Filter Example
A filter for blocking FTP connections from the WAN
The Prestige 324 supports firmware and configuration file upload over FTP connections
from both the LAN and the WAN. This means that anyone on the Internet could open an FTP
connection to your Prestige 324. To prevent outside users from connecting to your
Prestige 324 via FTP, you can configure a filter to block FTP connections from the WAN.
Before configuring a filter, you need to know the following information:
- The inbound packet type (protocol and port number): in this case it is the TCP (06)
protocol with destination port 20 or 21.
- The source IP address: in this case we block all connections from outside, so the
source IP is 0.0.0.0 (with mask 0.0.0.0, which matches any address).
- The destination IP address: this is the Prestige 324's WAN IP address, but it is not
available in the SUA case, since most WAN IP addresses are assigned dynamically by the
ISP. So, we can only enter 0.0.0.0 as the destination IP in the filter rule. Once
0.0.0.0 is set as the destination IP, no FTP connections from the WAN are allowed to
reach the Prestige 324 or the FTP server on the LAN. For the LAN-to-LAN case, enter the
Prestige 324's LAN IP as the destination IP in the filter rule; after that FTP filter is
applied to the remote node, it blocks only FTP connections to the Prestige 324 itself and
still permits FTP connections to the local FTP server.
- Create a filter set in Menu 21, e.g., set 4
- Create two filter rules in Menu 21.4.1 and Menu 21.4.2
- Rule 1 - block the inbound FTP packet, TCP (06) protocol with port number 20
- Rule 2 - block the inbound FTP packet, TCP (06) protocol with port number 21
- Apply the filter set in the remote node, Menu 11
- Create a filter set in Menu 21
Menu 21 - Filter Set Configuration

Filter                       Filter
Set #   Comments             Set #   Comments
------  ----------------     ------  ----------------
  1     NetBIOS_WAN            7     _______________
  2     NetBIOS_LAN            8     _______________
  3     Telnet_WAN             9     _______________
  4     FTP_WAN               10     _______________
  5     _______________       11     _______________
  6     _______________       12     _______________

Enter Filter Set Number to Configure= 4

Edit Comments= FTP_WAN

Press ENTER to Confirm or ESC to Cancel:
- Rule 1 - block the inbound FTP packet, TCP (06) protocol with port number 20
Menu 21.4.1 - TCP/IP Filter Rule

    Filter #: 4,1
    Filter Type= TCP/IP Filter Rule
    Active= Yes
    IP Protocol= 6     IP Source Route= No
    Destination: IP Addr= 0.0.0.0
                 IP Mask= 0.0.0.0
                 Port #= 20
                 Port # Comp= Equal
         Source: IP Addr= 0.0.0.0
                 IP Mask= 0.0.0.0
                 Port #=
                 Port # Comp= None
    TCP Estab= No
    More= No           Log= None
    Action Matched= Drop
    Action Not Matched= Check Next Rule

Press ENTER to Confirm or ESC to Cancel:
- Rule 2 - block the inbound FTP packet, TCP (06) protocol with port number 21
Menu 21.4.2 - TCP/IP Filter Rule

    Filter #: 4,2
    Filter Type= TCP/IP Filter Rule
    Active= Yes
    IP Protocol= 6     IP Source Route= No
    Destination: IP Addr= 0.0.0.0
                 IP Mask= 0.0.0.0
                 Port #= 21
                 Port # Comp= Equal
         Source: IP Addr= 0.0.0.0
                 IP Mask= 0.0.0.0
                 Port #=
                 Port # Comp= None
    TCP Estab= No
    More= No           Log= None
    Action Matched= Drop
    Action Not Matched= Forward

Press ENTER to Confirm or ESC to Cancel:
- When the two rules are completed, you can see the rule summary in Menu 21.4
Menu 21.4 - Filter Rules Summary

 # A Type Filter Rules                                     M m n
 - - ---- ------------------------------------------- - - -
 1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=20             N D N
 2 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=21             N D F
 3 N
 4 N
 5 N
 6 N
- In Menu 11, choose the remote node on which you want to block the inbound FTP
connections and set 'Edit Filter Sets' to 'Yes' to open Menu 11.5.
- Enter the filter set number '4' in the 'Input Protocol Filter Set' field of Menu 11.5
to activate the FTP_WAN filter.
Menu 11.5 - Remote Node Filter

    Input Filter Sets:
        protocol filters= 4
          device filters=
    Output Filter Sets:
        protocol filters=
          device filters=
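To check the rule logic before typing it into the SMT menus, the following added example (not ZyXEL's code, and not taken from this page) models how a filter set like FTP_WAN is walked: each rule compares protocol, masked source/destination addresses and ports, then applies 'Action Matched' or 'Action Not Matched', where 'Check Next Rule' falls through to the following rule. It reproduces the two rules from Menu 21.4.1 and 21.4.2, the LAN-to-LAN variant with the router's LAN IP as destination, and the misconfiguration in which rule 1 uses 'Forward' as its not-matched action, so that port 21 is never inspected. The traffic, the addresses 203.0.113.5, 198.51.100.7 and 192.168.1.x, the comparators other than 'Equal' and 'None', and the forward-by-default at the end of the set are all constructed assumptions for the example.

```python
# Added example (not from the ZyXEL page): a small model of Prestige-style
# TCP/IP filter-set evaluation, used to check the FTP_WAN rules offline.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

ANY = "0.0.0.0"  # address 0.0.0.0 with mask 0.0.0.0 is treated as a wildcard


def addr_matches(rule_addr: str, rule_mask: str, pkt_addr: str) -> bool:
    """Compare the packet address with the rule address under the rule's mask."""
    mask = int(IPv4Address(rule_mask))
    return (int(IPv4Address(pkt_addr)) & mask) == (int(IPv4Address(rule_addr)) & mask)


def port_matches(comp: str, rule_port: Optional[int], pkt_port: int) -> bool:
    """'Port # Comp' semantics. Only 'Equal' and 'None' appear on the page; the
    other comparators are assumed for completeness."""
    if comp == "None":
        return True
    if comp == "Equal":
        return pkt_port == rule_port
    if comp == "Not Equal":
        return pkt_port != rule_port
    if comp == "Less":
        return pkt_port < rule_port
    if comp == "Greater":
        return pkt_port > rule_port
    raise ValueError(f"unknown comparator {comp!r}")


@dataclass(frozen=True)
class Packet:
    protocol: int  # 6 = TCP, 17 = UDP
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """One Menu 21.x.y TCP/IP filter rule (only the fields this example uses)."""
    active: bool
    protocol: int
    dst_addr: str
    dst_mask: str
    dst_port: Optional[int]
    dst_comp: str
    src_addr: str
    src_mask: str
    src_port: Optional[int]
    src_comp: str
    action_matched: str      # "Drop", "Forward" or "Check Next Rule"
    action_not_matched: str  # same choices

    def matches(self, pkt: Packet) -> bool:
        return (pkt.protocol == self.protocol
                and addr_matches(self.dst_addr, self.dst_mask, pkt.dst)
                and port_matches(self.dst_comp, self.dst_port, pkt.dport)
                and addr_matches(self.src_addr, self.src_mask, pkt.src)
                and port_matches(self.src_comp, self.src_port, pkt.sport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Walk the set in order. 'Check Next Rule' falls through; a packet that
    reaches the end of the set without a verdict is forwarded (assumed default)."""
    for rule in rules:
        if not rule.active:
            continue
        action = rule.action_matched if rule.matches(pkt) else rule.action_not_matched
        if action in ("Drop", "Forward"):
            return action
    return "Forward"


def ftp_rules(dst_addr: str = ANY, dst_mask: str = ANY,
              rule1_not_matched: str = "Check Next Rule") -> List[Rule]:
    """The two FTP_WAN rules from Menu 21.4.1 / 21.4.2. Passing the router's LAN
    IP with a 255.255.255.255 mask gives the LAN-to-LAN variant the page describes."""
    def rule(port: int, not_matched: str) -> Rule:
        return Rule(True, 6, dst_addr, dst_mask, port, "Equal",
                    ANY, ANY, None, "None", "Drop", not_matched)
    return [rule(20, rule1_not_matched), rule(21, "Forward")]


# Constructed sample traffic: WAN client 203.0.113.5 to the router's WAN side.
FTP_CTRL = Packet(6, "203.0.113.5", "198.51.100.7", 40000, 21)
FTP_DATA = Packet(6, "203.0.113.5", "198.51.100.7", 40001, 20)
HTTP = Packet(6, "203.0.113.5", "198.51.100.7", 40002, 80)
UDP_21 = Packet(17, "203.0.113.5", "198.51.100.7", 40003, 21)

if __name__ == "__main__":
    wan = ftp_rules()
    for p in (FTP_CTRL, FTP_DATA, HTTP, UDP_21):
        print(f"FTP_WAN proto={p.protocol:>2} dport={p.dport:<3} -> {evaluate(wan, p)}")
    # LAN-to-LAN variant: only FTP to the router's own LAN IP is dropped.
    lan = ftp_rules("192.168.1.1", "255.255.255.255")
    for dst in ("192.168.1.1", "192.168.1.10"):
        print(f"FTP_LAN dst={dst:<13} -> {evaluate(lan, Packet(6, '192.168.1.20', dst, 40004, 21))}")
    # Misconfiguration: 'Action Not Matched= Forward' on rule 1 never reaches rule 2.
    print(f"broken  dport=21 -> {evaluate(ftp_rules(rule1_not_matched='Forward'), FTP_CTRL)}")
```

Running the script shows ports 20 and 21 dropped and port 80 or UDP traffic forwarded by the wildcard set, only 192.168.1.1:21 dropped by the LAN variant, and port 21 slipping through when rule 1 ends the set with 'Forward' instead of 'Check Next Rule'; that last line is the check worth making whenever more than one rule is chained in a set.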
All contents copyright © 1999 ZyXEL Communications Corporation.