			Filters

94/3/8, last modified 95/01/24

This example is for a hardwired network interface on port S1; if you
use dial on demand you should add the filter to the appropriate
location and netuser table entries (e.g.  for location internet and
netuser internet you would do "set internet ifilter internet.in" and
"set user internet ifilter internet.in" after doing the following
commands).

In this example we'll use the fictional domain example.com using the
class C network 192.9.200.0, with a ftp server at ftp.example.com, a
nameserver at ns.example.com, the IRX itself as gw.example.com with the
service provider's router as gw.isp.net.  192.9.200.0 should be
replaced by your own network number and all the hostnames should be
replaced by the real hostnames or IP addresses.

add filter internet.in

set filter internet.in 1 deny 192.9.200.0/24 0.0.0.0/0 
set filter internet.in 2 permit tcp estab
set filter internet.in 3 permit udp dst eq 53
set filter internet.in 4 permit tcp dst eq 53
set filter internet.in 5 permit tcp dst eq 25
set filter internet.in 6 permit icmp
set filter internet.in 7 permit 0.0.0.0/0 ftp.example.com/32 tcp dst eq 21
set filter internet.in 8 permit tcp src eq 20 dst gt 1023

set s1 ifilter internet.in
save all
reset s1

1. Block any incoming packets claiming to be from your own network
2. Allow any outgoing TCP connections
3. Allow Domain Name service queries both ways
4. Allow Domain Name service zone transfers
5. Allow mail both ways
6. Allow ICMP (ping) both ways
7. Allow anyone to FTP to our FTP host
8. Allow us to FTP things from the Internet (this is potentially risky)

If your Domain Name Server is on the outside of your local net, you
need to add a line like this:
set filter internet.in 9 permit udp src eq 53
and you may then want to add an output filter like

add filter internet.out
set filter internet.out 1 deny 0.0.0.0/0 192.9.200.0/24
set filter internet.out 2 permit ns.example.com/32 0.0.0.0/0 tcp  
set filter internet.out 3 permit ns.example.com/32 0.0.0.0/0 udp src eq 53  
set filter internet.out 4 permit ns.example.com/32 0.0.0.0/0 udp dst eq 53
set filter internet.out 5 permit gw.example.com/32 gw.isp.net/32 udp dst eq 520
set filter internet.out 6 permit icmp
set s1 ofilter internet.out
save all
reset s1

If you want to listen for RIP information you should add:
set filter internet.in 10 permit gw.isp.net/32 gw.example.com/32 udp dst eq 520

If you want to allow auth (RFC 931) queries in (which some mailers
and FTP servers use) you need to add a line like this, using the next
unused rule number (if you also added the RIP rule above as rule 10,
make this one rule 11):
set filter internet.in 10 permit tcp dst eq 113

The rules are applied in the order given, and you can either permit
or deny.  Anything not permitted is denied at the end.

For greater security you should further limit which hosts can do what,
e.g. limit DNS and SMTP interchange with the internet to a single
well-secured host of yours, and have your internal hosts refer to that
host.

You can specify hosts as IP addresses or as names.  You can specify
subnets too; for example if we wanted to allow one subnet to have
complete access to our network, we could add a rule to internet.in
like:

permit 192.187.195.0/24 192.9.200.0/24

In Release 3.0 you can route and filter IPX as well, and outgoing SAP.

You can set filters on incoming packets and/or outgoing packets on each
port (or ethernet).  Filtering incoming packets is safer than filtering
outgoing packets, because 1) you know which interface that packet is
coming in on, and 2) you can protect the router itself with the filter.
Other vendors' routers that only allow filtering outgoing packets are
vulnerable to attack on the router itself.

EXAMPLE TWO

Here's a basic firewall filter for use with a bastion host and an
IRX-111 connected to the internet on port S1.

This example is for a hardwired network interface on port S1; if you
use dial on demand you should add the filter to the appropriate
location and netuser table entries (e.g.  for location internet and
netuser internet you would do "set internet ifilter internet.in" and
"set user internet ifilter internet.in" after doing the following
commands).

This example allows any kind of outgoing connection from the bastion
host, blocks all incoming traffic to any host but the bastion, and
allows the following incoming traffic to the bastion: SMTP, NNTP, DNS,
FTP, ICMP.  Note that unless you have the latest versions of ftpd and
sendmail you may be vulnerable to attacks through those ports.

The name bastion below should be replaced by the IP address or
hostname of the bastion host.

add filter internet.in

set filter internet.in 1 deny 192.9.200.0/24 0.0.0.0/0 
set filter internet.in 2 permit 0.0.0.0/0 bastion/32 tcp estab
set filter internet.in 3 permit 0.0.0.0/0 bastion/32 tcp dst eq 21
set filter internet.in 4 permit 0.0.0.0/0 bastion/32 tcp src eq 20 dst gt 1023
set filter internet.in 5 permit 0.0.0.0/0 bastion/32 tcp dst eq 119
set filter internet.in 6 permit 0.0.0.0/0 bastion/32 tcp dst eq 25
set filter internet.in 7 permit 0.0.0.0/0 bastion/32 udp dst eq 53
set filter internet.in 8 permit 0.0.0.0/0 bastion/32 tcp dst eq 53

set s1 ifilter internet.in
save all
reset s1

1. Block any incoming packets claiming to be from your own network
2. Allow any established TCP connections back into the bastion (you may want
	to limit this further by putting deny commands ahead of it)
3. Allow anyone to FTP to the bastion
4. Allow bastion to FTP things from the Internet (this is potentially risky)
5. Allow incoming news (NNTP) to the bastion
6. Allow incoming mail (SMTP) to the bastion
7. Allow Domain Name service queries to the bastion
8. Allow Domain Name service zone transfers from the bastion to others

The rules are applied in the order given, and you can either permit
or deny.  Anything not permitted is denied at the end.
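The following is an added example, not Livingston code and not part of
this note: a small Python evaluator for the "set filter" rule syntax used
in both examples above (the internet.in filter of example one and the
bastion filter of example two).  It walks the rules in the order given,
lets the first match decide, and denies anything left over, which is the
behaviour the two "rules are applied in the order given" paragraphs
describe.  Everything beyond the keywords the page itself uses is an
assumption: "estab" is modelled as "TCP ACK flag set", the hostnames are
resolved through a constructed name table whose addresses are invented
here, and rule order is simply list order (the IRX itself orders rules by
number, so a rule inserted ahead of another would be renumbered there).

```python
"""Added example, not Livingston code: a first-match evaluator for the IRX 'set
filter' rule syntax used in both examples above.  Only the keywords the page uses
are modelled (SRC DST, tcp/udp/icmp, estab, src|dst eq|gt PORT); 'estab' is
assumed to mean 'TCP ACK flag set'."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

NAMES = {  # constructed stand-in for DNS; these addresses are invented, not from the page
    "ftp.example.com": "192.9.200.2", "ns.example.com": "192.9.200.3",
    "gw.example.com": "192.9.200.1", "gw.isp.net": "198.51.100.1", "bastion": "192.9.200.10"}

@dataclass
class Packet:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False    # TCP ACK set, i.e. not the opening SYN

@dataclass
class Rule:
    number: int
    action: str          # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None
    estab: bool = False
    sport: Optional[Tuple[str, int]] = None   # ("eq" | "gt", port)
    dport: Optional[Tuple[str, int]] = None

def _net(spec):
    host, _, length = spec.partition("/")
    return ipaddress.ip_network(f"{NAMES.get(host, host)}/{length or 32}", strict=False)

def parse_rule(line):
    """Parse 'set filter NAME N permit|deny [SRC DST] [proto] [estab] [src|dst eq|gt PORT]...'."""
    tok = line.split()
    if len(tok) < 5 or tok[:2] != ["set", "filter"] or tok[4] not in ("permit", "deny"):
        raise ValueError(f"not a filter rule: {line}")
    rest = tok[5:]
    src = dst = ipaddress.ip_network("0.0.0.0/0")      # no addresses given: match any
    if len(rest) >= 2 and "/" in rest[0] and "/" in rest[1]:
        src, dst, rest = _net(rest[0]), _net(rest[1]), rest[2:]
    rule, i = Rule(int(tok[3]), tok[4], src, dst), 0
    while i < len(rest):
        t = rest[i]
        if t in ("tcp", "udp", "icmp"):
            rule.proto, i = t, i + 1
        elif t == "estab":
            rule.estab, i = True, i + 1
        elif t in ("src", "dst") and i + 2 < len(rest) and rest[i + 1] in ("eq", "gt"):
            setattr(rule, "sport" if t == "src" else "dport", (rest[i + 1], int(rest[i + 2])))
            i += 3
        else:
            raise ValueError(f"unsupported token {t!r} in: {line}")
    return rule

def _port_ok(cond, port):
    return cond is None or (port == cond[1] if cond[0] == "eq" else port > cond[1])

def matches(rule, pkt):
    return (ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (rule.proto is None or rule.proto == pkt.proto)
            and (not rule.estab or (pkt.proto == "tcp" and pkt.ack))
            and _port_ok(rule.sport, pkt.sport) and _port_ok(rule.dport, pkt.dport))

def evaluate(rules, pkt):
    """First matching rule in the order given decides; no match means deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.number
    return "deny", None

INTERNET_IN = [parse_rule(l) for l in """
set filter internet.in 1 deny 192.9.200.0/24 0.0.0.0/0
set filter internet.in 2 permit tcp estab
set filter internet.in 3 permit udp dst eq 53
set filter internet.in 4 permit tcp dst eq 53
set filter internet.in 5 permit tcp dst eq 25
set filter internet.in 6 permit icmp
set filter internet.in 7 permit 0.0.0.0/0 ftp.example.com/32 tcp dst eq 21
set filter internet.in 8 permit tcp src eq 20 dst gt 1023
""".strip().splitlines()]
BASTION_IN = [parse_rule(l) for l in """
set filter internet.in 1 deny 192.9.200.0/24 0.0.0.0/0
set filter internet.in 2 permit 0.0.0.0/0 bastion/32 tcp estab
set filter internet.in 3 permit 0.0.0.0/0 bastion/32 tcp dst eq 21
set filter internet.in 4 permit 0.0.0.0/0 bastion/32 tcp src eq 20 dst gt 1023
set filter internet.in 5 permit 0.0.0.0/0 bastion/32 tcp dst eq 119
set filter internet.in 6 permit 0.0.0.0/0 bastion/32 tcp dst eq 25
set filter internet.in 7 permit 0.0.0.0/0 bastion/32 udp dst eq 53
set filter internet.in 8 permit 0.0.0.0/0 bastion/32 tcp dst eq 53
""".strip().splitlines()]
# Example two's note: a deny placed ahead of the estab rule narrows it (list order decides here).
BASTION_LIMITED = BASTION_IN[:1] + [parse_rule(
    "set filter internet.in 2 deny 0.0.0.0/0 bastion/32 tcp dst eq 23")] + BASTION_IN[1:]
```

Feeding constructed packets through `evaluate` shows the points the two
rule lists make: a packet arriving on S1 with a 192.9.200.0/24 source is
stopped by rule 1 even when rule 2 would otherwise pass it, a SYN to an
inside host's port 23 matches nothing and falls to the implicit deny, and
rule 8 of example one passes any SYN with source port 20 to a high port,
which is the exposure the note marks as "potentially risky".  In example
two the estab rule accepts any ACK-flagged packet to the bastion whatever
its destination port, so checking BASTION_IN against BASTION_LIMITED shows
why the note suggests deny rules ahead of it.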


If you have any other questions we'd be glad to answer them, send
email to support@livingston.com

