Jake Schleich wrote:
> I just implemented this filter on my Pipe at home:
>
> In addition to preventing the UDP packet 9 kill, it will also prevent ip
> spoofing of local addresses.
> So you are covering yourself two ways.
> I just quickly fired this off; if there is a mistake please drop me a
> line, but I'm pretty sure it's ok.
>

There have been a couple more entries that are needed. Just in from Ascend:
generic filters.. read below. Kudos to Cyril for identifying the problem.

This filter profile will:

a) Not allow spoofed packets originating from outside your network in,
   identifying themselves as being from your local network. (This is just
   good all around for security.)
b) Fix the UDP discard bug INCOMING and OUTGOING, as opposed to just
   incoming previously.
c) Fix the Arp table situation Cyril found.. yay!

Again, please let me know of any problems you find with this... everything
should be ok.. the spoofing prevention is textbook stuff and the fix is
directly from Ascend. Let's give 'er a try.

> 90-504 UDPFIX
>
> In filter 01
>   >Valid =Yes
>   Type = IP
>   Generic...
>   IP...
>   --
>   Ip...
>   Forward=No
>   Src mask=255.255.255.X (whatever your subnet is)
>   Src Adrs=(fill your NETWORK address in here, not your router's ip)
>   Dst Mask=0.0.0.0
>   Dst Adrs=0.0.0.0
>   Protocol=0
>   Src port cmp= none
>   Src port #=n/a
>   Dst Port Cmp = None
>   Dst Port # = N/A
>   TCP Estab=N/A
>
> ======
> If an incoming packet has the local address, do not forward onto
> ethernet.
> ======
> ---
>
> In filter 02
>   Ip..
>   Forward=No
>   Src msk=255.0.0.0
>   Src Adrs=127.0.0.0
>   Dst Mask and address leave 0.0.0.0
>   Protocol=0
>   Src port Cmp=None
>   Dst port cmp=None
>   Dst Port #=N/A
>   TCP Estab=N/A
> ----
> =====
> Sets loopback address; if incoming packet has this address, it will not
> be forwarded onto ethernet.
> =====
> ----
>
> IN Filter 03
>   Ip...
>   Forward = No
>   Src Mask = 0.0.0.0
>   Src Adrs = 0.0.0.0
>   Dst Mask = 0.0.0.0
>   Dst Adrs = 0.0.0.0
>   Protocol = 17
>   Src Port Cmp = None
>   Src Port # = N/A
>   Dst Port Cmp = Eql
>   Dst Port # = 9
>   TCP Estab = N/A
> ---
> ======
> Fixes the Discard port 9 problem
> ======
> ---

==========CHANGES START--INSERT THIS=
Out filter 04
  >Valid =Yes
  Type = GENERIC
  Generic...
  IP...
  Generic...
  >Forward=Yes
  Offset=0
  Length=0
  Mask=0000000000000000
  Value=0000000000000000
  Compare=Equals
  More=No
======END CHANGE 1=========

> In filter 05
>   >Valid =Yes
>   Type = IP
>   Generic...
>   IP...
>   Ip...
>   Forward = Yes
>   Src Mask = 0.0.0.0
>   Src Adrs = 0.0.0.0
>   Dst Mask = 0.0.0.0
>   Dst Adrs = 0.0.0.0
>   Protocol = 0
>   Src Port Cmp = None
>   Src Port # = N/A
>   Dst Port Cmp = None
>   Dst Port # = 0
>   TCP Estab = N/A
> ----
> =====
> Make sure the rest gets through
> =====
> ----
>
> ---------
>
> Now you must configure OUT filter:
>
> Out filter 01:
>   Ip..
>   Forward=yes
>   Src mask=255.255.255.X
>   Src Adrs=(your NETWORK address, not router ip)
>   Dst Mask=0.0.0.0
>   Dst Adrs= 0.0.0.0
>   Protocol=0
>   Src Port Cmp=None
>   Src Port#=N/A
>   Dst Port Cmp= None
>   Dst Port#=N/A
>   TCP Estab=N/A
> ---
> ====
> Specifies local net mask and address; if outgoing packet has local
> source address let it go out
> ====

(This one may be redundant after adding the new ones below)

=============CHANGES START====
Out filter 02
  >Valid =Yes
  Type = IP
  Generic...
  IP...
  Ip...
  >Forward = No
  Src Mask = 0.0.0.0
  Src Adrs = 0.0.0.0
  Dst Mask = 0.0.0.0
  Dst Adrs = 0.0.0.0
  Protocol = 17
  Src Port Cmp = None
  Src Port # = N/A
  Dst Port Cmp = Eql
  Dst Port # = 9
  TCP Estab = N/A
--
Out filter 03
  >Valid =Yes
  Type = GENERIC
  Generic...
  IP...
  Generic...
  >Forward=Yes
  Offset=0
  Length=0
  Mask=0000000000000000
  Value=0000000000000000
  Compare=Equals
  More=No
======END OF ADDITIONAL CHANGES===

> Save (and reset..not sure if u need to, but may as well be safe about
> it)
> yer all done.
>
> --
> ==================================================
> Jake Schleich (jake@ican.net)
> Implementation Administrator -WAN Terminations
> ACC Internet Division http://www.ican.net
> (416) 207-7142 Corporate Support:(888)ACC-8577
> ==================================================

PLEASE IGNORE ANYTHING ELSE APPENDED TO THIS-----------------
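The revised In/Out filter set above, modelled as a small first-match evaluator so each entry's effect can be checked against sample packets. This is an added example, not code from the post or from Ascend; it assumes the Pipeline semantics the post's "make sure the rest gets through" entry implies (entries tried in order, first match decides, no match means drop) and uses a constructed local network of 192.0.2.0/24 in place of the post's 255.255.255.X / NETWORK placeholders.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample network: the post leaves "255.255.255.X" and
# "your NETWORK address" for the reader; 192.0.2.0/24 stands in here.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")   # Src Mask 0.0.0.0 / Src Adrs 0.0.0.0
UDP, TCP = 17, 6                          # "Protocol =" values; 0 means any

@dataclass
class Rule:
    """One filter entry. A Type=GENERIC entry with Length=0 is modelled as Rule(True)."""
    forward: bool
    src: ipaddress.IPv4Network = field(default_factory=lambda: ANY)
    proto: int = 0                       # 0 = any protocol
    dst_port: Optional[int] = None       # None = "Dst Port Cmp = None"; int = "Eql"

    def matches(self, src_ip: str, proto: int, dst_port: int) -> bool:
        return (ipaddress.ip_address(src_ip) in self.src   # (src & mask) == Src Adrs
                and self.proto in (0, proto)
                and (self.dst_port is None or self.dst_port == dst_port))

def evaluate(rules, src_ip: str, proto: int, dst_port: int = 0) -> bool:
    """Assumed Pipeline semantics: first matching entry decides; no match = drop."""
    for rule in rules:
        if rule.matches(src_ip, proto, dst_port):
            return rule.forward
    return False

IN_FILTER = [
    Rule(False, LOCAL_NET),                            # In 01: local source arriving from outside
    Rule(False, ipaddress.ip_network("127.0.0.0/8")),  # In 02: loopback source
    Rule(False, proto=UDP, dst_port=9),                # In 03: UDP to discard port 9
    Rule(True),                                        # In 04/05: generic + IP match-all, forward
]
OUT_FILTER = [
    Rule(True, LOCAL_NET),                             # Out 01: local source may leave
    Rule(False, proto=UDP, dst_port=9),                # Out 02: UDP port 9 outbound
    Rule(True),                                        # Out 03: generic match-all, forward
]
# Out 01 precedes Out 02, so an outbound UDP/9 packet from the local net is
# forwarded by Out 01 before Out 02 is consulted. Putting the port-9 drop first
# closes that gap (this reordering is the example's suggestion, not the post's).
OUT_FILTER_PORT9_FIRST = [OUT_FILTER[1], OUT_FILTER[0], OUT_FILTER[2]]

if __name__ == "__main__":
    print("inbound spoof dropped:", not evaluate(IN_FILTER, "192.0.2.7", TCP, 80))
    print("outbound UDP/9, posted order:", evaluate(OUT_FILTER, "192.0.2.7", UDP, 9))
```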
-- BEGIN included message
- To: ascend-users@bungi.com
- Subject: Configuring Your filter(Revised)(PipeX)
- From: Jake Schleich <jake@ican.net>
- Date: Tue, 17 Mar 1998 11:08:59 -0500
- Organization: ACC
I just implemented this filter on my Pipe at home:

In addition to preventing the UDP packet 9 kill, it will also prevent ip
spoofing of local addresses. So you are covering yourself two ways.
I just quickly fired this off; if there is a mistake please drop me a
line, but I'm pretty sure it's ok.

90-504 UDPFIX

In filter 01
  >Valid =Yes
  Type = IP
  Generic...
  IP...
  --
  Ip...
  Forward=No
  Src mask=255.255.255.X (whatever your subnet is)
  Src Adrs=(fill your NETWORK address in here, not your router's ip)
  Dst Mask=0.0.0.0
  Dst Adrs=0.0.0.0
  Protocol=0
  Src port cmp= none
  Src port #=n/a
  Dst Port Cmp = None
  Dst Port # = N/A
  TCP Estab=N/A

======
If an incoming packet has the local address, do not forward onto
ethernet.
======
---

In filter 02
  Ip..
  Forward=No
  Src msk=255.0.0.0
  Src Adrs=127.0.0.0
  Dst Mask and address leave 0.0.0.0
  Protocol=0
  Src port Cmp=None
  Dst port cmp=None
  Dst Port #=N/A
  TCP Estab=N/A
----
=====
Sets loopback address; if incoming packet has this address, it will not
be forwarded onto ethernet.
=====
----

IN Filter 03
  Ip...
  Forward = No
  Src Mask = 0.0.0.0
  Src Adrs = 0.0.0.0
  Dst Mask = 0.0.0.0
  Dst Adrs = 0.0.0.0
  Protocol = 17
  Src Port Cmp = None
  Src Port # = N/A
  Dst Port Cmp = Eql
  Dst Port # = 9
  TCP Estab = N/A
---
======
Fixes the Discard port 9 problem
======
---

In filter 04
  >Valid =Yes
  Type = IP
  Generic...
  IP...
  Ip...
  Forward = Yes
  Src Mask = 0.0.0.0
  Src Adrs = 0.0.0.0
  Dst Mask = 0.0.0.0
  Dst Adrs = 0.0.0.0
  Protocol = 0
  Src Port Cmp = None
  Src Port # = N/A
  Dst Port Cmp = None
  Dst Port # = 0
  TCP Estab = N/A
----
=====
Make sure the rest gets through
=====
----

---------

Now you must configure one OUT filter:

Out filter 01:
  Ip..
  Forward=yes
  Src mask=255.255.255.X
  Src Adrs=(your NETWORK address, not router ip)
  Dst Mask=0.0.0.0
  Dst Adrs= 0.0.0.0
  Protocol=0
  Src Port Cmp=None
  Src Port#=N/A
  Dst Port Cmp= None
  Dst Port#=N/A
  TCP Estab=N/A
---
====
Specifies local net mask and address; if outgoing packet has local
source address let it go out
====

Save (and reset..not sure if u need to, but may as well be safe about
it)
yer all done.

--
==================================================
Jake Schleich (jake@ican.net)
Implementation Administrator -WAN Terminations
ACC Internet Division http://www.ican.net
(416) 207-7142 Corporate Support:(888)ACC-8577
==================================================
-- END included message