(ASCEND) Configuring Your filter(Revised)(PipeX)

To: ascend-users@bungi.com
Subject: (ASCEND) Configuring Your filter(Revised)(PipeX)
From: Jake Schleich <jake@ican.net>
Date: Tue, 17 Mar 1998 11:08:59 -0500
Organization: ACC
Sender: owner-ascend-users@max.bungi.com

I just implemented this filter on my Pipe at home:

In addition to preventing the UDP packet 9 kill, it will also prevent ip
spoofing of local addresses.
So you are covering yourself two ways.
I just quickly fired this off, if there is a mistake please drop me a
line, but I'm pretty sure its ok.

90-504 UDPFIX

 In filter 01

 >Valid =Yes

 Type = IP

 Generic...

 IP...
--
Ip...

Forward=No

Src mask=255.255.255.X(whatever your subnet is)

Src Adrs=(fill your NETWORK address in here, not your routers ip)

Dst Mask=0.0.0.0

Dst Adrs=0.0.0.0

Protocol=0

Src port cmp= none

Src port #=n/a

Dst Port Cmp = None

Dst Port # = N/A

TCP Estab=N/A

======
If an incoming packet has the local address, do not forward onto
ethernet.
======
---

In filter 02

Ip..

Forward=No

Src msk=255.0.0.0

Src Adrs=127.0.0.0

Dst Mask and address leave 0.0.0.0

Protocol=0

Src port Cmp=None

Dst port cmp=None

Dst Port #=N/A

TCP Estab=N/A
----
=====
Sets loopback address, if incoming packet has this address, it will not
be forwarded onto ethernet.
=====
----

IN Filter 03


 Ip...

 Forward = No

 Src Mask = 0.0.0.0

 Src Adrs = 0.0.0.0

 Dst Mask = 0.0.0.0

 Dst Adrs = 0.0.0.0

 Protocol = 17

 Src Port Cmp = None

 Src Port # = N/A

 Dst Port Cmp = Eql

 Dst Port # = 9

 TCP Estab = N/A

---
======
Fixes the Discard port 9 problem
======
---

 In filter 04

 >Valid =Yes

 Type = IP

 Generic...

 IP...



 Ip...

 Forward = Yes

 Src Mask = 0.0.0.0

 Src Adrs = 0.0.0.0

 Dst Mask = 0.0.0.0

 Dst Adrs = 0.0.0.0

 Protocol = 0

 Src Port Cmp = None

 Src Port # = N/A

 Dst Port Cmp = None

 Dst Port # = 0

 TCP Estab = N/A
----
=====
Make sure the rest gets through
=====
----

---------

Now you must configure one OUT filter:

Out filter 01:

Ip..

Forward=yes

Src mask=255.255.255.X

Src Adrs=(your NETWORK address, not router ip)

Dst Mask=0.0.0.0

Dst Adrs= 0.0.0.0

Protocol=0

Src Port Cmp=None

Src Port#=N/A

Dst Port Cmp= None

Dst Port#=N/A

TCP Estab=N/A

---
====
Specifies local net mask and address, if outgoing packet has local
source address let it go out
====



Save (and reset..not sure if u need to, but may as well be safe about
it)
yer all done.



--
==================================================
Jake Schleich  (jake@ican.net)
Implementation Administrator -WAN Terminations
ACC Internet Division http://www.ican.net
(416) 207-7142  Corporate Support:(888)ACC-8577
==================================================


++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>

Follow-Ups:

Re: (ASCEND) Configuring Your filter(Revised)(PipeX)

From: Jeremy Bouse <undrgrid@undergrid.net>

Prev by Date: (ASCEND) news.com - Ascend Kill Article
Next by Date: Re: (ASCEND) [rootshell] Security Bulletin #16 (fwd)
Prev by thread: (ASCEND) Re: ascend kill
Next by thread: Re: (ASCEND) Configuring Your filter(Revised)(PipeX)
Index(es):
- Main
- Thread