
Introduction to IP packet filtering


For any packet a router needs to transfer, it first obtains the packet header information and then compares it against the configured rules. Whether the packet is forwarded or discarded depends on the result of that comparison. The key technology used to implement packet filtering is the access control list.


(Figure: a router holding a rule database, checking each packet against it.)

Why is an access control list needed?

To refuse undesired access: an access control list can distinguish between packets.

(Figure: headquarters of a company with an internal server; unauthorized users are kept out by the router.)

Another use of access control lists

Specify which packets can trigger dial-up. Ensure that "these packets" get "these services".

(Figure: a headquarters router connected to an agency router over the PSTN.)

What is an access control list?

An IP packet is shown below (the upper-layer protocol carried by IP in the figure is TCP):

IP header: protocol number, source address, destination address
TCP header: source port, destination port
Data

An access control list uses rules defined in terms of these fields.

How to identify an access control list?

Access control lists are identified by numbers; the range of the number identifies the kind of list:

1-99: IP standard list
100-199: IP extended list

How to use a wildcard-mask

A wildcard-mask is similar to a subnet mask, but is written differently: a 0 bit means that the corresponding address bit is compared, a 1 bit means that the comparison is ignored. When used in combination with an IP address, a wildcard-mask can describe an address range.

0.0.0.255: only the first 24 bits are compared
0.0.255.255: only the first 16 bits are compared
255.255.255.0: only the latter 8 bits are compared

Standard access control list

A standard access control list uses only the source address to decide whether a packet is permitted or denied.

(Figure: a router permits packets from one source /24 network segment and denies packets from another, based on the source address alone.)

The command to configure a standard access control list has the following format:

access-list [normal|special] listnumber { permit | deny } ip-address [ wildcard-mask ]

Extended access control list

An extended access control list uses more information than the source address alone to decide whether a packet is permitted or denied.

(Figure: packets from the 202.100.… network segment that use the TCP protocol and access the HTTP service can pass.)

Configuration commands of an extended access control list

Configure an extended access list for the TCP/UDP protocols:

access-list [normal|special] listnumber { permit | deny } { tcp | udp } source-addr [ source-mask ] dest-addr [ dest-mask ] [ operator port1 [ port2 ] ] [log]

Configure an extended access list for the ICMP protocol:

access-list [normal|special] listnumber { permit | deny } icmp source-addr [ source-mask ] dest-addr dest-mask [ icmp-type [ icmp-code ] ] [log]

Configure an extended access list for other protocols:

access-list [normal|special] listnumber { permit | deny } protocol source-addr [ source-mask ] dest-addr [ dest-mask ] [log]

Meaning of the operator in an extended access control list

Operator and syntax, followed by its meaning:

eq portnumber: equal to portnumber
gt portnumber: greater than portnumber
lt portnumber: less than portnumber
neq portnumber: not equal to portnumber
range portnumber1 portnumber2: between portnumber1 and portnumber2

Examples of extended access control lists

100 deny icmp 10.… : ICMP host-unreachable packets from network segment 10.0.0.0 to network segment 202.38.160.0 are not allowed to pass. The rule serial number is 100.

100 deny tcp 129.… : connections from hosts within network segment 129.9.0.0 to the WWW port (80) of hosts within network segment 202.38.160.0 are disabled. The rule serial number is 100.

102 deny udp 129.… : UDP traffic (port number greater than 128) from hosts within network segment 129.9.8.0 to hosts within network segment 202.38.160.0 is disabled, and any event violating this rule is recorded in a log. The rule serial number is 102.

Combination of multiple rules

An access list may be composed of multiple rules, and those rules use the same serial number. The basis for judging between conflicting rules is "depth": the depth of a rule is judged from the combination of its wildcard-mask with its IP address. That is, the smaller the address range, the higher the priority.

access-list 4 deny 202.38.0.0 0.0.255.255
access-list 4 permit 202.38.160.0 0.0.0.255

Combining these two rules means disabling access for the hosts within a large network segment (202.38.0.0) while enabling access for a small number of hosts (202.38.160.0).
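The wildcard-mask comparison and the "depth" rule above can be checked in a few lines of code. The following is an added example, not code from the original slides: it matches an address against a rule's wildcard-mask, ranks rules by depth, evaluates the list-4 example, and implements the port operators of the extended-list syntax. The `default` parameter standing in for `firewall default { permit | deny }` is an assumption of this example.

```python
import ipaddress


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_ip: str, rule_ip: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard-mask means that bit is compared; a 1 bit is ignored."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF  # bits that must be compared
    return (ip_to_int(packet_ip) & care) == (ip_to_int(rule_ip) & care)


def depth(wildcard: str) -> int:
    """Number of compared bits: greater depth = smaller address range = higher priority."""
    return 32 - bin(ip_to_int(wildcard)).count("1")


def port_operator(op: str, port: int, p1: int, p2=None) -> bool:
    """Operators of the extended-list syntax: eq, gt, lt, neq, range."""
    if op == "range":
        return p2 is not None and p1 <= port <= p2
    return {"eq": port == p1, "gt": port > p1, "lt": port < p1, "neq": port != p1}[op]


# Standard list 4 from the slides: deny the large segment, permit the small one.
STANDARD_ACL_4 = [
    ("deny", "202.38.0.0", "0.0.255.255"),
    ("permit", "202.38.160.0", "0.0.0.255"),
]


def evaluate_standard(acl, src_ip: str, default: str = "permit") -> str:
    """Decide permit/deny for a source address. Among the rules that match,
    the one with the greatest depth (smallest range) wins. `default` stands in
    for the router's firewall default mode (an assumption of this example)."""
    matches = [(depth(wc), action) for action, ip, wc in acl if wildcard_match(src_ip, ip, wc)]
    if not matches:
        return default
    return max(matches, key=lambda m: m[0])[1]


if __name__ == "__main__":
    for src in ("202.38.160.7", "202.38.1.7", "10.1.1.1"):
        print(src, "->", evaluate_standard(STANDARD_ACL_4, src))
```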

How to make an access control list take effect?

Use the serial number of the access control list, apply the access control list to an interface, and specify whether it takes effect in the OUT direction or the IN direction at that interface.

(Figure: access control list 101 is applied to interface Ethernet0 and takes effect in the out direction; access control list 3 is applied to interface Serial0 and takes effect in the in direction.)

Basic configuration tasks of an access control list

The following steps are basically necessary to configure an access control list:

Enable/disable the firewall (the default on Quidway series routers is that the firewall function is disabled)
Define the access control list (standard or extended)
Apply the access control list to an interface

The following applications can be extended as required:

Set the default filtering mode of the firewall
Enable/disable filtering by time segment
Set special time segments
Specify a log host
Display the configuration status

Attribute configuration commands of the firewall

Firewall command: firewall { enable | disable }
Firewall default command: firewall default { permit | deny }
Show firewall command: show firewall

Packet filtering based on time segment

"Special rules for special time segments": during working hours (8:00 a.m. to 5:00 p.m.), only special sites can be accessed; other sites can be accessed during other times.

(Figure: a rule database based on time segment, applied between the LAN and the WAN.)

Configuration commands of time segment

timerange command: timerange { enable | disable }
settr command: settr begin-time end-time [ begin-time end-time ... ] and no settr
show isintr command: show isintr
show timerange command: show timerange

Configuration commands of the log function

The log function makes any firewall operation recordable on a special host:

logging on is used to start the log system
logging host is used to configure relevant attributes such as the log host address
show logging is used to display the log configuration information

There are abundant log functions; for details, please refer to the corresponding configuration manual.

Networking diagram

(Figure: a company intranet (Ethernet) with an FTP server, a Telnet server, a WWW server and an internal specified PC, connected through router R to the WAN, where an external specified user is located.)

Configuration steps

In actual applications the steps are:

Enable/disable the firewall (the default on Quidway series routers is that the firewall function is disabled)
Define an extended access control list
Apply the access control list to an interface

Key points in this chapter

Principles of packet filtering.
Configuration principles of a standard access list.
Configuration principles of an extended access list.
Applying an access control list at a port to implement the firewall function.