TCP/IP access lists - a further description

Assume we have the following network:
-------------------------------------------
                                      |-10001(dialup1)
 ________              _________      |       _________              ________
|        |            |         |     |      |         |            |        |
| HOST A |o-- LANA --o| BRICK A |o-- ISDN --o| BRICK B |o-- LANB --o| HOST B |
|________|     |      |_________|            |_________|     |      |________|
    |          |           |                      |          |          |
 200.0.0.5     |    200.0.0.1(en1)         199.0.0.1(en1)    |      199.0.0.8
               |                                             |
           200.0.0.0                                     199.0.0.0
 ________      |
|        |     |
| HOST C |o----|
|________|
    |
 200.0.0.7

Consider the following restrictions at BRICK A:
-----------------------------------------------
1. ALLOW only HOST A to access BRICK A via telnet (through interface en1).
All other services are denied!
-> ipAllowTable

inx  ProtocolMode(*-rw)  Protocol(rw)     SrcIfIndexMode(*rw)
     SrcIfIndex(rw)      SrcAddr(rw)      SrcMask(rw)
     SrcPortMode(rw)     SrcPort(rw)      DstAddr(rw)
     DstMask(rw)         DstPortMode(rw)  DstPort(rw)

00   verify              tcp              verify
     1000(en1)           200.0.0.5        255.255.255.255
     ignore              0                200.0.0.1
     255.255.255.255     specific         23

ProtocolMode=verify & Protocol=tcp
-> the protocol is checked (here: only tcp packets are allowed)
SrcIfIndexMode=verify & SrcIfIndex=en1
-> only packets arriving at interface en1 are matched by this entry
SrcAddr=200.0.0.5 & SrcMask=255.255.255.255
-> only packets from HOST 200.0.0.5 are allowed
SrcPortMode=ignore & SrcPort=0
-> the source port is not checked -> any source port is allowed
DstAddr=200.0.0.1 & DstMask=255.255.255.255
-> only packets to HOST 200.0.0.1 are allowed
DstPortMode=specific & DstPort=23
-> only packets with destination port 23 (telnet port) are allowed

2. With only the above entry, only telnet from HOST A to BRICK A would work,
and only in this direction. If you want to allow all services to the HOSTs in
LANA (from the right side of BRICK A), you have to allow client ports coming in
through interface en1 on BRICK A, and you have to allow all packets coming in
through interface 10001(dialup1) (see below):

01   dont_verify         icmp             dont_verify
     0                   0.0.0.0          0.0.0.0
     ignore              0                0.0.0.0
     0.0.0.0             clients          0

ProtocolMode=dont_verify & Protocol=icmp
-> the protocol is not checked, so any protocol is allowed; icmp is only the
default value of this field, you could also specify any other allowed value.
SrcIfIndexMode=dont_verify & SrcIfIndex=0
-> packets via all interfaces are allowed
..
DstPortMode=clients & DstPort=0
-> all packets with a client port as destination port are allowed

If you make no further entry in the ipAllowTable, all packets coming in from
the dialup interface 10001 of BRICK A would be filtered, because at the end
of the ipAllowTable there is an implicit "deny all packets from all interfaces
which are not explicitly allowed in this table". So we make another entry so
that packets coming in through interface 10001 are not filtered:

03   dont_verify         icmp             verify
     10001(dialup1)      0.0.0.0          0.0.0.0
     ignore              0                0.0.0.0
     0.0.0.0             ignore           0

A further explanation:
----------------------
If you are logged in on HOST B and run: telnet 200.0.0.5, the following
packets are transferred:

            +--------------------------------------------+
            | Protocol            tcp                    |
HOST B  -->-| Source Address      199.0.0.8              |->-->  HOST A
199.0.0.8   | Destination Address 200.0.0.5              |       200.0.0.5
            | Source Port 1024    Destination Port 23    |
            +--------------------------------------------+

            +--------------------------------------------+
            | Protocol            tcp                    |
HOST B  --<-| Source Address      200.0.0.5              |-<--<  HOST A
199.0.0.8   | Destination Address 199.0.0.8              |       200.0.0.5
            | Source Port 23      Destination Port 1024  |
            +--------------------------------------------+

The first kind of packet is allowed because we have allowed all packets
coming in through the dialup interface (10001). (REMEMBER: only packets
coming in through an interface can be filtered.)

The second kind of packet is allowed only because we have allowed packets to
CLIENT ports coming in through interface en1.
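The following Python model is an added example and is not code from the BinTec FAQ or from the BRICK itself. It encodes the three ipAllowTable entries above and the matching rules the FAQ describes, then runs the two packets of the telnet session through them, plus two extra constructed packets from HOST A and HOST C to the telnet port of BRICK A. The example assumes that a packet is allowed as soon as any entry matches and is otherwise hit by the implicit deny, that "clients" means destination ports 1024 and above, and that the interface indices are 1000 (en1) and 10001 (dialup1) as shown in the table; the Packet and AllowEntry classes and all function names are the example's own.

```python
import ipaddress
from dataclasses import dataclass

# Interface indices as they appear in the SrcIfIndex column of the FAQ's table.
EN1 = 1000       # en1, the LAN A side of BRICK A
DIALUP1 = 10001  # dialup1, the ISDN side of BRICK A

# Assumption: "client ports" are the unprivileged ports >= 1024.
CLIENT_PORT_MIN = 1024


@dataclass
class Packet:
    """An inbound packet; only inbound packets are filtered, so the
    interface it arrives on is part of the packet description."""
    if_index: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class AllowEntry:
    """One ipAllowTable row, fields in the same order as the FAQ's table."""
    proto_mode: str      # "verify" | "dont_verify"
    proto: str
    src_if_mode: str     # "verify" | "dont_verify"
    src_if: int
    src_addr: str
    src_mask: str
    src_port_mode: str   # "ignore" | "specific" | "clients"
    src_port: int
    dst_addr: str
    dst_mask: str
    dst_port_mode: str   # "ignore" | "specific" | "clients"
    dst_port: int


def addr_matches(addr: str, entry_addr: str, mask: str) -> bool:
    """Address matches when it agrees with the entry under the mask
    (a mask of 0.0.0.0 therefore matches every address)."""
    a = int(ipaddress.IPv4Address(addr))
    e = int(ipaddress.IPv4Address(entry_addr))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == (e & m)


def port_matches(port: int, mode: str, entry_port: int) -> bool:
    if mode == "ignore":
        return True
    if mode == "specific":
        return port == entry_port
    if mode == "clients":
        return port >= CLIENT_PORT_MIN
    raise ValueError(f"unknown port mode {mode!r}")


def entry_matches(e: AllowEntry, p: Packet) -> bool:
    if e.proto_mode == "verify" and p.proto != e.proto:
        return False
    if e.src_if_mode == "verify" and p.if_index != e.src_if:
        return False
    return (addr_matches(p.src, e.src_addr, e.src_mask)
            and addr_matches(p.dst, e.dst_addr, e.dst_mask)
            and port_matches(p.sport, e.src_port_mode, e.src_port)
            and port_matches(p.dport, e.dst_port_mode, e.dst_port))


def is_allowed(table, p: Packet):
    """Return (allowed, index of the matching entry). A packet that matches
    no entry falls through to the implicit deny at the end of the table."""
    for idx, e in table:
        if entry_matches(e, p):
            return True, idx
    return False, None


# The three entries of the FAQ, keyed by their inx value.
BRICK_A_TABLE = [
    (0, AllowEntry("verify", "tcp", "verify", EN1, "200.0.0.5", "255.255.255.255",
                   "ignore", 0, "200.0.0.1", "255.255.255.255", "specific", 23)),
    (1, AllowEntry("dont_verify", "icmp", "dont_verify", 0, "0.0.0.0", "0.0.0.0",
                   "ignore", 0, "0.0.0.0", "0.0.0.0", "clients", 0)),
    (3, AllowEntry("dont_verify", "icmp", "verify", DIALUP1, "0.0.0.0", "0.0.0.0",
                   "ignore", 0, "0.0.0.0", "0.0.0.0", "ignore", 0)),
]

# Constructed packets: the two from the FAQ's walk-through and two extra ones.
TELNET_FROM_HOST_B = Packet(DIALUP1, "tcp", "199.0.0.8", 1024, "200.0.0.5", 23)
REPLY_FROM_HOST_A = Packet(EN1, "tcp", "200.0.0.5", 23, "199.0.0.8", 1024)
TELNET_HOST_A_TO_BRICK = Packet(EN1, "tcp", "200.0.0.5", 1025, "200.0.0.1", 23)
TELNET_HOST_C_TO_BRICK = Packet(EN1, "tcp", "200.0.0.7", 1025, "200.0.0.1", 23)

if __name__ == "__main__":
    for name, pkt in [("HOST B -> HOST A telnet", TELNET_FROM_HOST_B),
                      ("HOST A -> HOST B reply", REPLY_FROM_HOST_A),
                      ("HOST A -> BRICK A telnet", TELNET_HOST_A_TO_BRICK),
                      ("HOST C -> BRICK A telnet", TELNET_HOST_C_TO_BRICK)]:
        print(f"{name}: {is_allowed(BRICK_A_TABLE, pkt)}")
```

The first packet is matched by entry 03 (anything arriving on dialup1), the reply by entry 01 (client destination port), and HOST A's own telnet to BRICK A by entry 00. The fourth packet, the same telnet attempt from HOST C, matches no entry and is dropped by the implicit deny, which is the check worth running after editing the table: restriction 1 only holds because no later entry happens to cover port 23 on en1.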

If you have comments or suggestions, send email to support@BinTec.DE