-
Notifications
You must be signed in to change notification settings - Fork 321
IPFilter
IPFilter — Click element; filters IP packets by contents
IPFilter(ACTION_1 PATTERN_1, ..., ACTION_N PATTERN_N)
Ports: 1 input, any number of outputs
Processing: push
Filters IP packets. IPFilter can have an arbitrary number of filters, which are ACTION-PATTERN pairs. The ACTIONs describe what to do with packets, while the PATTERNs are tcpdump-like patterns; see IPClassifier for a description of their syntax. Packets are tested against the filters in order, and are processed according to the ACTION in the first filter that matched.
Each ACTION is either a port number, which specifies that the packet should be
sent out on that port; 'allow', which is equivalent to '0'; or 'drop'
, which means drop the packet. You can also say 'deny' instead of
'drop'.
The IPFilter element has an arbitrary number of outputs. Input packets must have their IP header annotation set; CheckIPHeader and MarkIPHeader do this.
Every IPFilter element has an equivalent corresponding IPClassifier element and vice versa. Use the element whose syntax is more convenient for your needs.
This large IPFilter implements the incoming packet filtering rules for the
"Interior router" described on pp691-692 of Building Internet Firewalls,
Second Edition (Elizabeth D. Zwicky, Simon Cooper, and D. Brent Chapman,
O'Reilly and Associates, 2000). The captialized words (INTERNALNET,
BASTION, etc.) are addresses that have been registered with
AddressInfo. The rule FTP-7 has a port range that cannot be implemented
with IPFilter.
IPFilter(// Spoof-1:
deny src INTERNALNET,
// HTTP-2:
allow src BASTION && dst INTERNALNET
&& tcp && src port www && dst port > 1023 && ack,
// Telnet-2:
allow dst INTERNALNET
&& tcp && src port 23 && dst port > 1023 && ack,
// SSH-2:
allow dst INTERNALNET && tcp && src port 22 && ack,
// SSH-3:
allow dst INTERNALNET && tcp && dst port 22,
// FTP-2:
allow dst INTERNALNET
&& tcp && src port 21 && dst port > 1023 && ack,
// FTP-4:
allow dst INTERNALNET
&& tcp && src port > 1023 && dst port > 1023 && ack,
// FTP-6:
allow src BASTION && dst INTERNALNET
&& tcp && src port 21 && dst port > 1023 && ack,
// FTP-7 omitted
// FTP-8:
allow src BASTION && dst INTERNALNET
&& tcp && src port > 1023 && dst port > 1023,
// SMTP-2:
allow src BASTION && dst INTERNAL_SMTP
&& tcp && src port 25 && dst port > 1023 && ack,
// SMTP-3:
allow src BASTION && dst INTERNAL_SMTP
&& tcp && src port > 1023 && dst port 25,
// NNTP-2:
allow src NNTP_FEED && dst INTERNAL_NNTP
&& tcp && src port 119 && dst port > 1023 && ack,
// NNTP-3:
allow src NNTP_FEED && dst INTERNAL_NNTP
&& tcp && src port > 1023 && dst port 119,
// DNS-2:
allow src BASTION && dst INTERNAL_DNS
&& udp && src port 53 && dst port 53,
// DNS-4:
allow src BASTION && dst INTERNAL_DNS
&& tcp && src port 53 && dst port > 1023 && ack,
// DNS-5:
allow src BASTION && dst INTERNAL_DNS
&& tcp && src port > 1023 && dst port 53,
// Default-2:
deny all);
- program (read-only) — Returns a human-readable definition of the program the IPFilter element is using to classify packets. At each step in the program, four bytes of packet data are ANDed with a mask and compared against four bytes of classifier pattern.
IPClassifier, Classifier, CheckIPHeader, MarkIPHeader, CheckIPHeader2, AddressInfo, tcpdump
Generated by click-elem2man from ../elements/ip/ipfilter.hh:7 on 2017/10/17.