Next: Special Considerations for NetBIOS Up: Configuring Access to Services Previous: Gateway Logging Configuration

Restricting Gateways with Packet Filters

The CEQURUX Firewall uses packet filters to control what packets are seen by the TCP/IP stack on the firewall itself. Usually you should not need to alter these packet filters; in fact, doing so may cause problems due to conflicts between the TCP/IP stack and the transparent gateway. Nonetheless, it is possible to customise these packet filters if required. See Section 7.4.6 for more information about how to do this.

These packet filters control which packets are seen by the TCP/IP stack, and not which packets are seen by the transparent gateway, as the latter binds directly to the Ethernet cards below the IP level. The packets seen by the gateway are determined by the set of configured services. There may be occasions when additional constraints need to be imposed on the gateway. For example, if you enable NetBIOS gatewaying, you may want to restrict which hosts can have NetBIOS services gatewayed. Another possibility is to restrict the servers that can be accessed via a TCP or UDP gateway.


  
Figure 4.35: The Gateway TCP Filter Setup Screen
\includegraphics[width=14cm,height=10cm]{gwtcpfilt.ps}


  
Figure 4.36: The Gateway UDP Filter Setup Screen
\includegraphics[width=14cm,height=10cm]{gwudpfilt.ps}

The Gateway TCP and UDP Filters Setup Screens (Figures 4.35 and 4.36) allow transparent gateway-specific packet filters to be created. The fields are:

Action
Whether packets matching this filter should be accepted or dropped. Packets that don't match any filters are accepted by default. The filter rules are applied in turn, so usually you will either use a Deny filter to block a class of packets, or an Accept filter followed by a Deny filter to accept a restricted subset of packets.

Address
The host or network address of the client or server.

Bits
The number of bits of the address to match.

Ports
The range of ports to match. These are specified in the same way as source port restrictions on services.

When
The times of day and days of week that this filter should be applied.

There are two pairs of Address, Bits and Ports fields, one for the source and one for the destination. Matching is symmetric with respect to direction, so a single filter that matches a packet from a client to a server also matches the reply packets from that server back to the client.
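The following is an added illustration of how the fields above combine into a decision; it is not CEQURUX code and does not show the firewall's internal implementation. It assumes first-match evaluation with a default of accept, an inclusive port range per endpoint, a "When" made of weekdays plus a start and end time of day, and direction-independent matching of the two Address/Bits/Ports pairs. The addresses, ports and rule set (an Accept filter followed by a Deny filter that together limit NetBIOS gatewaying to one internal network) are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Endpoint:
    """One Address / Bits / Ports triple from the filter screen."""
    address: str          # host or network address
    bits: int             # number of leading address bits to match (0 = any host)
    ports: tuple          # (low, high) inclusive port range

    def matches(self, ip: str, port: int) -> bool:
        net = ipaddress.ip_network(f"{self.address}/{self.bits}", strict=False)
        low, high = self.ports
        return ipaddress.ip_address(ip) in net and low <= port <= high


@dataclass(frozen=True)
class GatewayFilter:
    """One row of the Gateway TCP/UDP Filter Setup Screen (assumed model)."""
    action: str           # "accept" or "deny"
    first: Endpoint       # one Address/Bits/Ports pair
    second: Endpoint      # the other pair; direction is not significant
    days: frozenset       # weekday numbers, 0 = Monday .. 6 = Sunday ("When")
    start: time           # start of the daily window ("When")
    end: time             # end of the daily window ("When")

    def applies_at(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() <= self.end

    def matches(self, src_ip, src_port, dst_ip, dst_port, when) -> bool:
        if not self.applies_at(when):
            return False
        # Symmetric match: the pair may be (client -> server) or (server -> client).
        forward = self.first.matches(src_ip, src_port) and self.second.matches(dst_ip, dst_port)
        reverse = self.first.matches(dst_ip, dst_port) and self.second.matches(src_ip, src_port)
        return forward or reverse


def evaluate(filters, src_ip, src_port, dst_ip, dst_port, when) -> str:
    """First matching filter decides; packets matching no filter are accepted."""
    for f in filters:
        if f.matches(src_ip, src_port, dst_ip, dst_port, when):
            return f.action
    return "accept"


# Constructed example rule set: only the internal 10.1.0.0/16 network may have
# NetBIOS (ports 137-139) gatewayed to the server 192.0.2.10, and only during
# office hours on weekdays. Note that a time-limited Deny filter stops matching
# outside its window, at which point the default accept applies again.
ANY = Endpoint("0.0.0.0", 0, (1, 65535))
INTERNAL = Endpoint("10.1.0.0", 16, (1, 65535))
NETBIOS_SERVER = Endpoint("192.0.2.10", 32, (137, 139))
OFFICE_DAYS = frozenset(range(0, 5))          # Monday to Friday

NETBIOS_FILTERS = [
    GatewayFilter("accept", INTERNAL, NETBIOS_SERVER, OFFICE_DAYS, time(8, 0), time(18, 0)),
    GatewayFilter("deny", ANY, NETBIOS_SERVER, OFFICE_DAYS, time(8, 0), time(18, 0)),
]

WEEKDAY = datetime(2024, 1, 10, 10, 0)        # a Wednesday, 10:00
WEEKEND = datetime(2024, 1, 13, 10, 0)        # a Saturday, 10:00

if __name__ == "__main__":
    print(evaluate(NETBIOS_FILTERS, "10.1.2.3", 1025, "192.0.2.10", 139, WEEKDAY))    # accept
    print(evaluate(NETBIOS_FILTERS, "203.0.113.5", 1025, "192.0.2.10", 139, WEEKDAY))  # deny
    print(evaluate(NETBIOS_FILTERS, "192.0.2.10", 139, "10.1.2.3", 1025, WEEKDAY))    # accept (reverse direction)
    print(evaluate(NETBIOS_FILTERS, "203.0.113.5", 1025, "192.0.2.10", 80, WEEKDAY))   # accept (no filter matches)
```

The Accept filter must precede the Deny filter: with first-match semantics, reversing them would deny the internal clients as well. The last case also shows why a Deny filter is needed at all, since a packet that matches nothing is accepted by default.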


Copyright © 2004, CEQURUX Technologies