Filter Example
A filter for blocking FTP connections from the WAN
The Prestige supports uploading firmware and configuration files over FTP connections
via both the LAN and the WAN. As a result, anyone can make an FTP connection over the
Internet to your Prestige. To prevent outside users from connecting to your Prestige via
FTP, you can configure a filter to block FTP connections from the WAN.
Before configuring a filter, you need to know the following information:
- The inbound packet type (protocol & port number): In this case, it is TCP (06)
protocol with port 20 or 21.
- The source IP address: In this case, we block all connections from outside, so the
source IP is 0.0.0.0.
- The destination IP address: It is the Prestige's IP address, but it is not available
in the SUA case since most WAN IP addresses are dynamically assigned by the ISP. So, we
can only enter 0.0.0.0 as the destination IP in the filter rule. Once 0.0.0.0 is set as
the destination IP, no FTP connections are allowed to reach either the Prestige or the
FTP server on the LAN. For a LAN-to-LAN connection, you enter the Prestige's LAN IP as
the destination IP in the filter rule. After the FTP filter is applied to the remote
node, it blocks only the FTP connection to the Prestige but still permits the FTP
connection to the local FTP server.
- Create a filter set in Menu 21, e.g., set 3
- Create two filter rules in Menu 21.3.1 and Menu 21.3.2
- Rule 1- block the inbound FTP packet, TCP (06) protocol with port number 20
- Rule 2- block the inbound FTP packet, TCP (06) protocol with port number 21
- Apply the filter set in remote node, Menu 11
- Create a filter set in Menu 21
Menu 21 - Filter Set Configuration

Filter                      Filter
Set #   Comments            Set #   Comments
------  -----------------   ------  -----------------
  1     NetBIOS_WAN           7     _______________
  2     NetBIOS_LAN           8     _______________
  3     FTP_WAN               9     _______________
  4     _______________      10     _______________
  5     _______________      11     _______________
  6     _______________      12     _______________

Enter Filter Set Number to Configure= 3
Edit Comments= FTP_WAN
Press ENTER to Confirm or ESC to Cancel:
- Rule 1- block the inbound FTP packet, TCP (06) protocol with port number 20
Menu 21.3.1 - TCP/IP Filter Rule
Filter #: 3,1
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6 IP Source Route= No
Destination: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #= 20
Port # Comp= Equal
Source: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #=
Port # Comp= None
TCP Estab= No
More= No Log= None
Action Matched= Drop
Action Not Matched= Check Next Rule
Press ENTER to Confirm or ESC to Cancel:
- Rule 2- block the inbound FTP packet, TCP (06) protocol with port number 21
Menu 21.3.2 - TCP/IP Filter Rule
Filter #: 3,2
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6 IP Source Route= No
Destination: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #= 21
Port # Comp= Equal
Source: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #=
Port # Comp= None
TCP Estab= No
More= No Log= None
Action Matched= Drop
Action Not Matched= Forward
Press ENTER to Confirm or ESC to Cancel:
- When the two rules are completed, you can see the rule summary in Menu 21.3
Menu 21.3 - Filter Rules Summary

# A Type Filter Rules                                M m n
- - ---- ------------------------------------------- - - -
1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=20         N D N
2 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=21         N D F
3 N
4 N
5 N
6 N
- Choose the remote node number where you want to block the inbound FTP connections and
apply the filter set in Menu 11.5 by setting 'Edit Filter Sets' to 'Yes'.
Menu 11.1 - Remote Node Profile

Rem Node Name= hinet               Edit PPP Options= No
Active= Yes                        Rem IP Addr= 0.0.0.0
Call Direction= Outgoing           Edit IP= No
Incoming:                          Telco Option:
  Rem Login= N/A                     Transfer Type= 64K
  Rem Password= N/A                  Allocated Budget(min)=
  Rem CLID= N/A                      Period(hr)=
  Call Back= N/A                     Carrier Access Code=
Outgoing:                            Nailed-Up Connection= No
  My Login= masterbc                 Toll Period(sec)= 0
  My Password= ********
  Authen= CHAP/PAP                 Session Options:
  Pri Phone #= 4125678               Edit Filter Sets= Yes
  Sec Phone #=                       Idle Timeout(sec)= 300

Press ENTER to Confirm or ESC to Cancel:
- Enter the filter set number '3' in the 'Input Protocol Filter Set' field in Menu 11.5
to activate the FTP_WAN filter.
Menu 11.5 - Remote Node Filter
Input Filter Sets:
protocol filters= 3
device filters=
Output Filter Sets:
protocol filters=
device filters=
Call Filter Sets:
protocol filters=
device filters=
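The rule chain configured above, modelled as an added Python example (this is not ZyXEL firmware code and not part of the original note): it walks rules 3,1 and 3,2 in order using their 'Action Matched' and 'Action Not Matched' fields, then repeats the check for the LAN-to-LAN variant that names the Prestige's LAN IP as the destination. The mask comparison, the default of Forward when no rule decides, the 255.255.255.255 mask and the 192.168.1.x addresses are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    """One TCP/IP filter rule; fields follow the Menu 21.x.y screen."""
    proto: int
    dst_ip: str
    dst_mask: str
    dst_port: int       # compared as "Port # Comp= Equal"
    matched: str        # "Action Matched"
    not_matched: str    # "Action Not Matched"
    # Source fields are omitted: 0.0.0.0/0.0.0.0 with Port # Comp= None matches any source.

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def rule_matches(rule, pkt):
    # Assumed semantics: compare only the bits selected by the mask,
    # so a mask of 0.0.0.0 matches every destination address.
    mask = _ip(rule.dst_mask)
    return (pkt["proto"] == rule.proto
            and (_ip(pkt["dst_ip"]) & mask) == (_ip(rule.dst_ip) & mask)
            and pkt["dst_port"] == rule.dst_port)

def evaluate(rules, pkt):
    """Walk the filter set in order and return 'Drop' or 'Forward'."""
    for rule in rules:
        action = rule.matched if rule_matches(rule, pkt) else rule.not_matched
        if action != "Check Next Rule":
            return action
    return "Forward"  # assumption: a packet no rule decides on is passed

def ftp_set(dst_ip, dst_mask):
    return [Rule(6, dst_ip, dst_mask, 20, "Drop", "Check Next Rule"),
            Rule(6, dst_ip, dst_mask, 21, "Drop", "Forward")]

def pkt(dst_ip, dst_port, proto=6):
    return {"proto": proto, "dst_ip": dst_ip, "dst_port": dst_port}

# Constructed addresses: 192.168.1.1 = Prestige LAN IP, 192.168.1.10 = LAN FTP server.
FTP_WAN = ftp_set("0.0.0.0", "0.0.0.0")              # rules 3,1 and 3,2 as on the page
FTP_LAN = ftp_set("192.168.1.1", "255.255.255.255")  # LAN-to-LAN variant (assumed mask)

if __name__ == "__main__":
    for name, rules in (("FTP_WAN", FTP_WAN), ("FTP_LAN", FTP_LAN)):
        for p in (pkt("192.168.1.1", 21), pkt("192.168.1.10", 21),
                  pkt("192.168.1.1", 20), pkt("192.168.1.10", 80)):
            print(name, p["dst_ip"], p["dst_port"], evaluate(rules, p))
```

With the wildcard destination every TCP packet to port 20 or 21 is dropped, whichever host it is addressed to; with the Prestige's LAN IP as destination, only FTP to the Prestige itself is dropped.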
All contents copyright © 1999 ZyXEL Communications
Corporation.