rule are logged by syslog to the source of the packet. If you have the ChoiceNet notifier installed, this keyword causes a notification pop-up to appear on your computer.
=ListName
    Specifies a list of source or destination sites in the /etc/choicenet/lists directory on the ChoiceNet server. The equal sign (=) must immediately precede the value.
The filtering rules are based on source and destination port numbers, and on the established state of a connection.
The order of rules in a filter is important because the PortMaster evaluates the rules in the order that they are numbered, and the first rule that matches decides what happens to the packet. Refer to the PortMaster Configuration Guide for more information.
The src and dst keywords test the source or destination port number in the packet against Tport using eq, lt, or gt: the rule matches when the port number is equal to, less than, or greater than the port you specify.
Note: Entering the command set filter Filtername without any arguments removes all filter rules from the filter.
Command> set filter w1.in 1 deny 192.168.1.0/24 0.0.0.0/0 log
Filter w1.in updated
Command> set filter w1.in 2 permit tcp estab
Filter w1.in updated
Command> set filter w1.in 3 permit tcp dst eq 80
Filter w1.in updated
Command> set filter w1.in 4 permit tcp dst eq 25
Filter w1.in updated
At any point, you can see the updates made to the filter by using the following command (shown with response):
Command> show filter w1.in
1 deny 192.168.1.0/24 0.0.0.0/0 ip log
2 permit 0.0.0.0/0 0.0.0.0/0 tcp estab
3 permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 80
4 permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 25
See also: add filter (page 15-4), set loghost (page 3-10)
set filter (UDP)
This command sets filtering rules for User Datagram Protocol (UDP) packets.
Note: Enter this command on one line, without any breaks. The line breaks shown here are due to the limited space available.
set filter Filtername RuleNumber permit|deny
[Ipaddress/NM Ipaddress(dest)/NM] udp [src eq|lt|gt Uport]
[dst eq|lt|gt Uport] [log] [notify]
set filter Filtername RuleNumber permit|deny
=ListName Ipaddress(dest)/NM udp [src eq|lt|gt Uport]
[dst eq|lt|gt Uport] [log] [notify]
set filter Filtername RuleNumber permit|deny
Ipaddress/NM =ListName udp [src eq|lt|gt Uport]
[dst eq|lt|gt Uport] [log] [notify]
The filtering rules are very similar to those used for TCP packets, except that there is no established keyword for UDP. The order of rules in a filter is important because the PortMaster evaluates the rules in the order that they are numbered, and the first rule that matches decides what happens to the packet. Refer to the PortMaster Configuration Guide for more information.
The src and dst keywords test the source or destination port number in the packet against Uport using eq, lt, or gt: the rule matches when the port number is equal to, less than, or greater than the port you specify.
Note: Entering the command set filter Filtername without any arguments removes all filter rules from the filter.
Command> set filter w1.in 5 permit udp src eq 53
Filter w1.in updated
Command> set filter w1.in 6 permit udp dst eq 53
Filter w1.in updated
See also: add filter (page 15-4), set loghost (page 3-10)
set filter (ICMP)
These commands set filtering rules for Internet Control Message Protocol (ICMP) packets.
Note: Enter this command on one line, without any breaks. The line breaks shown here are due to the limited space available.
Note: Entering the command set filter Filtername without any arguments removes all filter rules from the filter.
set filter Filtername RuleNumber permit|deny
[Ipaddress/NM Ipaddress(dest)/NM] icmp [type Itype] [log] [notify]
set filter Filtername RuleNumber permit|deny
=ListName Ipaddress(dest)/NM icmp [type Itype] [log] [notify]
set filter Filtername RuleNumber permit|deny
Ipaddress/NM =ListName icmp [type Itype] [log] [notify]
Command> set filter w1.in 1 permit icmp
Filter w1.in updated
See also: add filter (page 15-4), set loghost (page 3-10)
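The evaluation semantics this chapter states for IP filters (rules checked in numeric order, first match wins, an implicit deny after the last rule, an empty filter that permits everything, and a re-used rule number replacing the old rule) together with the port and established tests of the TCP and UDP forms can be checked on a workstation before a filter is attached to a port. The following Python model is an added example; it is not ComOS code and does not come from the PortMaster documentation. It parses the argument string of set filter exactly as the w1.in examples in this chapter write it and evaluates constructed packets against the resulting filter. It assumes dotted-decimal addresses with /NM only (no hostnames and no =ListName), assumes that estab is decided by the TCP ACK flag of the packet, and uses the constructed addresses 203.0.113.5, 10.0.0.1 and 192.168.1.7.

```python
# Offline evaluator for ComOS-style 'set filter' rules (IP, TCP, UDP, ICMP forms).
# Added example, not ComOS code. Assumptions: dotted-decimal addresses with /NM
# only (no hostnames, no =ListName); 'estab' is modelled as 'TCP ACK flag set'.
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
_CMP = {"eq": lambda a, b: a == b, "lt": lambda a, b: a < b, "gt": lambda a, b: a > b}
# Constructed model of the header fields a rule can test; 'ack' is the assumed flag behind 'estab'.
Packet = namedtuple("Packet", "src dst proto sport dport ack icmp_type", defaults=("ip", 0, 0, False, None))


@dataclass
class Rule:
    action: str
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    proto: str = "ip"  # 'ip' matches every protocol
    ports: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # 'src'|'dst' -> (op, port)
    estab: bool = False
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in self.src and ipaddress.ip_address(p.dst) in self.dst
                and self.proto in ("ip", p.proto) and (p.ack or not self.estab)
                and self.icmp_type in (None, p.icmp_type)
                and all(_CMP[op](p.sport if side == "src" else p.dport, port)
                        for side, (op, port) in self.ports.items()))


def parse_rule(text: str) -> Tuple[int, Rule]:
    """Parse the arguments after 'set filter NAME', e.g. '3 permit tcp dst eq 80'.
    Omitted addresses mean 0.0.0.0/0; an omitted permit/deny means permit."""
    tok = text.split()
    num, i, rule = int(tok[0]), 1, Rule("permit")
    if i < len(tok) and tok[i] in ("permit", "deny"):
        rule.action, i = tok[i], i + 1
    if i + 1 < len(tok) and "/" in tok[i] and "/" in tok[i + 1]:
        rule.src, rule.dst = (ipaddress.ip_network(a, strict=False) for a in tok[i:i + 2])
        i += 2
    while i < len(tok):
        t = tok[i]
        if t in ("ip", "tcp", "udp", "icmp"):
            rule.proto, i = t, i + 1
        elif t in ("src", "dst") and i + 2 < len(tok) and tok[i + 1] in _CMP:
            rule.ports[t], i = (tok[i + 1], int(tok[i + 2])), i + 3
        elif t in ("estab", "established"):
            rule.estab, i = True, i + 1
        elif t == "type" and i + 1 < len(tok):
            rule.icmp_type, i = int(tok[i + 1]), i + 2
        elif t in ("log", "notify"):
            i += 1  # logging never changes the permit/deny decision
        else:
            raise ValueError(f"unsupported token {t!r} in rule {text!r}")
    return num, rule


class Filter:
    def __init__(self, name: str) -> None:
        self.name, self.rules = name, {}  # rule number -> Rule

    def set(self, args: str = "") -> None:
        """'set filter NAME [args]': no args clears, a bare number deletes, else create/replace."""
        args = args.strip()
        if not args:
            self.rules.clear()
        elif args.isdigit():
            self.rules.pop(int(args), None)
        else:
            num, rule = parse_rule(args)
            self.rules[num] = rule

    def evaluate(self, p: Packet) -> Tuple[str, Optional[int]]:
        if not self.rules:
            return "permit", None  # zero-length filter permits everything
        for num in sorted(self.rules):  # numeric order, first match wins
            if self.rules[num].matches(p):
                return self.rules[num].action, num
        return "deny", None  # implicit deny after the last rule


def build_w1_in() -> Filter:
    f = Filter("w1.in")  # w1.in as the chapter's TCP and UDP examples build it
    for line in ("1 deny 192.168.1.0/24 0.0.0.0/0 log", "2 permit tcp estab",
                 "3 permit tcp dst eq 80", "4 permit tcp dst eq 25",
                 "5 permit udp src eq 53", "6 permit udp dst eq 53"):
        f.set(line)
    return f


def demo() -> Dict[str, Tuple[str, Optional[int]]]:
    """Constructed packets through w1.in, then after the ICMP example's 'set filter w1.in 1 permit icmp'."""
    f, ext, inside = build_w1_in(), "203.0.113.5", "10.0.0.1"  # constructed addresses
    spoofed = Packet("192.168.1.7", inside, "tcp", 40000, 80, ack=True)
    ping = Packet(ext, inside, "icmp", icmp_type=8)
    res = {"spoofed_rfc1918_src": f.evaluate(spoofed),  # rule 1 deny
           "http_syn": f.evaluate(Packet(ext, inside, "tcp", 40000, 80)),  # rule 3
           "ssh_syn": f.evaluate(Packet(ext, inside, "tcp", 40000, 22)),  # implicit deny
           "ssh_ack_only": f.evaluate(Packet(ext, inside, "tcp", 40000, 22, ack=True)),  # rule 2
           "dns_reply": f.evaluate(Packet(ext, inside, "udp", 53, 33000)),  # rule 5
           "ping": f.evaluate(ping)}  # implicit deny
    f.set("1 permit icmp")  # same number: the anti-spoofing deny is replaced, not kept
    res["ping_after_overwrite"], res["spoofed_after_overwrite"] = f.evaluate(ping), f.evaluate(spoofed)
    return res
```

Running demo() makes two things explicit that the chapter's examples leave implicit. In this model rule 2 (permit tcp estab) passes any packet that carries the established marker whatever its port, so a packet to port 22 with ACK set is permitted by rule 2 while a new connection to port 22 falls through to the implicit deny. And because the ICMP example re-uses rule number 1 in w1.in, the deny for 192.168.1.0/24 is replaced rather than kept, after which the spoofed packet is permitted by rule 2. Compare the rule list with show filter before attaching a filter to an interface, port, user, or location.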
set ipxfilter
This command sets filtering rules for IPX packets.
Note: Enter this command on one line, without any breaks. The line breaks shown here are due to the limited space available.
set ipxfilter Filtername RuleNumber permit|deny
[srcnet Ipxnetwork] [srchost Ipxnode] [srcsocket eq|gt|lt Ipxsock]
[dstnet Ipxnetwork] [dsthost Ipxnode] [dstsocket eq|gt|lt Ipxsock]
Filtername
    Name of an existing filter that is in the filter table.
RuleNumber
    Filter rule number, between 1 and 256 for the PortMaster 3 and IRX, and between 1 and 100 for other PortMaster products.
permit
    Permits a packet that matches the rule to pass through the interface. This is the default.
deny
    Stops a packet that matches the rule from passing through the interface.
srcnet
    Specifies the comparison with the source IPX network number contained in the packet, a 32-bit hexadecimal value.
Ipxnetwork
    IPX network number, a 32-bit hexadecimal value.
srchost
    Specifies the comparison with the source IPX node address contained in the packet, a 48-bit hexadecimal value, usually the MAC address of the host.
Ipxnode
    IPX node address, a 48-bit hexadecimal value, usually the MAC address of the host.
srcsocket
    Specifies that the source IPX socket number contained in the packet must be compared with the IPX socket number specified in the filter. A second keyword, eq, lt, or gt, must follow to indicate the mode of comparison.
eq, lt, or gt
    Mode of comparison of socket numbers: equal (eq), less than (lt), or greater than (gt).
Ipxsock
    Socket number specified for the comparison, an integer from 1 to 65535.
dstnet
    Specifies the comparison with the destination IPX network number contained in the packet, a 32-bit hexadecimal value.
dsthost
    Specifies the comparison with the destination IPX node address contained in the packet, a 48-bit hexadecimal value, usually the MAC address of the host.
dstsocket
    Specifies that the destination IPX socket number contained in the packet must be compared with the IPX socket number specified in the filter. A second keyword, eq, lt, or gt, must follow to indicate the mode of comparison.
The filtering rules are based on source or destination host, network, or socket.
The eq, gt, and lt keywords test the source or destination socket number in the packet against Ipxsock: the rule matches when the socket number is equal to, greater than, or less than the socket you specify.
Note: Entering the command set filter Filtername without any arguments removes all filter rules from the filter.
Command> set ipxfilter e0.in 1 permit dstnet 0xC009C901
Filter e0.in updated
Command> set ipxfilter e0.in 2 permit srcnet 0xC009C905
Filter e0.in updated
Command> set ipxfilter e0.in 3 permit srchost 0xA0B1C2D3
Filter e0.in updated
Command> set ipxfilter e0.in 4 permit dsthost 0xA1B2C3D4
Filter e0.in updated
Command> set ipxfilter e0.in 5 deny dstsocket eq 451
Filter e0.in updated
Command> set ipxfilter e0.in 6 permit srcsocket gt 455
Filter e0.in updated
Command> show ipxfilter e0.in
- IPX Rules -
1 permit dstnet C009C901
2 permit srcnet C009C905
3 permit srchost A0B1C2D3
4 permit dsthost A1B2C3D4
5 deny dstsocket eq 0451
6 permit srcsocket gt 0455
See also: add filter (page 15-4)
set sapfilter
This command sets filtering rules for IPX Service Advertising Protocol (SAP) packets.
Note: Enter this command on one line, without any breaks. The line breaks shown here are due to the limited space available.
set sapfilter Filtername RuleNumber permit|deny [server String]
[network Ipxnetwork] [host Ipxnode] [socket eq|gt|lt Ipxsock]
Filtername
    Name of an existing filter that is in the filter table.
RuleNumber
    Filter rule number, between 1 and 256 for the PortMaster 3 and IRX, and between 1 and 100 for other PortMaster products.
permit
    Permits a SAP packet that matches the rule to pass through the interface. This is the default.
deny
    Stops a SAP packet that matches the rule from passing through the interface.
server
    Specifies the comparison with the name of the server that is advertising its service.
String
    SAP server name.
network
    Specifies the comparison with the server's IPX network number.
Ipxnetwork
    IPX network number, a 32-bit hexadecimal value.
host
    Specifies the comparison with the server's IPX node address.
Ipxnode
    IPX node address, a 48-bit hexadecimal value, usually the MAC address of the host.
socket
    Specifies that the server's IPX socket number must be compared with the IPX socket number specified in the filter. A second keyword, eq, lt, or gt, must follow to indicate the mode of comparison.
eq, lt, or gt
    Mode of comparison of socket numbers: equal (eq), less than (lt), or greater than (gt).
Ipxsock
    Socket number specified for the comparison, an integer from 1 to 65535.
The filtering rules are based on server, network, host, or socket. SAP packets can be filtered only on output, not on input; SAP filter rules used as inbound packet filters are ignored.
The eq, gt, and lt keywords test the server's socket number in the packet against Ipxsock: the rule matches when the socket number is equal to, greater than, or less than the socket you specify.
Note: Entering the command set filter Filtername without any arguments removes all filter rules from the filter.
Command> set sapfilter e0.out 1 permit network C009C901
Filter e0.out updated
Command> set sapfilter e0.out 2 permit host A0B1C2D3E4F5
Filter e0.out updated
Command> set sapfilter e0.out 3 deny socket eq 452
Filter e0.out updated
Command> show sapfilter e0.out
1 permit network C009C901
2 permit host A0B1C2D3E4F5
3 deny socket eq 0452
See also: add filter (page 15-4)
show filter
This command shows the configuration of a specified filter.
show filter|ipxfilter|sapfilter Filtername
Command> show filter internet.in
1 deny 192.168.200.0/24 0.0.0.0/0 ip
2 permit 0.0.0.0/0 0.0.0.0/0 tcp estab
3 permit 0.0.0.0/0 0.0.0.0/0 udp dst eq 53
4 permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 53
5 permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 25
6 permit 0.0.0.0/0 0.0.0.0/0 icmp
show table filter
This command shows a list of the filters in the filter table.
show table filter
See also: show filter (page 15-25)
Copyright © 1998, Lucent Technologies. All rights reserved.