
Cisco Compatible Micro Router Series

Compatible Systems - Filtering: Frequently Asked Questions

Document ID: 17599



Questions

Introduction
Does the set up of filter sets affect the performance of the router to forward packets?
What does a basic IP filter set look like?
How do I distinguish between normal and passive mode ftp in my IP filter rules?
Can Compatible Systems device filters be configured to prevent IP spoofing?
I understand the 3000E does not support IP packet filtering. Is there an upgrade that would allow it?
I want to place remote devices (home computers) that attach across the WAN in their own zone and prevent unnecessary broadcast traffic. I want to use the 3000E to hide the remote zones so that only the segment between the remote site and the 3000E can see that these zones exist. I can set up the zone filtering to not allow NBP lookups through the router, but is there any way to configure the 3000E to not propagate the zone names through?
How does filtering in Compatible Systems devices react if a manufactured fin packet is received to elicit a response from a firewall, router, or host?
Is the fin packet for a non-existent connection dropped, or does it receive a reply? If it receives a reply, what information is included in the reply?

Introduction

This document answers frequently asked questions about Compatible Systems - Filtering.

Filters are very well documented in the Text-Based Configuration and Command Line Management Reference Guide. The CompatiView Management Software Reference Guide also provides you with the basics to get you started.

Additional Resources:

  • Building Internet Firewalls by D. Brent Chapman and Elizabeth D. Zwicky. O'Reilly & Associates, 1995
  • Firewalls and Internet Security: Repelling the Wily Hacker by William R. Cheswick and Steven M. Bellovin. Addison-Wesley Publishing Company, Reading Massachusetts, 1994

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Q. Does the set up of filter sets affect the performance of the router to forward packets?

A. Yes. The more filter rules you have, the more throughput is affected, and the more network traffic you have, the more it is affected. Whether the difference is noticeable in your network is not known in advance; run some tests with and without the filters.

Q. What does a basic IP filter set look like?

A. Here is a basic INPUT filter set on a WAN port. In the rules, a.b.c.0 is normally your Class C network IP address. If you have a subnet of a Class C, the form is a.b.c.d/e, where a.b.c.d is the network IP address and e is the number of bits in the subnet mask. For a full Class C, d is 0 and e is 24. The address 0.0.0.0 is the "wild card" source and destination IP address, which matches any address.

# anti-spoofing filter
deny a.b.c.0 0.0.0.0 ip
# allows responding packets for
# tcp sessions originating from your net
permit 0.0.0.0 0.0.0.0 tcp est

# dns from other servers
permit 0.0.0.0 0.0.0.0 udp src = 53
# email to your smtp servers
permit 0.0.0.0 0.0.0.0 tcp dst = 25
# email from outside smtp servers
permit 0.0.0.0 0.0.0.0 tcp src = 25
# access to your web servers
permit 0.0.0.0 0.0.0.0 tcp dst = 80
# ftp command port to your server
permit 0.0.0.0 0.0.0.0 tcp dst = ftp
# ftp data port for passive mode ftp
permit 0.0.0.0 0.0.0.0 tcp src > 1023 dst > 1023
# email to your pop server
permit 0.0.0.0 0.0.0.0 tcp dst = 110
# email from outside pop server
permit 0.0.0.0 0.0.0.0 tcp src = 110

Q. How do I distinguish between normal and passive mode ftp in my IP filter rules?

A. There are two modes of ftp, normal and passive. In the normal mode, the client opens the command channel to the server, and then the server opens the data channel to the client. In the passive mode, the client opens both command and data channels.

In the first example, the client opens a connection from the Internet to the server at 206.5.130.3 on the LAN on the Ethernet port of the router. In the second example, the client is on the LAN, and the server is on the Internet.

Example 1 - Internet client to LAN server

This filter set is INPUT on the WAN.

This is the "est" rule:

permit 0.0.0.0 0.0.0.0 tcp est
# Normal mode ftp
# Client opens command channel to server and tells
# the server which port number to send to.
permit 0.0.0.0 206.5.130.3 tcp dst = ftp

In normal mode, the server then opens the data channel from port 20 to the client. Because this is an INPUT WAN filter, the only packets of that data session arriving on the WAN port are the client's responses, and those are covered by the tcp "est" rule. The "est" rule is all that is needed.

# Passive mode ftp
# Client opens command channel to server and
# requests passive mode.
permit 0.0.0.0 206.5.130.3 tcp dst = ftp
# Client opens data channel to server's second port
permit 0.0.0.0 206.5.130.3 tcp src > 1023 dst > 1023

In passive mode, the data channel is opened by the client to a second server port, and both ends use ports > 1023, so the second rule is needed to admit that connection.

Example 2 - LAN client to Internet server

Here are the rules when the client is on your LAN behind the router, and the server is somewhere out there on the Internet.

This filter set is INPUT on the WAN.

This is the "est" rule:

permit 0.0.0.0 0.0.0.0 tcp est
# Normal mode ftp
# You open the command channel to the server.
# Responses to this are covered by the tcp "est" rule.
# Server opens data channel to you.
permit 0.0.0.0 0.0.0.0 tcp src = ftp-data
# Passive mode ftp
# You open the command channel to the server.
# Responses to this are covered by the tcp "est" rule.
# You open the data channel to the server.
# Responses to this are covered by the tcp "est" rule.

For the passive mode, you do not need to permit anything except the tcp "est" packets.

Q. Can Compatible Systems device filters be configured to prevent IP spoofing?

A. Yes. CERT says in an advisory: "The best method of preventing the IP spoofing problem is to install a filtering router that restricts the input to your external interface (known as an input filter) by not allowing a packet through if it has a source address from your internal network..." The only routers that do not support IP packet filters are the 1000R and 3000E.

In order to prevent spoofing, you want two rules that look like this:

deny x.x.x.0/24 0.0.0.0 IP
permit 0.0.0.0 0.0.0.0 IP

Where x.x.x.0/24 is your Class C address (this assumes you have an entire Class C). This is a minimal filter set. The last rule permits all other traffic, because the default behavior of the filtering function is to drop any packet that is not specifically permitted by a filter rule on that port.
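To make the behavior of the rule sets on this page concrete, here is a small Python evaluator, added for this page and not Compatible Systems or Cisco code, that parses the rule syntax used in the basic WAN INPUT filter, the two ftp examples, and the anti-spoofing rules, and runs a combined WAN INPUT set over a handful of constructed packets. It assumes top-to-bottom first-match evaluation, the default drop that the answer above describes, that "est" matches TCP segments with the ACK flag set, and that 0.0.0.0 is a wildcard address; the network 206.5.130.0/24, the ftp server 206.5.130.3 from Example 1, and the outside addresses 198.51.100.x are illustrative values, and Packet, parse_rule, evaluate and demo are names invented for this example.

```python
"""Toy evaluator for the filter-rule syntax shown in this FAQ.

Assumptions (this is an added illustration, not the router's own code):
  - rules are evaluated top to bottom and the first match wins;
  - a packet that matches no rule is dropped (the FAQ's stated default);
  - "est" matches TCP segments with the ACK flag set, i.e. packets that
    belong to a session that was already established;
  - 0.0.0.0 is a wildcard, a.b.c.d/e is a CIDR prefix, and a bare
    address is an exact host match;
  - the service names ftp (21) and ftp-data (20) are resolved locally.
"""
import ipaddress
import re
from dataclasses import dataclass

SERVICES = {"ftp": 21, "ftp-data": 20}
PORT_RE = re.compile(r"(src|dst)\s*(=|>|<)\s*(\S+)")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK flag; True for packets of an established session


def _addr_matches(pattern, addr):
    """Wildcard, CIDR prefix, or exact host match."""
    if pattern == "0.0.0.0":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr


def parse_rule(line):
    """Parse one rule line; comment-only or blank lines return None."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    parts = line.split(None, 4)
    action, src, dst, proto = parts[0].lower(), parts[1], parts[2], parts[3].lower()
    rest = parts[4] if len(parts) > 4 else ""
    ports = []
    for side, op, val in PORT_RE.findall(rest):
        ports.append((side, op, SERVICES.get(val.lower()) or int(val)))
    return {"action": action, "src": src, "dst": dst, "proto": proto,
            "est": bool(re.search(r"\best\b", rest)), "ports": ports}


def rule_matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    if not (_addr_matches(rule["src"], pkt.src) and _addr_matches(rule["dst"], pkt.dst)):
        return False
    if rule["est"] and not (pkt.proto == "tcp" and pkt.ack):
        return False
    for side, op, port in rule["ports"]:
        have = pkt.sport if side == "src" else pkt.dport
        if (op == "=" and have != port) or (op == ">" and have <= port) or (op == "<" and have >= port):
            return False
    return True


def evaluate(filter_text, pkt):
    """Return 'permit' or 'deny' for pkt; unmatched packets are denied."""
    for line in filter_text.splitlines():
        rule = parse_rule(line)
        if rule and rule_matches(rule, pkt):
            return rule["action"]
    return "deny"


# Constructed WAN INPUT set combining the page's basic, ftp and anti-spoofing rules.
WAN_INPUT = """
# anti-spoofing: our own network must never be a source address on the WAN side
deny 206.5.130.0/24 0.0.0.0 ip
# replies to tcp sessions that originated inside
permit 0.0.0.0 0.0.0.0 tcp est
# dns answers from outside servers
permit 0.0.0.0 0.0.0.0 udp src = 53
# ftp command channel to the LAN ftp server
permit 0.0.0.0 206.5.130.3 tcp dst = ftp
# passive-mode ftp data channel to the LAN ftp server (both ports > 1023)
permit 0.0.0.0 206.5.130.3 tcp src > 1023 dst > 1023
# normal-mode ftp: outside server opens the data channel to a LAN client
permit 0.0.0.0 0.0.0.0 tcp src = ftp-data
"""

# Constructed sample packets arriving on the WAN port (addresses are illustrative).
SAMPLES = {
    "spoofed_internal_source":   Packet("206.5.130.9", "206.5.130.3", "tcp", 4000, 80),
    "reply_to_inside_session":   Packet("198.51.100.7", "206.5.130.3", "tcp", 80, 4001, ack=True),
    "dns_answer":                Packet("198.51.100.53", "206.5.130.3", "udp", 53, 1025),
    "passive_ftp_data":          Packet("198.51.100.7", "206.5.130.3", "tcp", 4500, 5000),
    "normal_ftp_data_to_client": Packet("198.51.100.7", "206.5.130.50", "tcp", 20, 3333),
    "unsolicited_telnet":        Packet("198.51.100.7", "206.5.130.3", "tcp", 4000, 23),
}


def demo(filter_text=WAN_INPUT):
    """Verdict for every sample packet under the given filter set."""
    return {name: evaluate(filter_text, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
```

Running it prints a verdict per sample packet: the spoofed packet and the unsolicited telnet connection are denied, the established-session reply, the dns answer and both ftp data channels are permitted. The passive-mode rule shows the cost of stateless filtering: it admits any new connection from an unprivileged outside port to an unprivileged port on the ftp server, not only ftp data channels, which is a reason to restrict that rule to the server's address, as Example 1 does, rather than to any destination.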

Q. I understand the 3000E does not support IP packet filtering. Is there an upgrade that would allow it?

A. No. The 3000E will never support IP packet filters, because the Flash EPROM that holds the system software is full.

Q. I want to place remote devices (home computers) that attach across the WAN in their own zone and prevent unnecessary broadcast traffic. I want to use the 3000E to hide the remote zones so that only the segment between the remote site and the 3000E can see that these zones exist. I can set up the zone filtering to not allow NBP lookups through the router, but is there any way to configure the 3000E to not propagate the zone names through?

A. The 3000E has no way to filter zone names. If the dial-in users run a PPP client at home rather than a router, the remote site does not send unnecessary traffic across the link, since the router essentially acts as a proxy on the Ethernet for these devices. Only traffic destined for those devices is passed.

Q. How does filtering in Compatible Systems devices react if a manufactured fin packet is received to elicit a response from a firewall, router, or host?

A. In general, a fin packet does no harm to the router or firewall, and it is passed through only if the device is configured to permit it.

In its default configuration, the IntraGuard silently drops the packet. This action is logged and kept in the reject table for five minutes.

In a router, the static (standard) IP filtering code must be explicitly configured to drop the packet. The router needs a broad deny rule that covers it, whether by sending host to receiving host, by source port to destination port, or by any combination of these conditions.

Q. Is the fin packet for a non-existent connection dropped, or does it receive a reply? If it receives a reply, what information is included in the reply?

A. The IntraGuard can be configured to permit the packet through, send an ICMP destination unreachable message, send a TCP reset, or both, in addition to the default, which is to silently drop the packet.

The static filters of a router can be configured to send an ICMP destination unreachable message to packets that are denied.

In either case, the reply packet appears to come from the destination host and is a correctly formed response packet.



Updated: Apr 12, 2002