Ascend Archive

Re: (ASCEND) Part II-Configuring Your filter(FIXED)(PipeX)



I had a problem of another sort here as well. It seems that when the source
address is defined in this filter, it denies all packets from going through,
at least while I was logged in remotely to my network at home.

I have since turned off the IN filter that defines the src adrs and src mask.
The rest of the filter profile seems to work fine.
It will still not allow packets in that are defined as coming from localhost,
but not the exact subnet you are on.
Mine was a 255.255.255.248 subnet, and while this all seems to follow the
example in the manual, it doesn't seem to work.
Oh well, go with what works, I guess. The basic filter I posted will work with
no problem at all, so if worse comes to worst, use that.

So turn OFF the IN filter that specifies src adrs= (your network address)

Cheers
Jake

PS:
Technically, though, the subnet you defined is a /25 aggregate, so you have
defined 128 IPs (.128 subnet mask).
Inside C -2
Anyway, I would just double-check your IP range characteristics. I'm not an
expert on this, but I have run into problems trying to specify ranges that
are technically a class B address, where I was trying to define them as a C.
(That happened on a Novell client. I had no choice at that point but to
request reprovisioning of new IPs to that customer.)
Anyway, I'm sure one of these other IP junkies could give you the down and
dirty on why the MAX doesn't like these settings.


Bennie Warren wrote:

> I could please use some help. I put the following addresses down for mask
> and max address and get an error telling me too many bits in subnet for
> the address. You said not the router's IP, so any idea what goes here?
> Thanks
>
> Bennie
>
> > 90-504 UDPFIX
> >
> >  In filter 01
> >
> >  >Valid =Yes
> >
> >  Type = IP
> >
> >  Generic...
> >
> >  IP...
> > --
> > Ip...
> >
> > Forward=No
> >
> > Src mask=255.255.255.X(whatever your subnet is)
> I put 255.255.255.128 here
> >
> > Src Adrs=(fill your NETWORK address in here, not your routers ip)
> 207.126.88.130 here
> >
> > Dst Mask=0.0.0.0
> >
> > Dst Adrs=0.0.0.0
> >
> > Protocol=0
> >
> > Src port cmp= none
> >
> > Src port #=n/a
> >
> > Dst Port Cmp = None
> >
> > Dst Port # = N/A
> >
> > TCP Estab=N/A
> >
> > ======
> > If an incoming packet has the local address, do not forward onto
> > ethernet.
> > ======
> > ---
> >
> > In filter 02
> >
> > Ip..
> >
> > Forward=No
> >
> > Src msk=255.0.0.0
> >
> > Src Adrs=127.0.0.0
> >
> > Dst Mask and address leave 0.0.0.0
> >
> > Protocol=0
> >
> > Src port Cmp=None
> >
> > Dst port cmp=None
> >
> > Dst Port #=N/A
> >
> > TCP Estab=N/A
> > ----
> > =====
> > Sets loopback address, if incoming packet has this address, it will not
> > be forwarded onto ethernet.
> > =====
> > ----
> >
> > IN Filter 03
> >
> >  Ip...
> >
> >  Forward = No
> >
> >  Src Mask = 0.0.0.0
> >
> >  Src Adrs = 0.0.0.0
> >
> >  Dst Mask = 0.0.0.0
> >
> >  Dst Adrs = 0.0.0.0
> >
> >  Protocol = 17
> >
> >  Src Port Cmp = None
> >
> >  Src Port # = N/A
> >
> >  Dst Port Cmp = Eql
> >
> >  Dst Port # = 9
> >
> >  TCP Estab = N/A
> >
> > ---
> > ======
> > Fixes the Discard port 9 problem
> > ======
> > ---
> >
>
> ==========CHANGES START--INSERT THIS=Out filter 04
>  >Valid =Yes
>   Type = GENERIC
>   Generic...
>   IP...
>
>  Generic...
>
>  >Forward=Yes
>   Offset=0
>   Length=0
>   Mask=0000000000000000
>   Value=0000000000000000
>   Compare=Equals
>   More=No
>
> ======END CHANGE 1=========
>
> >  In filter 05
> >
> >  >Valid =Yes
> >
> >  Type = IP
> >
> >  Generic...
> >
> >  IP...
> >
> >  Ip...
> >
> >  Forward = Yes
> >
> >  Src Mask = 0.0.0.0
> >
> >  Src Adrs = 0.0.0.0
> >
> >  Dst Mask = 0.0.0.0
> >
> >  Dst Adrs = 0.0.0.0
> >
> >  Protocol = 0
> >
> >  Src Port Cmp = None
> >
> >  Src Port # = N/A
> >
> >  Dst Port Cmp = None
> >
> >  Dst Port # = 0
> >
> >  TCP Estab = N/A
> > ----
> > =====
> > Make sure the rest gets through
> > =====
> > ----
> >
> > ---------
> >
> > Now you must configure  OUT filter:
> >
> > Out filter 01:
> >
> > Ip..
> >
> > Forward=yes
> >
> > Src mask=255.255.255.X
> >
> > Src Adrs=(your NETWORK address, not router ip)
> >
> > Dst Mask=0.0.0.0
> >
> > Dst Adrs= 0.0.0.0
> >
> > Protocol=0
> >
> > Src Port Cmp=None
> >
> > Src Port#=N/A
> >
> > Dst Port Cmp= None
> >
> > Dst Port#=N/A
> >
> > TCP Estab=N/A
> >
> > ---
> > ====
> > Specifies local net mask and address, if outgoing packet has local
> > source address let it go out
> > ====
> > (This one may be redundant after adding the new ones below)
>
> =============CHANGES START==== Out filter 02
>  >Valid =Yes
>   Type = IP
>   Generic...
>   IP...
>
>  Ip...
>  >Forward = No
>   Src Mask = 0.0.0.0
>   Src Adrs = 0.0.0.0
>   Dst Mask = 0.0.0.0
>   Dst Adrs = 0.0.0.0
>   Protocol = 17
>   Src Port Cmp = None
>   Src Port # = N/A
>   Dst Port Cmp = Eql
>   Dst Port # = 9
>   TCP Estab = N/A
> --
>  Out filter 03
>  >Valid =Yes
>   Type = GENERIC
>   Generic...
>   IP...
>
>  Generic...
>
>  >Forward=Yes
>   Offset=0
>   Length=0
>   Mask=0000000000000000
>   Value=0000000000000000
>   Compare=Equals
>   More=No
>
> ======END OF ADDITIONAL CHANGES===
>
> > Save (and reset; not sure if you need to, but may as well be safe about
> > it).
> > You're all done.
> >
> > --
> > ==================================================
> > Jake Schleich  (jake@ican.net)
> > Implementation Administrator -WAN Terminations
> > ACC Internet Division http://www.ican.net
> > (416) 207-7142  Corporate Support:(888)ACC-8577
> > ==================================================
>
>  PLEASE IGNORE ANYTHING ELSE APPENDED TO THIS-----------------
>
> Date: Tue, 17 Mar 1998 11:08:59 -0500
> From: Jake Schleich <jake@ican.net>
> Subject: Configuring Your filter(Revised)(PipeX)
>
> I just implemented this filter on my Pipe at home:
>
> In addition to preventing the UDP port 9 kill, it will also prevent IP
> spoofing of local addresses.
> So you are covering yourself two ways.
> I just quickly fired this off; if there is a mistake please drop me a
> line, but I'm pretty sure it's OK.
>
> 90-504 UDPFIX
>
>  In filter 01
>
>  >Valid =Yes
>
>  Type = IP
>
>  Generic...
>
>  IP...
> --
> Ip...
>
> Forward=No
>
> Src mask=255.255.255.X(whatever your subnet is)
>
> Src Adrs=(fill your NETWORK address in here, not your routers ip)
>
> Dst Mask=0.0.0.0
>
> Dst Adrs=0.0.0.0
>
> Protocol=0
>
> Src port cmp= none
>
> Src port #=n/a
>
> Dst Port Cmp = None
>
> Dst Port # = N/A
>
> TCP Estab=N/A
>
> ======
> If an incoming packet has the local address, do not forward onto
> ethernet.
> ======
> ---
>
> In filter 02
>
> Ip..
>
> Forward=No
>
> Src msk=255.0.0.0
>
> Src Adrs=127.0.0.0
>
> Dst Mask and address leave 0.0.0.0
>
> Protocol=0
>
> Src port Cmp=None
>
> Dst port cmp=None
>
> Dst Port #=N/A
>
> TCP Estab=N/A
> ----
> =====
> Sets loopback address, if incoming packet has this address, it will not
> be forwarded onto ethernet.
> =====
> ----
>
> IN Filter 03
>
>  Ip...
>
>  Forward = No
>
>  Src Mask = 0.0.0.0
>
>  Src Adrs = 0.0.0.0
>
>  Dst Mask = 0.0.0.0
>
>  Dst Adrs = 0.0.0.0
>
>  Protocol = 17
>
>  Src Port Cmp = None
>
>  Src Port # = N/A
>
>  Dst Port Cmp = Eql
>
>  Dst Port # = 9
>
>  TCP Estab = N/A
>
> ---
> ======
> Fixes the Discard port 9 problem
> ======
> ---
>
>  In filter 04
>
>  >Valid =Yes
>
>  Type = IP
>
>  Generic...
>
>  IP...
>
>  Ip...
>
>  Forward = Yes
>
>  Src Mask = 0.0.0.0
>
>  Src Adrs = 0.0.0.0
>
>  Dst Mask = 0.0.0.0
>
>  Dst Adrs = 0.0.0.0
>
>  Protocol = 0
>
>  Src Port Cmp = None
>
>  Src Port # = N/A
>
>  Dst Port Cmp = None
>
>  Dst Port # = 0
>
>  TCP Estab = N/A
> ----
> =====
> Make sure the rest gets through
> =====
> ----
>
> ---------
>
> Now you must configure one OUT filter:
>
> Out filter 01:
>
> Ip..
>
> Forward=yes
>
> Src mask=255.255.255.X
>
> Src Adrs=(your NETWORK address, not router ip)
>
> Dst Mask=0.0.0.0
>
> Dst Adrs= 0.0.0.0
>
> Protocol=0
>
> Src Port Cmp=None
>
> Src Port#=N/A
>
> Dst Port Cmp= None
>
> Dst Port#=N/A
>
> TCP Estab=N/A
>
> ---
> ====
> Specifies local net mask and address, if outgoing packet has local
> source address let it go out
> ====
>
> Save (and reset; not sure if you need to, but may as well be safe about
> it).
> You're all done.
>
>
> ----------------- End Forwarded Message -----------------
>
> **************************************
> Bennie Warren             /\
> LemooreNet               / /
> 320 West D Street       / /
> Lemoore, CA  93245     / /    /\    /\
> Phone:  209.924.5909  / /_ _ /  \  / /
> Fax  209.924.9578     \ _ _ / /\ \/ /
> bennie@lemoorenet.com      / /  \  /
> http://www.lemoorenet.com /_/    \/
> **************************************



--
==================================================
Jake Schleich  (jake@ican.net)
Implementation Administrator -WAN Terminations
ACC Internet Division http://www.ican.net
(416) 207-7142  Corporate Support:(888)ACC-8577
==================================================
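Two things in the thread above are easier to reason about with a small emulation: the "too many bits in subnet for the address" error Bennie hit when entering 207.126.88.130 as Src Adrs under a 255.255.255.128 mask, and what each In/Out filter in the posted profile actually matches (local-source anti-spoof, loopback, UDP port 9, catch-all). The following is an added example written for this archive page; it is not Ascend code and not Jake's or Bennie's. It assumes Pipeline/MAX filter semantics as the thread uses them: rules are tried in numeric order, the first match decides, Src/Dst Mask is applied to the packet address before comparing with Src/Dst Adrs, Protocol 0 matches any protocol, and a packet matching no rule is dropped (which is why the posted list ends with a forward-everything rule). The packets at the bottom are constructed samples, not captured traffic.

```python
"""Emulate the posted Ascend In/Out filter lists (added example, not Ascend's
own implementation).  Assumption: first matching rule wins, no match => drop."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class IPFilter:
    name: str
    forward: bool
    src_mask: str = "0.0.0.0"    # 0.0.0.0 => any source address
    src_adrs: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    dst_adrs: str = "0.0.0.0"
    protocol: int = 0            # 0 => any; 6 = TCP, 17 = UDP
    dst_port_cmp: str = "None"   # "None" or "Eql", as in the profile
    dst_port: int = 0


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    dst_port: int = 0


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def network_address(adrs: str, mask: str) -> Optional[str]:
    """None if adrs has no host bits set under mask (a proper network address);
    otherwise the network address that should have been entered instead."""
    net = _ip(adrs) & _ip(mask)
    return None if net == _ip(adrs) else str(ipaddress.IPv4Address(net))


def matches(f: IPFilter, p: Packet) -> bool:
    # Mask both sides before comparing, so a mask of 0.0.0.0 matches anything.
    if (_ip(p.src) & _ip(f.src_mask)) != (_ip(f.src_adrs) & _ip(f.src_mask)):
        return False
    if (_ip(p.dst) & _ip(f.dst_mask)) != (_ip(f.dst_adrs) & _ip(f.dst_mask)):
        return False
    if f.protocol and p.protocol != f.protocol:
        return False
    if f.dst_port_cmp == "Eql" and p.dst_port != f.dst_port:
        return False
    return True


def evaluate(filters: List[IPFilter], p: Packet) -> Tuple[str, bool]:
    """Name of the first matching rule and whether it forwards; implicit drop."""
    for f in filters:
        if matches(f, p):
            return f.name, f.forward
    return "no match", False


def build_in_filters(local_net: str, local_mask: str) -> List[IPFilter]:
    """In filters 01-04 from the posted profile; rejects a Src Adrs with host bits."""
    fixed = network_address(local_net, local_mask)
    if fixed is not None:
        raise ValueError(f"{local_net}/{local_mask} has host bits set; "
                         f"use the network address {fixed}")
    return [
        # If an incoming packet has the local address, do not forward.
        IPFilter("In 01", forward=False, src_mask=local_mask, src_adrs=local_net),
        # Loopback source from the wire is never legitimate.
        IPFilter("In 02", forward=False, src_mask="255.0.0.0", src_adrs="127.0.0.0"),
        # Discard-port (UDP/9) fix.
        IPFilter("In 03", forward=False, protocol=17, dst_port_cmp="Eql", dst_port=9),
        # Make sure the rest gets through.
        IPFilter("In 04", forward=True),
    ]


def build_out_filters(local_net: str, local_mask: str) -> List[IPFilter]:
    """The single Out filter of the Revised profile: only local sources leave."""
    return [IPFilter("Out 01", forward=True, src_mask=local_mask, src_adrs=local_net)]


# Constructed sample packets for a 207.126.88.128/25 local network.
SAMPLES = [
    ("spoofed local source from the WAN", Packet("207.126.88.140", "207.126.88.129", 6, 22)),
    ("loopback source from the WAN",      Packet("127.0.0.1", "207.126.88.129", 6, 22)),
    ("UDP to the discard port",           Packet("198.51.100.7", "207.126.88.129", 17, 9)),
    ("ordinary inbound HTTP",             Packet("198.51.100.7", "207.126.88.129", 6, 80)),
]


def run(local_net: str = "207.126.88.128", local_mask: str = "255.255.255.128"):
    fl = build_in_filters(local_net, local_mask)
    return [(label, *evaluate(fl, p)) for label, p in SAMPLES]


if __name__ == "__main__":
    print(network_address("207.126.88.130", "255.255.255.128"))  # 207.126.88.128
    for label, rule, fwd in run():
        print(f"{label:36} -> {rule} {'forward' if fwd else 'drop'}")
```

Running it shows that 207.126.88.130 under a .128 mask is a host address (its network address is 207.126.88.128), which is the value the profile's "Src Adrs = your NETWORK address" line asks for; and that In filter 01 only ever matches packets whose masked source falls inside the local /25, so a remote source outside that range is decided by filters 02 to 04, not by 01. The same `evaluate` function applied to `build_out_filters` shows the egress side of the anti-spoof rule: a packet sourced from outside the local net matches nothing and is dropped.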


++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>