Filter

How does the ZyXEL filter work?



Conceptually, there are two categories of filter rules: device and protocol. The Generic filter rules belong to the device category; they act on the raw data from/to LAN and WAN. The IP and IPX filter rules belong to the protocol category; they act on the IP and IPX packets.

In order to let users specify the local network IP address and port number in filter rules on SUA connections, the TCP/IP filter function has to be executed before SUA for WAN outgoing packets and after SUA for WAN incoming packets. At the same time, the Generic filter rules must be applied at the point where the Prestige actually receives and sends the packets, i.e. the ISDN interface. The execution sequence has therefore been changed. The logic flow of the filter is shown in Figure 1; the sequence of the logic flow for a packet from LAN to WAN is:

  1. LAN device and protocol input filter sets.
  2. WAN protocol call and output filter sets.
  3. If SUA is enabled, SUA converts the source IP address from 192.168.1.33 to 203.205.115.6 and port number from 1023 to 4034.
  4. WAN device output and call filter sets.

The sequence of the logic flow for the packet from WAN to LAN is:

  1. WAN device input filter sets.
  2. If SUA is enabled, SUA converts the destination IP address from 203.205.115.6 to 192.168.1.33 and port number from 4034 to 1023.
  3. WAN protocol input filter sets.
  4. LAN device and protocol output filter sets.
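The two sequences above, as an added model that is not part of the original ZyXEL page: each stage records the packet as it would see it, so the trace shows why a protocol (TCP/IP) rule at the WAN protocol stage sees the local address 192.168.1.33:1023 while a device (Generic) rule at the ISDN interface sees the translated 203.205.115.6:4034. The stage names and the SUA mapping are from the text; the packet structure and the outside host 203.0.113.9 are assumptions.

```python
# Added model of the Prestige filter/SUA ordering (not ZyXEL code). The stage
# names and the SUA mapping 192.168.1.33:1023 <-> 203.205.115.6:4034 are from
# the text; the Packet layout and the outside host are constructed assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

# SUA translation table: local (addr, port) -> public (addr, port).
SUA_TABLE = {("192.168.1.33", 1023): ("203.205.115.6", 4034)}
SUA_REVERSE = {pub: loc for loc, pub in SUA_TABLE.items()}

def sua_out(p: Packet) -> Packet:
    """Rewrite source address/port of a packet heading to the WAN."""
    pub = SUA_TABLE.get((p.src, p.sport))
    return Packet(pub[0], pub[1], p.dst, p.dport) if pub else p

def sua_in(p: Packet) -> Packet:
    """Rewrite destination address/port of a packet arriving from the WAN."""
    loc = SUA_REVERSE.get((p.dst, p.dport))
    return Packet(p.src, p.sport, loc[0], loc[1]) if loc else p

def lan_to_wan(p: Packet, sua: bool = True) -> list:
    """Return (stage, packet as that stage sees it) in the LAN-to-WAN order."""
    trace = [("LAN device+protocol input", p),
             ("WAN protocol call+output", p)]     # before SUA: local address
    if sua:
        p = sua_out(p)
    trace.append(("WAN device output+call", p))   # after SUA: public address
    return trace

def wan_to_lan(p: Packet, sua: bool = True) -> list:
    """Return (stage, packet as that stage sees it) in the WAN-to-LAN order."""
    trace = [("WAN device input", p)]             # raw from ISDN: public address
    if sua:
        p = sua_in(p)
    trace += [("WAN protocol input", p),          # after SUA: local address
              ("LAN device+protocol output", p)]
    return trace

def seen_by(trace: list, stage: str) -> Packet:
    """Packet fields visible to a rule in the named stage."""
    return dict(trace)[stage]

if __name__ == "__main__":
    for stage, pkt in lan_to_wan(Packet("192.168.1.33", 1023, "203.0.113.9", 80)):
        print(f"{stage:28s} src={pkt.src}:{pkt.sport}")
```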

Generic and TCP/IP (and IPX) filter rules live in different filter sets. The SMT detects and prevents the mixing of rules from different categories within any filter set in Menu 21. In the following example, you will receive the error message 'Protocol and device filter rules cannot be active together' if you try to activate a TCP/IP (or IPX) filter rule in a filter set that already has one or more active Generic filter rules. You will receive the same error if you try to activate a Generic filter rule in a filter set that already has one or more active TCP/IP (or IPX) filter rules.

Menu 21.1.1:


                         Menu 21.1.1 - Generic Filter Rule

                    Filter #: 1,1
                    Filter Type= Generic Filter Rule
                    Active= Yes
                    Offset= 0
                    Length= 0
                    Mask= N/A
                    Value= N/A
                    More= No          Log= None
                    Action Matched= Check Next Rule
                    Action Not Matched= Check Next Rule

 

Menu 21.1.2:


                         Menu 21.1.2 - TCP/IP Filter Rule

                    Filter #: 1,2
                    Filter Type= TCP/IP Filter Rule
                    Active= Yes
                    IP Protocol= 0   IP Source Route= No
                    Destination: IP Addr= 0.0.0.0
                                 IP Mask= 0.0.0.0
                                 Port #= 0
                                 Port # Comp= None
                         Source: IP Addr= 0.0.0.0
                                 IP Mask= 0.0.0.0
                                 Port #= 0
                                 Port # Comp= None
                    TCP Estab= N/A
                    More= No          Log= None
                    Action Matched= Check Next Rule
                    Action Not Matched= Check Next Rule

                    Press ENTER to Confirm or ESC to Cancel:
Saving to ROM.  Please wait...
Protocol and device rule cannot be active together

To separate the device and protocol filter categories, two new menus, Menu 11.5 and Menu 13.1, have been added, and some changes have been made to Menu 3.1, Menu 11.1, and Menu 13. The new fields are shown below.

Menu 3.1:


                        Menu 3.1 - General Ethernet Setup

                    Input Filter Sets:
                      protocol filters=
                        device filters=

                    Output Filter Sets:
                      protocol filters=
                        device filters=

 

Menu 11.1:


                    Menu 11.1 - Remote Node Profile

     Rem Node Name= abc                   Edit PPP Options= No
     Active= Yes                          Rem IP Addr= 0.0.0.0
     Call Direction= Outgoing             Edit IP= No
                                          
     Incoming:                            Telco Option:
       Rem Login=  N/A                      Transfer Type= 64K
       Rem Password= N/A                    Allocated Budget(min)=
       Rem CLID= N/A                          Period(hr)=
       Call Back= N/A                       Schedules=  
     Outgoing:                              Carrier Access Code=
       My Login= wxyz                     Nailed-Up Connection= No
       My Password= ********                Toll Period(sec)= 0
       Authen= CHAP/PAP                   Session Options:
       Pri Phone #= 140812345678            Edit Filter Sets= Yes
       Sec Phone #= 140822345678            Idle Timeout(sec)= 100

                    Press ENTER to Confirm or ESC to Cancel:

 

Menu 11.5:


                         Menu 11.5 - Remote Node Filter

                    Input Filter Sets:
                      protocol filters=
                        device filters=
                    Output Filter Sets:
                      protocol filters=
                        device filters=
                    Call Filter Sets:
                      protocol filters=
                        device filters=

 

Menu 13:

 

                       Menu 13 - Default Dial-in Setup

     Telco Options:                       IP Address Supplied By:
       CLID Authen= None                    Dial-in User= Yes
                                            IP Pool= Yes
     PPP Options:                             IP Start Addr= 123.234.111.163
       Recv Authen= CHAP/PAP                  IP Count(1,4)= 4
       Compression= Yes
       Mutual Authen= No                 Session Options:
         O/G Username= N/A                 Edit Filter Sets= Yes  
         O/G Password= N/A               
       Multiple Link Options:                 
         Max Trans Rate(Kbps)= 128
                                          
     Callback Budget Management:            
       Allocated Budget(min)= 0             
       Period(hr)= 0                        

                  Press ENTER to Confirm or ESC to Cancel:

 

Menu 13.1:


                       Menu 13.1 - Default Dial-in Filter

                    Input Filter Sets:
                      protocol filters=
                        device filters=
                    Output Filter Sets:
                      protocol filters=
                        device filters=

 

SMT will also prevent you from entering a protocol filter set configured in Menu 21 into the device filters field of Menu 3.1, 11.5, or 13.1, or entering a device filter set into the protocol filters field. Although SMT prevents such an inconsistency from being entered in ZyNOS, it cannot resolve intermixing problems that already exist in filter sets configured before the upgrade. Instead, when ZyNOS translates the old configuration into the new format, it verifies the filter rules and logs the inconsistencies. Please check the system log (Menu 24.3.1) before putting your device into use.
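The three checks just described (rule activation in Menu 21, set assignment in Menu 3.1/11.5/13.1, and the logging-only audit at configuration translation time), as an added model that is not ZyNOS code: the rule and set structures, the assignment map and the log wording are assumptions; only the device/protocol category split is from the page.

```python
# Added model of the SMT consistency checks (not ZyNOS code). Only the
# category split is from the text; Rule/FilterSet, the assignment map and
# the log messages are constructed assumptions.
from dataclasses import dataclass, field

# Generic rules act on raw frames (device); TCP/IP and IPX act on packets (protocol).
RULE_CATEGORY = {"Generic": "device", "TCP/IP": "protocol", "IPX": "protocol"}

@dataclass
class Rule:
    kind: str            # "Generic", "TCP/IP" or "IPX"
    active: bool = False

@dataclass
class FilterSet:
    number: int
    rules: list = field(default_factory=list)

def active_categories(fs: FilterSet) -> set:
    """Categories of the rules currently active in a set (ideally one or none)."""
    return {RULE_CATEGORY[r.kind] for r in fs.rules if r.active}

def activate_rule(fs: FilterSet, index: int) -> None:
    """Menu 21 check: refuse to activate a rule of the other category."""
    other = active_categories(fs) - {RULE_CATEGORY[fs.rules[index].kind]}
    if other:
        raise ValueError("Protocol and device filter rules cannot be active together")
    fs.rules[index].active = True

def assign_filter_sets(field_category: str, set_numbers: list, menu21: dict) -> list:
    """Menu 3.1/11.5/13.1 check: a field accepts only sets of its own category."""
    for n in set_numbers:
        cats = active_categories(menu21[n])
        if cats and cats != {field_category}:
            raise ValueError(f"filter set {n} is not a {field_category} filter set")
    return set_numbers

def audit_old_config(menu21: dict, assignments: dict) -> list:
    """Translation of an old configuration: log inconsistencies, do not refuse.
    assignments maps (menu name, field category) -> list of set numbers."""
    log = []
    for fs in menu21.values():
        if len(active_categories(fs)) > 1:
            log.append(f"set {fs.number}: protocol and device rules both active")
    for (menu, cat), nums in assignments.items():
        for n in nums:
            cats = active_categories(menu21[n])
            if cats and cats != {cat}:
                log.append(f"{menu} {cat} filters: set {n} holds {sorted(cats)} rules")
    return log
```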

Running the Prestige with wrong filter rules may keep the ISDN line perpetually active, allow undesired traffic to pass to the outside world, or let unwanted outside traffic in. The first case may incur an enormous ISDN bill; the other two are a data security hazard.

In order to avoid operational problems later, the Prestige will disable its routing/bridging functions if there is an inconsistency among its filter rules.
 


All contents copyright © 1999 ZyXEL Communications Corporation.