Filtering IPX Traffic

This is a short guide to filtering IPX packets on the Brick.

 

  1. To find out which packet types cause the Brick to establish dial-outs, connect to the Brick via serial or telnet and at its prompt type
    trace -N next when the connection is dormant.
  2. When a packet arrives at the Brick and the dialout starts, you will see information like this:

    > 000862.030 X #00000026 DATA[0048]
    > checksum: ffff
    > packet length: 47
    > transport control: 2
    > packet type: NCP
    > destination network: 0:0:0:60
    > destination node: 0:0:0:0:0:1
    > destination socket: NCP
    > source network: 36:7:c3:ec
    > source node: 0:0:0:0:0:1
    > source socket: unknown 0x63ab
    > NCP request from workstation
    > sequence number: 0x74
    > task number : 0x1
    > connection nr. : 0x3

  3. Take a look at the Brick's ipxdenytable by typing
    ipxdenytable :

    inx PktTypeMode(*-rw) PktType(rw) DstIfStatus(rw)  
      DstNetMode(rw) DstNet(rw) DstNodeMode(rw)  
      DstNode(rw) DstSockMode(rw) DstSock(rw)  
      SrcIfIndexMode(*rw) SrcIfIndex(rw) SrcNetMode(rw)  
      SrcNet(rw) SrcNodeMode(rw) SrcNode(rw)  
      SrcSockMode(rw) SrcSock(rw)  

     

  4. To configure the filter at the Brick, you should use the following command:
    pkttypemode=verify pkttype=ncp dstifstatus=dont_verify dstnetmode=verify dstnet=96 dstnodemode=verify dstnode=0:0:0:0:0:1 dstsockmode=verify dstsock=1105 srcifindexmode=dont_verify srcnetmode=verify srcnet=906478572 srcnodemode=verify srcnode=0:0:0:0:0:1 srcsockmode=verify srcsock=25515
  5. If you redisplay the ipxdenytable there should be this entry:
    inx PktTypeMode(*-rw) PktType(rw) DstIfStatus(rw)  
      DstNetMode(rw) DstNet(rw) DstNodeMode(rw)  
      DstNode(rw) DstSockMode(rw) DstSock(rw)  
      SrcIfIndexMode(*rw) SrcIfIndex(rw) SrcNetMode(rw)  
      SrcNet(rw) SrcNodeMode(rw) SrcNode(rw)  
      SrcSockMode(rw) SrcSock(rw)    
             
    01 verify ncp dont_verify  
      verify 96 verify  
      0:0:0:0:0:1 verify 1105  
      dont_verify 0 verify  
      906478572 verify 0:0:0:0:0:1  
      verify 25515    
       

    You can also specify the interface number the packets must arrive from; otherwise they are filtered regardless of their source. If you set dstifstatus to dormant, packets are filtered only while the destination interface is in the dormant state and are not filtered when the interface is, for example, in the up state.

  6. ATTENTION: the socket, network and node values have to be converted from the tracer's hexadecimal form into decimal integer values or the filter won't work. For example, the source network number in the tracer is 36:7:c3:ec, but in the command you have to set 906478572, because hexadecimal 36:7:c3:ec equals decimal 906478572.
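
The conversion in step 6 can be scripted. The following Python helper is an added example, not part of the original guide or the Brick software; it reads tracer output as shown in step 2 and builds the assignment line from step 4. The function names are hypothetical, lowercasing the tracer's packet type label is an assumption, and node addresses are passed through in colon form as in the guide's own command.

```python
import re

# Constructed sample: trace lines copied from step 2 of this guide.
TRACE = """\
> 000862.030 X #00000026 DATA[0048]
> packet type: NCP
> destination network: 0:0:0:60
> destination node: 0:0:0:0:0:1
> destination socket: NCP
> source network: 36:7:c3:ec
> source node: 0:0:0:0:0:1
> source socket: unknown 0x63ab
"""

# Socket names the tracer prints instead of a number; extend as needed.
NAMED_SOCKETS = {"NCP": 0x451}

def net_to_decimal(colon_hex):
    """Convert a tracer network number such as '36:7:c3:ec' to decimal."""
    octets = [int(part, 16) for part in colon_hex.split(":")]
    if len(octets) != 4 or any(o > 0xFF for o in octets):
        raise ValueError(f"not a 4-byte IPX network: {colon_hex!r}")
    return int.from_bytes(bytes(octets), "big")

def socket_to_decimal(text):
    """Convert 'NCP' or 'unknown 0x63ab' to the decimal socket number."""
    match = re.search(r"0x([0-9a-fA-F]{1,4})$", text)
    if match:
        return int(match.group(1), 16)
    if text in NAMED_SOCKETS:
        return NAMED_SOCKETS[text]
    raise ValueError(f"unknown socket label: {text!r}")

def deny_entry(trace):
    """Build the ipxdenytable assignment line from tracer output."""
    f = dict(l.lstrip("> ").split(": ", 1) for l in trace.splitlines() if ": " in l)
    return " ".join([
        f"pkttypemode=verify pkttype={f['packet type'].lower()}",
        "dstifstatus=dont_verify",
        f"dstnetmode=verify dstnet={net_to_decimal(f['destination network'])}",
        f"dstnodemode=verify dstnode={f['destination node']}",
        f"dstsockmode=verify dstsock={socket_to_decimal(f['destination socket'])}",
        "srcifindexmode=dont_verify",
        f"srcnetmode=verify srcnet={net_to_decimal(f['source network'])}",
        f"srcnodemode=verify srcnode={f['source node']}",
        f"srcsockmode=verify srcsock={socket_to_decimal(f['source socket'])}",
    ])

print(deny_entry(TRACE))
```

A socket label that is neither hexadecimal nor in NAMED_SOCKETS raises an error rather than producing a filter entry that silently fails to match.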
