
Introduction to IP packet filtering

HUAWEI

For every packet a router has to forward, it first extracts the packet header fields and then compares them against the configured rules. The result of that comparison decides whether the packet is forwarded or discarded. The key technology that implements packet filtering is the access control list (ACL).

[Figure: packets arriving from the WAN are checked against the router's rule database; a packet that passes the check ("OK") is forwarded]

www.huawei.com

Why is access control list needed?



Refuse some undesired access: an access control list can distinguish between packets and drop the unwanted ones.

[Figure: Internet, router at the headquarters of a company, internal server; the router filters unwanted access from the Internet to the internal server]



Another use of access control list


Specify which packets are allowed to trigger dial-up.
Ensure that "these packets" bring up "these services".

[Figure: two routers connected over the PSTN; the access control list selects the packets that may trigger the dial-up connection]


What is access control list?



An IP packet is shown below (in the figure, the upper-layer protocol carried by IP is TCP):

IP header | TCP header | Data

IP header fields: protocol number, source address, destination address
TCP header fields: source port, destination port

An access control list uses rules defined on these fields.


How to identify an access control list?



Access control lists are identified by number, and the number range identifies the kind of list:

Number range    Kind of list
1-99            IP standard list
100-199         IP extended list


How to use a wildcard mask



A wildcard mask is similar to a subnet mask, but it is written differently:

0 means the bit must be compared
1 means the bit is ignored

A wildcard mask, used in combination with an IP address, describes an address range.

Wildcard mask      Bits compared
0.0.0.255          only the first 24 bits
0.0.255.255        only the first 16 bits
255.255.255.0      only the last 8 bits
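The bit semantics above in working code, as an added example (not code from the original Huawei page): a 0 bit in the wildcard mask means "compare this bit", a 1 bit means "ignore it". Besides the three masks from the table, the example shows the case a subnet mask cannot express, a mask such as 255.255.255.0 that compares only the last octet and therefore matches the same host number in every network. All addresses used are constructed.

```python
"""Wildcard-mask matching for access control list rules.

Added example; this is not code from the original Huawei training page, only
an illustration of the bit semantics it states: a 0 bit in the wildcard mask
means "this bit is compared", a 1 bit means "this bit is ignored". All
addresses below are constructed for the demonstration.
"""
import ipaddress


def to_int(addr: str) -> int:
    """Dotted-quad IPv4 address -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_addr: str, rule_addr: str, wildcard: str = "0.0.0.0") -> bool:
    """Return True if packet_addr matches rule_addr under the wildcard mask.

    Only bits where the wildcard is 0 are compared, so the check is
    ((packet XOR rule) AND NOT wildcard) == 0. The default wildcard 0.0.0.0
    compares all 32 bits, i.e. an exact host match.
    """
    care = ~to_int(wildcard) & 0xFFFFFFFF        # 1 = bit must match
    return (to_int(packet_addr) ^ to_int(rule_addr)) & care == 0


def compared_bits(wildcard: str) -> int:
    """Number of bits the mask compares: 32 minus the number of 1 bits.

    The page calls this the rule's "depth": more compared bits means a
    smaller address range and therefore a more specific rule.
    """
    return 32 - bin(to_int(wildcard)).count("1")


def subnet_mask_to_wildcard(subnet_mask: str) -> str:
    """Convert a contiguous subnet mask to the equivalent wildcard mask.

    A wildcard mask is the bitwise inverse of a subnet mask, e.g.
    255.255.255.0 -> 0.0.0.255.
    """
    return str(ipaddress.IPv4Address(~to_int(subnet_mask) & 0xFFFFFFFF))


def address_range(rule_addr: str, wildcard: str) -> int:
    """Number of addresses the rule address plus wildcard covers (2 ** ignored bits)."""
    return 1 << (32 - compared_bits(wildcard))


if __name__ == "__main__":
    # The three masks from the page: which part of the address is compared?
    for wc in ("0.0.0.255", "0.0.255.255", "255.255.255.0"):
        print(f"{wc:>15}: {compared_bits(wc)} bits compared, "
              f"{address_range('0.0.0.0', wc)} addresses per rule")

    # Contiguous case: 202.38.160.1 with 0.0.0.255 describes the whole 202.38.160.0/24.
    print(wildcard_match("202.38.160.77", "202.38.160.1", "0.0.0.255"))   # True
    print(wildcard_match("202.38.161.77", "202.38.160.1", "0.0.0.255"))   # False

    # Non-contiguous case a subnet mask cannot express: 255.255.255.0 compares
    # only the last octet, so rule address 0.0.0.1 matches every host whose
    # last octet is 1, in any network.
    print(wildcard_match("10.1.1.1", "0.0.0.1", "255.255.255.0"))        # True
    print(wildcard_match("192.168.200.1", "0.0.0.1", "255.255.255.0"))   # True
    print(wildcard_match("10.1.1.2", "0.0.0.1", "255.255.255.0"))        # False
```

Note that a rule with wildcard 0.0.0.255 covers 256 addresses whatever the last octet of the rule address is; 202.38.160.1 and 202.38.160.0 describe the same range, which is why the page's standard-list example can write either.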


Standard access control list



A standard access control list uses only the source address to decide whether a packet is permitted or denied.

[Figure: router with a standard list applied; packets from 202.110.10.0/24 can pass, packets from 192.110.10.0/24 cannot pass]


Standard access control list



The command to configure a standard access control list has the following format:
access-list [normal|special] listnumber { permit | deny } ip-address [ wildcard-mask ]


Extended access control list



An extended access control list uses more packet header fields than the source address alone (destination address, protocol, ports) to decide whether a packet is permitted or denied.

[Figure: router with an extended list applied; packets from 202.110.10.0/24 to 179.100.17.10 that use TCP and access HTTP can pass]



Configuration commands of extended access control list

Configure an extended access list for the TCP/UDP protocols:
access-list [normal|special] listnumber { permit | deny } {tcp|udp} source-addr [source-mask] dest-addr [dest-mask] [operator port1 [port2]] [log]

Configure an extended access list for the ICMP protocol:
access-list [normal|special] listnumber { permit | deny } icmp source-addr [source-mask] dest-addr dest-mask [icmp-type [icmp-code]] [log]

Configure an extended access list for other protocols:
access-list [normal|special] listnumber { permit | deny } protocol source-addr [source-mask] dest-addr [dest-mask] [log]


The meaning of the operator in an extended access control list

Operator and syntax               Meaning
eq portnumber                     equal to portnumber
gt portnumber                     greater than portnumber
lt portnumber                     less than portnumber
neq portnumber                    not equal to portnumber
range portnumber1 portnumber2     between portnumber1 and portnumber2


Examples of extended access control list



access-list 100 deny icmp 10.1.0.0 0.0.255.255 any host-redirect
Rule serial number 100: ICMP host redirect packets from the network segment 10.1.0.0 to any destination are not allowed to pass.

access-list 100 deny tcp 129.9.0.0 0.0.255.255 202.38.160.0 0.0.0.255 eq www log
Rule serial number 100: connections from hosts in the network segment 129.9.0.0 to the WWW port (80) of hosts in the network segment 202.38.160.0 are denied, and any event violating this rule is recorded in a log.

access-list 102 deny udp 129.9.8.0 0.0.0.255 202.38.160.0 0.0.0.255 gt 128
Rule serial number 102: UDP packets from hosts in the network segment 129.9.8.0 to ports greater than 128 on hosts in the network segment 202.38.160.0 are denied.



Combination of multiple rules

An access list may consist of multiple rules.
Multiple rules of one list use the same serial number.
Conflicts between rules are resolved by "depth": the smaller the address range a rule covers, the higher its priority.
The depth is determined by combining the wildcard mask with the IP address (the fewer bits the wildcard ignores, the deeper the rule).

access-list 4 deny 202.38.0.0 0.0.255.255
access-list 4 permit 202.38.160.1 0.0.0.255

Combining the two rules denies access to the hosts of the large network segment (202.38.0.0, 16 bits compared) but permits the small number of hosts in 202.38.160.0 (24 bits compared). Because the wildcard 0.0.0.255 ignores the last octet, 202.38.160.1 describes the whole 202.38.160.0 segment.
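The operator table, the extended-list examples and the depth rule above, combined into one small rule evaluator. This is an added example, not code from the Huawei page or from any router software: it parses rules written in the page's own syntax (standard lists numbered 1-99, TCP/UDP extended lists numbered 100-199 with eq/gt/lt/neq/range) and decides a packet the way the page describes, with every rule of the list tested and the deepest match winning regardless of the order in which the rules were entered. Two assumptions the page does not state are made here: the depth of an extended rule is taken as the sum of the compared bits of its source and destination, and a tie between equally deep rules falls to the rule entered first. The rules fed to it reproduce the page's own examples; the packets are constructed.

```python
# Added example (not from the Huawei page): evaluate access-list rules with port
# operators and depth-based conflict resolution. Rules and packets are constructed.
from dataclasses import dataclass
from typing import Optional
import ipaddress

PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21}   # symbolic port names used on the page


def wildcard_match(addr, rule_addr, wildcard):
    """Compare only the bits where the wildcard mask is 0."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) ^ int(ipaddress.IPv4Address(rule_addr))) & care == 0


def compared_bits(wildcard):
    """Bits the mask compares: the page's 'depth' of one address/wildcard pair."""
    return 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")


@dataclass
class Rule:
    number: int          # list number the rule belongs to
    action: str          # "permit" or "deny"
    protocol: str        # "ip" = any protocol (standard lists), else "tcp" / "udp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    op: Optional[str] = None   # eq / gt / lt / neq / range; None = any port
    ports: tuple = ()
    log: bool = False

    def depth(self):
        # Assumption: source and destination compared bits add up for extended rules.
        return compared_bits(self.src_wc) + compared_bits(self.dst_wc)

    def port_ok(self, dport):
        if self.op is None:
            return True
        lo = self.ports[0]
        hi = self.ports[1] if len(self.ports) > 1 else lo
        return {"eq": dport == lo, "gt": dport > lo, "lt": dport < lo,
                "neq": dport != lo, "range": lo <= dport <= hi}[self.op]

    def matches(self, pkt):
        if self.protocol != "ip" and pkt.get("protocol") != self.protocol:
            return False
        return (wildcard_match(pkt["src"], self.src, self.src_wc)
                and wildcard_match(pkt["dst"], self.dst, self.dst_wc)
                and self.port_ok(pkt.get("dport", 0)))


def _take_addr(tok):
    """Pop 'any' or 'address [wildcard]' from the front of the token list."""
    addr = tok.pop(0)
    if addr == "any":
        return "0.0.0.0", "255.255.255.255"   # every bit ignored
    if tok and tok[0].count(".") == 3:       # a dotted wildcard mask follows
        return addr, tok.pop(0)
    return addr, "0.0.0.0"                   # no wildcard given: exact host


def parse_rule(line):
    """Parse 'access-list N {permit|deny} ...' in the page's syntax."""
    tok = line.split()
    number, action, rest = int(tok[1]), tok[2], tok[3:]
    log = rest[-1] == "log"
    if log:
        rest.pop()
    if 1 <= number <= 99:                    # standard list: source address only
        src, src_wc = _take_addr(rest)
        return Rule(number, action, "ip", src, src_wc, "0.0.0.0", "255.255.255.255", log=log)
    protocol = rest.pop(0)                   # extended list: protocol, source, destination
    src, src_wc = _take_addr(rest)
    dst, dst_wc = _take_addr(rest)
    op, ports = None, ()
    if rest:                                 # optional operator and port(s)
        op = rest.pop(0)
        ports = tuple(PORT_NAMES[p] if p in PORT_NAMES else int(p) for p in rest)
    return Rule(number, action, protocol, src, src_wc, dst, dst_wc, op, ports, log)


def evaluate(rules, list_number, pkt, default="permit"):
    """All rules of the list are tested; the deepest match decides. With no match the
    firewall default (firewall default { permit | deny } on the page) applies."""
    hits = [r for r in rules if r.number == list_number and r.matches(pkt)]
    if not hits:
        return default
    return max(hits, key=lambda r: r.depth()).action   # first of equal depth wins (assumption)


RULES = [parse_rule(line) for line in (
    "access-list 4 deny 202.38.0.0 0.0.255.255",
    "access-list 4 permit 202.38.160.1 0.0.0.255",
    "access-list 100 deny tcp 129.9.0.0 0.0.255.255 202.38.160.0 0.0.0.255 eq www log",
    "access-list 102 deny udp 129.9.8.0 0.0.0.255 202.38.160.0 0.0.0.255 gt 128",
)]

if __name__ == "__main__":
    # List 4: the 24-bit permit is deeper than the 16-bit deny, so it wins regardless of order.
    print(evaluate(RULES, 4, {"src": "202.38.160.77", "dst": "10.0.0.1"}))   # permit
    web = {"protocol": "tcp", "src": "129.9.3.3", "dst": "202.38.160.9", "dport": 80}
    print(evaluate(RULES, 100, web), evaluate(RULES, 100, dict(web, dport=443)))  # deny permit
```

Feeding the two rules of list 4 in reverse order gives the same decisions, which is the practical consequence of depth-based matching: unlike a first-match list, the order of entry does not change the policy, only the address ranges do.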

How to validate access control list?



To make an access control list take effect:
- Refer to the list by its serial number.
- Apply the access control list to an interface.
- Specify whether it filters in the OUT direction or the IN direction on that interface.

Example: access control list 101 is applied to interface Ethernet0 and takes effect in the out direction; access control list 3 is applied to interface Serial0 and takes effect in the in direction.

[Figure: router with interfaces Ethernet0 and Serial0]



Basic configuration task of access control list

The following steps are basically necessary to configure an access control list:
- Enable/disable the firewall (the default on Quidway series routers is to disable the firewall function)
- Define the access control list (standard or extended)
- Apply the access control list to an interface

The following applications can be extended as required:
- Set the default filtering mode of the firewall
- Enable/disable filtering by time segment
- Set special time segments
- Specify a log host
- Display the configuration status


Attribute configuration commands of firewall


Firewall command:
firewall { enable | disable }

Firewall default command:
firewall default { permit | deny }

Show firewall command:
show firewall


Packet filtering based on time segment



"Special rules for special time segments"

During working hours (8:00 a.m. to 5:00 p.m.) only specified sites can be accessed; other sites can be accessed outside those hours.

[Figure: router between the WAN and the internal network, filtering with a rule database based on time segment]


Configuration commands of time segment



timerange
    timerange { enable | disable }

[no] settr
    settr begin-time end-time [ begin-time end-time ... ]
    no settr

show isintr
    show isintr

show timerange
    show timerange

Configuration commands of log function



The log function records firewall operations on a designated host:
- logging on starts the log system
- logging host configures the relevant attributes, such as the log host address
- show logging displays the log configuration

There are many more log functions; for details, refer to the corresponding configuration manual.

Networking diagram

[Figure: company intranet with a Telnet server, a WWW server, an FTP server and an internal specified PC, connected through a router to the WAN, where an external specified user is located]


Configuration steps

In actual applications the configuration follows these steps:
- Enable/disable the firewall (the default on Quidway series routers is to disable the firewall function)
- Define an extended access control list
- Apply the access control list to an interface


Key points in this chapter



- Principles of packet filtering
- Configuration principles of a standard access list
- Configuration principles of an extended access list
- Applying an access control list on an interface to implement the firewall function
