ZyXEL Router Prestige 334 User Manual
Prestige 334 User’s Guide - Chapter 27 Filter Configuration (page 260)

Table 85 Abbreviations Used in the Filter Rules Summary Menu (continued from the previous page)
FIELD | DESCRIPTION
m | Action Matched. "F" means to forward the packet immediately and skip checking the remaining rules. "D" means to drop the packet. "N" means to check the next rule.
n | Action Not Matched. "F" means to forward the packet immediately and skip checking the remaining rules. "D" means to drop the packet. "N" means to check the next rule.

The protocol dependent filter rule abbreviations are listed as follows:

Table 86 Rule Abbreviations Used
ABBREVIATION | DESCRIPTION
IP |
  Pr | Protocol
  SA | Source Address
  SP | Source Port number
  DA | Destination Address
  DP | Destination Port number
GEN |
  Off | Offset
  Len | Length

Refer to the next section for information on configuring the filter rules.

27.2.1 Configuring a Filter Rule

To configure a filter rule, type its number in Menu 21.1.1 - Filter Rules Summary and press [ENTER] to open Menu 21.1.1.1 for the rule.

To speed up filtering, all rules in a filter set must be of the same class, i.e., protocol filters or generic filters. The class of a filter set is determined by the first rule that you create. When applying the filter sets to a port, separate menu fields are provided for protocol and device filter sets. If you include a protocol filter set in a device filter field or vice versa, the Prestige will warn you and will not allow you to save.

27.2.2 Configuring a TCP/IP Filter Rule

This section shows you how to configure a TCP/IP filter rule. TCP/IP rules allow you to base the rule on the fields in the IP header and in the upper layer protocol header, for example, the UDP and TCP headers.
To configure TCP/IP rules, select TCP/IP Filter Rule from the Filter Type field and press [ENTER] to open Menu 21.1.1.1 - TCP/IP Filter Rule, as shown next.

Figure 138 Menu 21.1.1.1 TCP/IP Filter Rule

    Menu 21.1.1.1 - TCP/IP Filter Rule

    Filter #: 1,1
    Filter Type= TCP/IP Filter Rule
    Active= Yes
    IP Protocol= 0     IP Source Route= No
    Destination: IP Addr= 0.0.0.0
                 IP Mask= 0.0.0.0
                 Port #= 137
                 Port # Comp= Equal
    Source: IP Addr= 0.0.0.0
            IP Mask= 0.0.0.0
            Port #=
            Port # Comp= None
    TCP Estab= N/A
    More= No           Log= None
    Action Matched= Check Next Rule
    Action Not Matched= Check Next Rule

    Press ENTER to Confirm or ESC to Cancel:

The following table describes how to configure your TCP/IP filter rule.

Table 87 TCP/IP Filter Rule
FIELD | DESCRIPTION | OPTIONS
Active | Press [SPACE BAR] and then [ENTER] to select Yes to activate the filter rule or No to deactivate it. | Yes / No
IP Protocol | Protocol refers to the upper layer protocol, e.g., TCP is 6, UDP is 17 and ICMP is 1. Type a value between 0 and 255. A value of 0 matches ANY protocol. | 0-255
IP Source Route | Press [SPACE BAR] and then [ENTER] to select Yes to apply the rule to packets with an IP source route option. Otherwise the packets must not have a source route option. The majority of IP packets do not have source route. | Yes / No
Destination: IP Address | Enter the destination IP address of the packet you wish to filter. This field is ignored if it is 0.0.0.0. | 0.0.0.0
Destination: IP Mask | Enter the IP mask to apply to the Destination: IP Addr. | 0.0.0.0
Destination: Port # | Enter the destination port of the packets that you wish to filter. The range of this field is 0 to 65535. This field is ignored if it is 0. | 0-65535
Destination: Port # Comp | Press [SPACE BAR] and then [ENTER] to select the comparison to apply to the destination port in the packet against the value given in Destination: Port #. | None / Less / Greater / Equal / Not Equal
Source: IP Address | Enter the source IP address of the packet you wish to filter. This field is ignored if it is 0.0.0.0. | 0.0.0.0
Source: IP Mask | Enter the IP mask to apply to the Source: IP Addr. | 0.0.0.0
Source: Port # | Enter the source port of the packets that you wish to filter. The range of this field is 0 to 65535. This field is ignored if it is 0. | 0-65535
Source: Port # Comp | Press [SPACE BAR] and then [ENTER] to select the comparison to apply to the source port in the packet against the value given in Source: Port #. | None / Less / Greater / Equal / Not Equal
TCP Estab | This field is applicable only when the IP Protocol field is 6, TCP. Press [SPACE BAR] and then [ENTER] to select Yes to have the rule match packets that want to establish a TCP connection (SYN=1 and ACK=0); if No, it is ignored. | Yes / No
More | Press [SPACE BAR] and then [ENTER] to select Yes or No. If Yes, a matching packet is passed to the next filter rule before an action is taken; if No, the packet is disposed of according to the action fields. If More is Yes, then Action Matched and Action Not Matched will be N/A. | Yes / No
Log | Press [SPACE BAR] and then [ENTER] to select a logging option from the following: None - No packets will be logged. Action Matched - Only packets that match the rule parameters will be logged. Action Not Matched - Only packets that do not match the rule parameters will be logged. Both - All packets will be logged. | None / Action Matched / Action Not Matched / Both
Action Matched | Press [SPACE BAR] and then [ENTER] to select the action for a matching packet. | Check Next Rule / Forward / Drop
Action Not Matched | Press [SPACE BAR] and then [ENTER] to select the action for a packet not matching the rule. | Check Next Rule / Forward / Drop

When you have Menu 21.1.1.1 - TCP/IP Filter Rule configured, press [ENTER] at the message "Press ENTER to Confirm" to save your configuration, or press [ESC] to cancel. This data will now be displayed on Menu 21.1.1 - Filter Rules Summary.

The following figure illustrates the logic flow of an IP filter.
Figure 139 Executing an IP Filter

27.2.3 Configuring a Generic Filter Rule

This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly.

For generic rules, the Prestige treats a packet as a byte stream as opposed to an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes. The Prestige applies the Mask (bit-wise ANDing) to the data portion before comparing the result against the Value to determine a match. The Mask and Value are specified in hexadecimal numbers. Note that it takes two hexadecimal digits to represent a byte, so if the length is 4, the value in either field will take 8 digits, for example, FFFFFFFF.

To configure a generic rule, select Generic Filter Rule in the Filter Type field in menu 21.1.4.1 and press [ENTER] to open Generic Filter Rule, as shown below.
Figure 140 Menu 21.1.4.1 Generic Filter Rule

    Menu 21.1.4.1 - Generic Filter Rule

    Filter #: 4,1
    Filter Type= Generic Filter Rule
    Active= No
    Offset= 0
    Length= 0
    Mask= N/A
    Value= N/A
    More= No           Log= None
    Action Matched= Check Next Rule
    Action Not Matched= Check Next Rule

    Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in the Generic Filter Rule menu.

Table 88 Generic Filter Rule Menu Fields
FIELD | DESCRIPTION | OPTIONS
Filter # | This is the filter set, filter rule co-ordinates, i.e., 2,3 refers to the second filter set and the third rule of that set. |
Filter Type | Use [SPACE BAR] and then [ENTER] to select a rule type. Parameters displayed below each type will be different. TCP/IP filter rules are used to filter IP packets while generic filter rules allow filtering of non-IP packets. | Generic Filter Rule / TCP/IP Filter Rule
Active | Select Yes to turn on the filter rule or No to turn it off. | Yes / No
Offset | Enter the starting byte of the data portion in the packet that you wish to compare. The range for this field is from 0 to 255. | 0-255
Length | Enter the byte count of the data portion in the packet that you wish to compare. The range for this field is 0 to 8. | 0-8
Mask | Enter the mask (in Hexadecimal notation) to apply to the data portion before comparison. |
Value | Enter the value (in Hexadecimal notation) to compare with the data portion. |
More | If Yes, a matching packet is passed to the next filter rule before an action is taken; else the packet is disposed of according to the action fields. If More is Yes, then Action Matched and Action Not Matched will be No. | Yes / No
Log | Select the logging option from the following: None - No packets will be logged. Action Matched - Only packets that match the rule parameters will be logged. Action Not Matched - Only packets that do not match the rule parameters will be logged. Both - All packets will be logged. | None / Action Matched / Action Not Matched / Both
Action Matched | Select the action for a packet matching the rule. | Check Next Rule / Forward / Drop
Action Not Matched | Select the action for a packet not matching the rule. | Check Next Rule / Forward / Drop

Once you have completed filling in Menu 21.4.1.1 - Generic Filter Rule, press [ENTER] at the message "Press ENTER to Confirm" to save your configuration, or press [ESC] to cancel. This data will now be displayed on Menu 21.1.1 - Filter Rules Summary.

27.3 Example Filter

Let’s look at an example to block outside users from accessing the Prestige via telnet.

Figure 141 Telnet Filter Example

1 Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup.
2 Enter 1 to open Menu 21.1 - Filter Set Configuration.
3 Enter the index of the filter set you wish to configure (say 3) and press [ENTER].
4 Enter a descriptive name or comment in the Edit Comments field and press [ENTER].
5 Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.3 - Filter Rules Summary.
6 Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in the following figure.
Figure 142 Example Filter: Menu 21.1.3.1

    Menu 21.1.3.1 - TCP/IP Filter Rule

    Filter #: 3,1
    Filter Type= TCP/IP Filter Rule
    Active= Yes
    IP Protocol= 6     IP Source Route= No
    Destination: IP Addr= 0.0.0.0
                 IP Mask= 0.0.0.0
                 Port #= 23
                 Port # Comp= Equal
    Source: IP Addr= 0.0.0.0
            IP Mask= 0.0.0.0
            Port #= 0
            Port # Comp= None
    TCP Estab= No
    More= No           Log= None
    Action Matched= Drop
    Action Not Matched= Forward

    Press ENTER to Confirm or ESC to Cancel:
    Press Space Bar to Toggle.

• Press [SPACE BAR] and then [ENTER] to choose this filter rule type. The first filter rule type determines all subsequent filter types within a set.
• Select Yes from the Active field to activate this rule.
• 6 is the IP Protocol number of TCP.
• The Port # for the telnet service (TCP protocol) is 23. See RFC 1060 for port numbers of well-known services.
• Select Equal from the Port # Comp field as you are looking for packets going to port 23 only.
• Select Drop in the Action Matched field so that the packet will be dropped if its destination is the telnet port.
• Select Forward from the Action Not Matched field so that the packet will be forwarded if its destination is not the telnet port.

When you press [ENTER] to confirm, you will see the following screen. Note that there is only one filter rule in this set.
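The rule semantics spelled out in Tables 87 and 88 (protocol and masked address checks, Port # Comp, TCP Estab, the Offset/Length/Mask/Value byte comparison of generic rules, and the F/D/N chain driven by Action Matched, Action Not Matched and More), together with the telnet rule just configured, as a runnable model. This is an added example, not ZyXEL's code or the Prestige's own implementation: the names TcpIpRule, GenericRule, evaluate and build_ipv4_tcp, the packet parser and the sample packets are constructed here, and the behaviour of a More=Yes rule that does not match is not stated on this page and is modelled as an assumption noted in the code.

```python
"""Filter-rule semantics from sections 27.2.2, 27.2.3 and 27.3 as a runnable model.
Added example, not ZyXEL code: field names follow the menus, but the classes, the
packet parser and the sample packets are constructed here for illustration only."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

FORWARD, DROP, NEXT = "F", "D", "N"   # action letters from Table 85

def port_compare(comp, packet_port, rule_port):
    """Port # Comp semantics: Comp 'None' or a Port # of 0 means the field is ignored."""
    if comp == "None" or rule_port == 0:
        return True
    return {"Less": packet_port < rule_port, "Greater": packet_port > rule_port,
            "Equal": packet_port == rule_port, "Not Equal": packet_port != rule_port}[comp]

def addr_compare(packet_addr, rule_addr, mask):
    """An address of 0.0.0.0 is ignored; otherwise compare under the IP mask."""
    if rule_addr == "0.0.0.0":
        return True
    a, r, m = (int(IPv4Address(x)) for x in (packet_addr, rule_addr, mask))
    return a & m == r & m

def parse_ipv4(raw):
    """Pull out the header fields a TCP/IP rule can test from a raw IPv4 packet."""
    ihl = (raw[0] & 0x0F) * 4
    proto, src, dst = raw[9], str(IPv4Address(raw[12:16])), str(IPv4Address(raw[16:20]))
    sport, dport, syn_only = 0, 0, False
    if proto in (6, 17) and len(raw) >= ihl + 4:       # TCP and UDP both start with the ports
        sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    if proto == 6 and len(raw) >= ihl + 14:
        flags = raw[ihl + 13]
        syn_only = bool(flags & 0x02) and not (flags & 0x10)   # SYN=1 and ACK=0
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport, "syn_only": syn_only}

@dataclass
class TcpIpRule:
    protocol: int = 0                  # 0 matches ANY protocol
    dst_addr: str = "0.0.0.0"; dst_mask: str = "0.0.0.0"; dst_port: int = 0; dst_comp: str = "None"
    src_addr: str = "0.0.0.0"; src_mask: str = "0.0.0.0"; src_port: int = 0; src_comp: str = "None"
    tcp_estab: bool = False            # only applies when protocol == 6
    more: bool = False
    matched: str = NEXT; not_matched: str = NEXT
    def matches(self, raw):
        p = parse_ipv4(raw)
        return ((self.protocol == 0 or p["proto"] == self.protocol)
                and addr_compare(p["dst"], self.dst_addr, self.dst_mask)
                and addr_compare(p["src"], self.src_addr, self.src_mask)
                and port_compare(self.dst_comp, p["dport"], self.dst_port)
                and port_compare(self.src_comp, p["sport"], self.src_port)
                and (self.protocol != 6 or not self.tcp_estab or p["syn_only"]))
    def summary(self):   # the rule as Menu 21.1.3 - Filter Rules Summary lists it (SP/DP only when set)
        s = f"IP Pr={self.protocol}, SA={self.src_addr}, DA={self.dst_addr}"
        s += f", SP={self.src_port}" if self.src_port else ""
        s += f", DP={self.dst_port}" if self.dst_port else ""
        return f"{s} {'Y' if self.more else 'N'} {self.matched} {self.not_matched}"

@dataclass
class GenericRule:
    offset: int; length: int; mask: str; value: str   # Mask and Value: two hex digits per byte
    more: bool = False
    matched: str = NEXT; not_matched: str = NEXT
    def matches(self, raw):
        if not (0 <= self.offset <= 255 and 0 <= self.length <= 8):
            raise ValueError("Offset must be 0-255 and Length 0-8")
        mask, value = bytes.fromhex(self.mask), bytes.fromhex(self.value)
        if len(mask) != self.length or len(value) != self.length:
            raise ValueError("Mask and Value need two hex digits for every byte of Length")
        window = raw[self.offset:self.offset + self.length]
        if len(window) < self.length:
            return False                                # packet too short to compare
        return bytes(b & m for b, m in zip(window, mask)) == value   # bit-wise AND, then compare

def evaluate(filter_set, raw):
    """Walk a set in order; return F or D, or N if no rule decides. More=Yes never decides but
    hands a match to the next rule. The page does not say what happens when a More=Yes rule
    fails to match; here (an assumption) the chained rules form one combined condition."""
    chain_ok = True
    for rule in filter_set:
        hit = chain_ok and rule.matches(raw)
        if rule.more:
            chain_ok = hit
            continue
        chain_ok = True
        action = rule.matched if hit else rule.not_matched
        if action in (FORWARD, DROP):
            return action
    return NEXT

def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Construct a minimal IPv4/TCP packet (no options, no payload) as sample input."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp

# Filter set 3 from Figure 142, and a constructed TCP SYN from a WAN host to the telnet port.
TELNET_SET = [TcpIpRule(protocol=6, dst_port=23, dst_comp="Equal", matched=DROP, not_matched=FORWARD)]
SYN_TO_TELNET = build_ipv4_tcp("10.0.0.5", "192.168.1.1", 40000, 23, 0x02)
```

Calling evaluate(TELNET_SET, SYN_TO_TELNET) returns "D" and the same packet aimed at port 80 returns "F", while TELNET_SET[0].summary() reproduces the "Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23 N D F" line of the Filter Rules Summary. Setting tcp_estab on the rule narrows it to SYN-only segments, so a SYN/ACK to port 23 falls through to Action Not Matched; a generic rule with Offset 12, Length 2, Mask FFFF and Value 0806 matches the EtherType of a constructed ARP frame, which is the non-IP case generic rules exist for.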
Figure 143 Example Filter Rules Summary: Menu 21.1.3

    Menu 21.1.3 - Filter Rules Summary

    # A Type  Filter Rules                                             M m n
    - - ----  -------------------------------------------------------- - - -
    1 Y IP    Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23                      N D F
    2 N
    3 N
    4 N
    5 N
    6 N

    Enter Filter Rule Number (1-6) to Configure:

This shows you that you have configured and activated (A = Y) a TCP/IP filter rule (Type = IP, Pr = 6) for destination telnet ports (DP = 23). M = N means an action can be taken immediately. The action is to drop the packet (m = D) if the action is matched and to forward the packet immediately (n = F) if the action is not matched no matter whether there are more rules to be checked (there aren’t in this example).

After you’ve created the filter set, you must apply it.

1 Enter 11 from the main menu to go to menu 11.
2 Go to the Edit Filter Sets field, press [SPACE BAR] to select Yes and press [ENTER].
3 This brings you to menu 11.5. Apply a filter set (our example filter set 3).
4 Press [ENTER] to confirm after you enter the set numbers and to leave menu 11.5.

27.4 Filter Types and NAT

There are two classes of filter rules, Generic Filter (Device) rules and protocol filter (TCP/IP) rules. Generic filter rules act on the raw data from/to LAN and WAN. Protocol filter rules act on the IP packets. Generic and TCP/IP filter rules are discussed in more detail in the next section.

When NAT (Network Address Translation) is enabled, the inside IP address and port number are replaced on a connection-by-connection basis, which makes it impossible to know the exact address and port on the wire. Therefore, the Prestige applies the protocol filters to the "native" IP address and port number before NAT for outgoing packets and after NAT for incoming packets. On the other hand, the generic, or device filters are applied to the raw packets that appear on the wire. They are applied at the point when the Prestige is receiving and sending the packets, i.e. the interface. The interface can be an Ethernet port or any other hardware port. The following diagram illustrates this.
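The ordering described in section 27.4 (protocol filters on the native address before NAT outbound and after NAT inbound, device filters on the packet as it appears on the wire) as an added example. This is not ZyXEL code and assumes nothing about the Prestige's internal implementation: Packet, Nat, send_outbound and receive_inbound are constructed names, the filters are plain predicates, and the addresses are documentation-range values chosen for the demonstration.

```python
"""Filter placement relative to NAT as described in section 27.4, as a runnable model.
Added example, not ZyXEL code: the packet tuple, the NAT table and the filter
predicates are constructed here to show the ordering only."""
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.5"   # constructed WAN address of the router

@dataclass(frozen=True)
class Packet:
    src: str; sport: int; dst: str; dport: int

class Nat:
    """Many-to-one NAT: rewrites the inside source on the way out and maps the
    reply back on the way in, one translation per connection."""
    def __init__(self):
        self.table = {}          # public port -> (inside address, inside port)
        self.next_port = 50000   # constructed starting point for translated ports
    def outbound(self, pkt):
        pub, self.next_port = self.next_port, self.next_port + 1
        self.table[pub] = (pkt.src, pkt.sport)
        return replace(pkt, src=PUBLIC_IP, sport=pub)
    def inbound(self, pkt):
        inside = self.table.get(pkt.dport)
        return None if inside is None else replace(pkt, dst=inside[0], dport=inside[1])

def send_outbound(pkt, nat, protocol_filter, device_filter):
    """LAN -> WAN. Each filter is a predicate returning True to drop. The protocol filter
    runs on the native packet before NAT; the device filter runs on the translated packet
    as it appears on the wire. Returns (stage reached, packet as that stage saw it)."""
    if protocol_filter(pkt):
        return ("dropped by protocol filter", pkt)
    wire = nat.outbound(pkt)
    if device_filter(wire):
        return ("dropped by device filter", wire)
    return ("sent on wire", wire)

def receive_inbound(wire, nat, protocol_filter, device_filter):
    """WAN -> LAN. The device filter sees the raw packet first; the protocol filter
    runs after NAT, on the native address and port of the inside host."""
    if device_filter(wire):
        return ("dropped by device filter", wire)
    native = nat.inbound(wire)
    if native is None:
        return ("no NAT mapping", wire)
    if protocol_filter(native):
        return ("dropped by protocol filter", native)
    return ("delivered to LAN", native)

# Constructed filter conditions. Expressed against the public address, a condition only ever
# fires as a device filter, because the protocol filter is shown the inside address.
def from_public_ip(p): return p.src == PUBLIC_IP
def lan_telnet(p): return p.src.startswith("192.168.1.") and p.dport == 23
def no_filter(p): return False

if __name__ == "__main__":
    nat = Nat()
    pkt = Packet("192.168.1.10", 40000, "198.51.100.7", 23)
    print(send_outbound(pkt, nat, from_public_ip, no_filter))    # sent: protocol filter never matched
    print(send_outbound(pkt, Nat(), no_filter, from_public_ip))  # dropped by device filter
    print(send_outbound(pkt, Nat(), lan_telnet, no_filter))      # dropped by protocol filter
    reply = Packet("198.51.100.7", 23, PUBLIC_IP, 50000)
    print(receive_inbound(reply, nat, no_filter, no_filter))      # delivered to 192.168.1.10:40000
```

The practical consequence for rule writing follows from the ordering: a protocol (TCP/IP) filter rule must name the inside host's own address and port, since that is what the rule is compared against in both directions, whereas a device filter is the place to match on what is actually on the wire.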
Figure 144 Protocol and Device Filter Sets

27.5 Firewall Versus Filters

Firewall configuration is discussed in the firewall chapters of this manual. Further comparisons are also made between filtering, NAT and the firewall.

27.6 Applying a Filter

This section shows you where to apply the filter(s) after you design it (them). The Prestige already has filters to prevent NetBIOS traffic from triggering calls, and block incoming telnet, FTP and HTTP connections.

27.6.1 Applying LAN Filters

LAN traffic filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 3.1 (shown next) and enter the number(s) of the filter set(s) that you want to apply as appropriate. You can choose up to four filter sets (from twelve) by entering their numbers separated by commas, e.g., 3, 4, 6, 11. Input filter sets filter incoming traffic to the Prestige and output filter sets filter outgoing traffic from the Prestige. For PPPoE or PPTP encapsulation, you have the additional option of specifying remote node call filter sets.

Note: If you do not activate the firewall, it is advisable to apply filters
Figure 145 Filtering LAN Traffic

    Menu 3.1 - LAN Port Filter Setup

    Input Filter Sets:
      protocol filters=
      device filters=
    Output Filter Sets:
      protocol filters=
      device filters=

    Press ENTER to Confirm or ESC to Cancel:

27.6.2 Applying Remote Node Filters

Go to menu 11.5 (shown below; note that call filter sets are only present for PPPoE encapsulation) and enter the number(s) of the filter set(s) as appropriate. You can cascade up to four filter sets by entering their numbers separated by commas. The Prestige already has filters to prevent NetBIOS traffic from triggering calls.

Figure 146 Filtering Remote Node Traffic

    Menu 11.5 - Remote Node Filter

    Input Filter Sets:
      protocol filters=
      device filters=
    Output Filter Sets:
      protocol filters=
      device filters=

    Enter here to CONFIRM or ESC to CANCEL: