Re: (ASCEND) Packet Filtering Load

To: ascend-users@bungi.com (Ascend Mailing List)
Subject: Re: (ASCEND) Packet Filtering Load
From: Joe Pautler <pautler@grasshopper.cit.buffalo.edu>
Date: Tue, 21 Apr 1998 08:55:22 -0400 (EDT)
In-Reply-To: <199804201302.JAA13697@mail.eclipse.net> from "Erich" at Apr 20, 98 08:06:36 am
Sender: owner-ascend-users@max.bungi.com

Erich wrote:
]
]We are concidering adding a filter to the default user profile. This
]would cause filtering of *all* packets in our Maxen.
]
]1) Has anyone else done this?

we have the following filter in our default profile:

# "inbound" and "outbound" are with respect to the Max, on the
# dialin (remote user) interface.  All offsets are calculated
# based on ethernet frames.
#
# 1. Drop all incoming packets that have an IP header length of anything
#    other than 05....in other words, drop all packets with IP options.
# 2. Forward all outbound packets from tcp port 20 (ftp-data).
#    This is to let the TCP SYN packets through.
# 3. Forward all outbound packets destined for tcp port 113 (ident).
#    This is to let the TCP SYN packets through.
# 4. Make sure it's a TCP packet and...
#    5. Forward outbound packets destined for TCP ports 6000-6007
#       This allows for exported Xwindow displays.
# 6. Make sure it's a TCP packet and...
#    7. Drop outbound TCP packets with SYN=1 && ACK=0.
#       These are packets trying to initiate a TCP connection.
# 8. Forward all inbound IP packets that have made it to this rule.
# 9. Forward all outbound IP packets that have made it to this rule.

         Ascend-Data-Filter = "generic in drop 14 0f 05 !=",
         Ascend-Data-Filter = "ip out forward tcp srcport = ftp-data",
         Ascend-Data-Filter = "ip out forward tcp dstport = 113",
         Ascend-Data-Filter = "generic out forward 23 ff 06 more",
          Ascend-Data-Filter = "generic out forward 36 fff8 1770",
         Ascend-Data-Filter = "generic out drop 23 ff 06 more",
          Ascend-Data-Filter = "generic out drop 47 12 02",
         Ascend-Data-Filter = "ip in forward 0 0 0",
         Ascend-Data-Filter = "ip out forward 0 0 0",


]Does this cause any significant 
]degredation of routing speed?

we haven't had any problems.  although we've only had the box in production
for a few months, and it has always been like this - so we don't have
anything to really compare it with.  i did some single user tests
with and without the filter, and didn't find any difference...but that
was with only one user on the box.



]2) Does anyone know of any Mibs or commands to check processor load? 
]3) If so, what is the load we do not want to pass?

i really hope someone from ascend can address those questions.  i've seen
them asked here multiple times, but have never seen an official answer.

___________________________________________________________________________
Joe Pautler, E.I.T.                             University at Buffalo
CIT/OSS Network Engineering                     224 Computing Center
http://www.oss.buffalo.edu/~pautler             (716) 645-3536

++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>

References:

(ASCEND) Packet Filtering Load

From: "Erich (Rick) Reinecker" <ewr@eclipse.net>

Prev by Date: (ASCEND) Dialing out thru a TNT/4000 from a unix platform
Next by Date: Re: (ASCEND) No 56Kflex connections on 4048
Prev by thread: (ASCEND) Packet Filtering Load
Next by thread: (ASCEND) P75 NAT work around.
Index(es):
- Main
- Thread