SafeFire Links

v1.3a

Packet Filter Guide and Reference

Contents

  1. Introduction
  2. General concepts
  3. Packet filter configuration
  4. Rule description syntax
  5. Sample rules

Introduction

This document describes the Packet Filter (PF) feature of SafeFire Links.

The following explanation assumes some knowledge of the basic principles of TCP/IP networking, i.e. what an IP address is, what an IP protocol (service) is, and what a TCP/UDP port number is. A general understanding of what an IP packet and a packet header are is also required.


General Concepts

The packet filter is one of the main facilities for protecting an internal network from unauthorized access.

The main idea of the packet filter is quite simple. Each packet passing through PF carries specific information in its packet header. PF compares this information with so-called 'rules' contained in a special database. Each rule contains a set of matching parameters and declares an action (permit or deny). When an exact match is found, the declared action is performed.

The set of matching parameters can include:


Configuration

The SafeFire Links package contains several sample configurations. Different configurations may use up to three packet filters. Each filter is configured independently through the appropriate section of the configuration file.

Each section consists of the following variables:


Rule description syntax

Each rule has the following syntax:

[<number>] action [log] protocol source destination [extra[,...]]

where


Samples

Some sample rules are provided below. Note that there is no complete set of rules applicable to every configuration, but these rules can be used as a starting point. Note that the enable variable for the appropriate filter should be set to on or yes. Special note for novices: as usual, to encourage study of the documentation, some samples intentionally contain errors, so beware and trust the documentation, not the samples.
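As an added illustration of the rule syntax from the previous section (example code written for this page, not SafeFire Links' own code and not its sample rules): a small Python evaluator for a constructed rule set in the [<number>] action [log] protocol source destination shape. The net/prefix[:port] endpoint format, the keyword any, first-match evaluation in rule-number order and an implicit final deny are assumptions of this example; the optional extra field is ignored.

```python
import ipaddress
from collections import namedtuple

# Constructed rule set in the page's general shape:
#   [<number>] action [log] protocol source destination
# The "net/prefix[:port]" endpoint format and the keyword "any" are
# assumptions of this example, not SafeFire Links' documented syntax.
RULES = """
10 deny log tcp any 192.0.2.0/24:23
20 permit tcp 198.51.100.0/24 192.0.2.10:80
30 permit udp any 192.0.2.53:53
40 deny log any any any
"""

Rule = namedtuple("Rule", "number action log proto src dst")

def parse_endpoint(text):
    """'any', 'net/prefix' or 'net/prefix:port' -> (network or None, port or None)."""
    if text == "any":
        return None, None
    net, _, port = text.partition(":")
    return ipaddress.ip_network(net, strict=False), (int(port) if port else None)

def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        fields = line.split()
        # An unnumbered rule is assumed to take the next free position.
        number = int(fields.pop(0)) if fields[0].isdigit() else len(rules) + 1
        action = fields.pop(0)
        log = bool(fields) and fields[0] == "log"
        if log:
            fields.pop(0)
        proto, src, dst = fields[:3]  # trailing 'extra' fields are ignored here
        rules.append(Rule(number, action, log, proto,
                          parse_endpoint(src), parse_endpoint(dst)))
    return sorted(rules, key=lambda r: r.number)

def endpoint_matches(ep, addr, port):
    net, p = ep
    return (net is None or ipaddress.ip_address(addr) in net) and p in (None, port)

def evaluate(rules, proto, saddr, sport, daddr, dport):
    """First match in numeric order decides; no match -> deny (assumed default)."""
    for r in rules:
        if (r.proto in ("any", proto) and endpoint_matches(r.src, saddr, sport)
                and endpoint_matches(r.dst, daddr, dport)):
            return r.action, r.number, r.log
    return "deny", None, False
```

The returned triple (action, matching rule number, log flag) makes it easy to see which rule decided a packet's fate, which is the first thing to check when a sample rule set does not behave as expected.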

SafeFire Links (C) Link Guard Solutions 1999, 2000