Ascend Archive

Re: (ASCEND) Assistance with Filters



> I've tried to understand filters... but the manual is useless, and the web
> searching has produced little of use.

Well the manual seemed pretty clear to me.  What seems to be the problem?

If you just follow your own description of what you are trying to do, you
should be able to create the filter.

#1 - You are trying to create a filter, so go to the filter profile.
     Main Edit Menu > Ethernet > Filters > [unused filter]

     Add a name for the filter [Name=HTTP block]

> I need to block all port 80 (web) OUTGOING (hmm why not incoming) traffic
> from a range of IP addresses... for example 203.xx.xx.21-79 which is the
> IP range of our 60 dialups.

#2 - You say you want an "OUTGOING" filter, so select "Output filters..."
     Select the first unused filter [say "Out filter 01"]

     Enable it by making it a valid filter ["Valid=Yes"]
     You are trying to block TCP/IP packets, so make it an IP filter ["Type=IP"]

#3 - You are trying to create an IP filter, so select "Ip..."

     You say you want to block packets so you do not want to forward these
     packets ["Forward=No"]

     You say you do not want access to port 80 - this would be the destination
     port - the port the server is listening on.  ["Dst Port Cmp=Eql",
     "Dst Port #=80"]

     You say you do not want access for the "web", so this would be TCP,
     which is IP protocol 6 ["Protocol=6"]

     Since you are trying to block the initial connection TCP request,
     not just the packets within the connection, use "TCP Estab=No" -
     the default (no change needed).

     You say you want to block traffic "from" a set of addresses so you need
     to use the "Src Adrs" and "Src Mask" fields to add this specification.
     This is the only tricky part, since you are not trying to block a
     network or subnet but just an arbitrary range of addresses.  Your
     solutions are to (a) block a larger range of addresses (that matches
     a subnet) or (b) to use multiple rules that will block up to the full
     range or (c) to use multiple rules, one to block a larger range and
     then one or more to enable the necessary exceptions to the rule.

     I'll go the easy way and just block some extra addresses, since you
     want to "FORCE users" to use the web cache.

     You said "21-79".  This does not fall fully into either of the 6-bit
     subnets 0-63 or 64-127, so picking the 7-bit subnet of 0-127 seems the
     only choice.

     So you want to match "Src Mask=255.255.255.128" and "Src Adrs=203.xx.xx.0"

     And there you have your filter.

        90-504
         Ip...
          Forward=No
          Src Mask=255.255.255.128
          Src Adrs=203.129.22.0
          Dst Mask=0.0.0.0
          Dst Adrs=0.0.0.0
          Protocol=6
          Src Port Cmp=None
          Src Port #=N/A
          Dst Port Cmp=Eql
          Dst Port #=80
          TCP Estab=No

> (hmm why not incoming)

Which interface are you installing your filters on?

  LAN A +----+ Pipeline +----+ MAX +----+ LAN B +----+ Router +----+ Internet

If you are putting the filter on the LAN interface of the Pipeline then if you
want to block packets from LAN A, it should be an "Input" filter.

If you are putting the filter on the WAN interface of the Pipeline then if you
want to block packets from LAN A, it should be an "Output" filter.

If you are putting the filter on the WAN interface of the MAX then if you
want to block packets from LAN A, it should be an "Input" filter.

If you are putting the filter on the LAN interface of the MAX then if you
want to block packets from LAN A, it should be an "Output" filter.
++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>