Inside Annex Filtering
Last Modified: April 17, 1996
The format of an Annex filtering command is
defined as follows:
add interface direction scope [family] criteria action
- Valid interfaces are en0, asyN (N = port
number), or * (wildcard).
- Direction can be INPUT or OUTPUT.
- Scope can be INCLUDE or EXCLUDE.
- The only family currently supported is
IP, so the family keyword is optional.
- Criteria can be a combination of valid
criteria keywords (and values). See the
chapter on Filtering (Chapter 13 of
R10.1; Chapter 11 of R9.0 and earlier) as
defined in the Annex Network
Administrator's Guide for valid criteria.
- Actions can be:
- discard -- Silently discard
- icmp ----- Return an "ICMP:
Access administratively
disabled" message and
discard
- syslog --- Syslog but don't
discard
- netact --- When Annex
Dial-on-Demand routing is used,
this action determines which
traffic (meeting the filter
criteria) keeps the link active.
- no_start - With Dial-on-Demand,
affected traffic will keep the
link up, but won't bring the link
up (new for R10.1).
Rules
- Criteria in a single filter definition are
logically ANDed.
- An include filter performs the action
defined on all packets that match. (Packets
that match no include filter are accepted
normally.)
- An exclude filter performs the action
defined on all packets that do not match.
(A packet that matches an exclude filter is
exempt from that action and is otherwise
handled as the remaining filters dictate.)
- The actions of successive include filters
are logically ORed (i.e. act if EITHER A
OR B matches).
- The actions of successive exclude filters
are logically NORed (i.e. act if NEITHER A
NOR B matches).
- Exclude filters have precedence over
include filters.
Examples
- Filter based on destination address, or
even on the source/destination pair.
Consider the following filter statement:
filter: add asy1 input include proto tcp dst_address 192.190.242.17 icmp
This filter blocks all TCP access to host
192.190.242.17 from port asy1, returning an
ICMP "administratively disabled" message to
the sender.
- Reject finger requests selectively
(per-host or per-net).
filter: add asy1 input include proto tcp dst_address 192.190.242.17 \
dst_port finger icmp
or more broadly
filter: add asy1 input include proto tcp dst_address 192.190.242.0/24 \
dst_port finger icmp
- Reject SNMP requests selectively
(per-host or per-net).
filter: add asy1 input include proto udp dst_address 192.190.242.17 \
dst_port snmp icmp
or more broadly
filter: add asy1 input include proto udp dst_address 192.190.242.0/24 \
dst_port snmp icmp
- Reject all packets from the Annex to the
Ethernet that are not from our two Class
C networks.
filter: add en0 output exclude address_pair 192.190.242.0/24 * discard
filter: add en0 output exclude address_pair 192.190.243.0/24 * discard
Exclude means to perform the action on
every packet that does NOT match the
exclude criteria; with two exclude filters
the actions are NORed, so a packet is
discarded only if it matches neither.
Stated another way, we exempt networks
192.190.242.0/24 and 192.190.243.0/24 from
the filter and discard everyone else: every
packet the Annex tries to send out the
Ethernet is dropped UNLESS it came from one
of our Class C networks. This filter keeps
dial-in users from routing packets from
foreign networks through the Annex, which
is sometimes a problem when students or
clients attempt to use your Annex to become
"low rent" ISPs.
- Reject SNMP and TFTP from reaching the
Ethernet, unless they come from our two
Class C networks.
filter: add en0 output include protocol udp dst_port snmp discard
filter: add en0 output include protocol udp dst_port tftp discard
filter: add en0 output exclude address_pair 192.190.242.0/24 * discard
filter: add en0 output exclude address_pair 192.190.243.0/24 * discard
This monster filter allows any packet from
our 192.190.242.0 and 192.190.243.0 Class C
networks to reach the Ethernet, but discards
SNMP or TFTP traffic from all other IP
addresses. The two excludes punch holes in
the two includes because all four filters
carry the same "discard" action.
- Mixing include/exclude and actions, just
to be confusing.
filter: add asy1 in include proto tcp dst_port smtp discard
filter: add asy1 in exclude dst_address 192.190.242.1 syslog
This says: if the incoming packet is SMTP
traffic for host 192.190.242.1, discard it.
If it is SMTP traffic for any other host,
syslog it and discard it. If it is any other
traffic for host 192.190.242.1, accept it.
ANYTHING ELSE is syslog'ed. The exclude in
this case makes "syslog" the default action
for packets matching no other criteria,
replacing the usual "no action" default; an
interesting side-effect. The exclude filter
exempted 192.190.242.1 from being syslog'ed,
but not from being discarded, because the
include carries a different action! Got all
that? Why not read it again to be absolutely
sure. When both include and exclude filters
are present, the excludes are logically
subtracted from the includes. It is useful
to think of exclude filters as exceptions to
include filters: an exclude filter "punches
a hole" in include filters with the same
action (i.e. "discard" or "syslog"), but has
no effect on include filters with a
different action. Mixing include/exclude
filters *and* mixing actions should be done
with extreme care.
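To make the Rules above and the include/exclude examples concrete, here is an added example: a small Python evaluator that parses filter statements in the syntax this page uses and applies the stated combination rules (criteria ANDed, includes ORed, excludes NORed, excludes exempting a packet from the same action). It is not Annex firmware or Bay Networks code. It assumes that service names map to the usual /etc/services numbers, that the abbreviated spellings "proto" and "in"/"out" seen in the page's examples are accepted, and that address_pair matches a pair of addresses in either direction (so "net *" means any packet to or from that network). The Packet and Filter types, the SERVICES and ARITY tables, and the 10.x.x.x sample addresses are constructed for the example.

```python
"""Evaluator for this page's Annex filter rules (added example, not Annex
firmware or Bay Networks code): criteria in one filter are ANDed, includes
with the same action are ORed, excludes with the same action are NORed,
and a matching exclude exempts the packet from that action."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst sport dport")
Filter = namedtuple("Filter", "interface direction scope action criteria")
# Assumption: service names resolve to the usual /etc/services numbers.
SERVICES = {"finger": 79, "snmp": 161, "tftp": 69, "smtp": 25, "telnet": 23}
# Criterion keyword -> number of values. 'proto' and 'in'/'out' are taken
# from the page's own examples; their acceptance by the Annex is assumed.
ARITY = {"protocol": 1, "proto": 1, "src_address": 1, "dst_address": 1,
         "address_pair": 2, "src_port": 1, "dst_port": 1}

def parse_filter(line):
    """Parse 'filter: add <iface> <dir> <scope> [ip] <criteria...> <action>'."""
    toks = line.split()
    if toks and toks[0] == "filter:":
        toks = toks[1:]
    if len(toks) < 7 or toks[0] != "add":
        raise ValueError("expected: add interface direction scope criteria action")
    iface, direction, scope = toks[1], toks[2].lower(), toks[3].lower()
    direction = {"in": "input", "out": "output"}.get(direction, direction)
    if scope not in ("include", "exclude"):
        raise ValueError("scope must be include or exclude")
    rest = toks[5:] if toks[4].lower() == "ip" else toks[4:]  # optional family
    action, rest, criteria, i = rest[-1].lower(), rest[:-1], [], 0
    while i < len(rest):
        n = ARITY.get(rest[i].lower())
        if n is None or len(rest) < i + 1 + n:
            raise ValueError("bad or incomplete criterion at %r" % rest[i])
        criteria.append((rest[i].lower(), rest[i + 1:i + 1 + n]))
        i += 1 + n
    if not criteria:
        raise ValueError("a filter needs at least one criterion")
    return Filter(iface, direction, scope, action, criteria)

def _addr(pattern, addr):   # '*' is a wildcard; host or net/prefix otherwise
    return pattern == "*" or ipaddress.ip_address(addr) in \
        ipaddress.ip_network(pattern, strict=False)

def _port(pattern, port):
    return pattern == "*" or int(SERVICES.get(pattern, pattern)) == port

def criterion_matches(kw, vals, pkt):
    if kw in ("protocol", "proto"):
        return vals[0].lower() == pkt.proto
    if kw in ("src_address", "dst_address"):
        return _addr(vals[0], pkt.src if kw == "src_address" else pkt.dst)
    if kw == "address_pair":
        # Assumption: an address pair matches in either direction, so
        # 'net *' means any packet to or from that network.
        a, b = vals
        return (_addr(a, pkt.src) and _addr(b, pkt.dst)) or \
               (_addr(b, pkt.src) and _addr(a, pkt.dst))
    return _port(vals[0], pkt.sport if kw == "src_port" else pkt.dport)

def matches(flt, pkt):
    """Criteria within a single filter are ANDed."""
    return all(criterion_matches(kw, vals, pkt) for kw, vals in flt.criteria)

def evaluate(filters, interface, direction, pkt):
    """Return the set of actions applied to pkt; an empty set means accept."""
    live = [f for f in filters
            if f.interface in ("*", interface) and f.direction == direction]
    actions = set()
    for action in {f.action for f in live}:
        inc = [f for f in live if f.action == action and f.scope == "include"]
        exc = [f for f in live if f.action == action and f.scope == "exclude"]
        if any(matches(f, pkt) for f in exc):
            continue                    # an exclude punches a hole: exempt
        if inc:
            if any(matches(f, pkt) for f in inc):
                actions.add(action)     # includes are ORed
        else:
            actions.add(action)         # only excludes, none matched: NOR
    return actions

# The page's "mixing include/exclude and actions" and "monster" examples.
MIXED = [parse_filter(s) for s in (
    "filter: add asy1 in include proto tcp dst_port smtp discard",
    "filter: add asy1 in exclude dst_address 192.190.242.1 syslog")]
MONSTER = [parse_filter(s) for s in (
    "filter: add en0 output include protocol udp dst_port snmp discard",
    "filter: add en0 output include protocol udp dst_port tftp discard",
    "filter: add en0 output exclude address_pair 192.190.242.0/24 * discard",
    "filter: add en0 output exclude address_pair 192.190.243.0/24 * discard")]

if __name__ == "__main__":
    # Constructed sample packets; 10.1.1.1 and 10.2.2.2 stand in for foreign hosts.
    for pkt in (Packet("tcp", "10.1.1.1", "192.190.242.1", 1025, 25),
                Packet("tcp", "10.1.1.1", "192.190.242.9", 1025, 23)):
        print("asy1 input ", pkt, sorted(evaluate(MIXED, "asy1", "input", pkt)))
    for pkt in (Packet("udp", "192.190.242.5", "10.2.2.2", 1025, 161),
                Packet("udp", "10.1.1.1", "10.2.2.2", 1025, 161)):
        print("en0 output ", pkt, sorted(evaluate(MONSTER, "en0", "output", pkt)))
```

Run stand-alone it prints the action set for each constructed packet: for the mixed example, SMTP to 192.190.242.1 gets only "discard" (the exclude exempts it from syslog but not from the include's different action), while non-SMTP traffic to any other host gets only "syslog". For the monster example, a packet from one of the two Class C networks gets no action at all, and foreign SNMP gets "discard".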
Important Note
Filters take effect immediately. They can be
disabled, but a major restriction is that they
are re-enabled on a port reset, whether done
manually (from NA or ADMIN) or caused by a port
to which they apply dropping DCD. In general,
disabling filters is only useful for debugging,
since they almost always come back unless
deleted.
Filters can only be listed if a route exists
in the Annex's routing cache for the interface
to which the filter has been applied. This
means that for a dial-in PC client running PPP
or SLIP, "filter: list" will not report any
filters as active UNLESS a PC client is
currently dialed into the appropriate Annex
interface. Use "filter: list -e" to list
non-active filters.
Copyright © Bay Networks, Inc., 1997. All rights reserved.