Monitoring Packet Filtering

To view all the filters that you have created, you can save the filter information to a text file. To create this file, load FILTCFG and select Save Filters to a Text File from the Filter Configuration Available Options menu. You can save the file to any name you prefer, such as MYFILTER.

You can also monitor the operation of the filters you have created to confirm that they filter the packet types you intended. For more information on packet filter logging, refer to the packet filtering online documentation.


Packet Filtering Security

Because packet filtering does not inspect the packet's Application-layer data, it is the least secure but most efficient of the firewall methods. A packet that passes the filter checks is routed through the firewall. Because this approach requires less processing per packet than the other methods, it is the fastest solution.

Packet filtering has the following advantages:

Packet filtering has the following limitations:

Two basic security policy philosophies can be applied in packet filtering:

The default packet filtering mode (secure mode), which is normally selected during Novell BorderManager 3.8 installation, takes the first approach---deny everything. This is the better choice when you initially set up your Novell BorderManager 3.8 server because you are more likely to make mistakes that could compromise security when you first install and configure the server.

When Novell BorderManager 3.8 is installed, a set of default filters prevents access to the Internet without the services of an application proxy or a gateway, as listed in the following table.

Columns: Filter Type, Protocol, Setting

IPX Filters
  Outgoing (to Public interface)
    SAP                Deny Service Name * and Service Type FFFFh (All)
    RIP                Deny Network 00000000h and mask 00000000h
    Packet Forwarding  Deny All packets
  Incoming (from Public Interface)
    SAP                Deny Service Name * and Service Type FFFFh (All)
    RIP                Deny Network 00000000h and mask 00000000h
    Packet Forwarding  Deny All packets

IP Filters
  Outgoing (to Public interface)
    RIP                Do not advertise All routes
    EGP                Do not advertise All routes
    Packet Forwarding  Deny All packets
  Incoming (from Public Interface)
    RIP                Do not advertise All routes
    EGP                Do not advertise All routes
    Packet Forwarding  Deny All packets

OSPF Filter
    OSPF               Deny All routes

Exception Filters
  Outgoing (to Public interface)
    Packet Forwarding  Allow All packets with destination IP address as the public IP address
  Incoming (from Public Interface)
    Packet Forwarding  Allow All packets coming from the public interface with source IP address as the public IP address and destined to the following ports and protocols:
                         TCP port 443---SSL Authentication
                         TCP ports 1024 to 65535---Dynamic TCP
                         UDP ports 1024 to 65535---Dynamic UDP
                         TCP port 213---VPN Master/Slave (IPX)
                         TCP port 353---VPN Authentication Gateway
                         UDP port 353---VPN Keep-Alive
                         SKIP (Simple Key Management for Internet Protocol) protocol 57---for VPN
                         TCP port 80---World Wide Web (WWW)---HTTP

HINT:  The Novell BorderManager 3.8 default filter settings block most traffic into and out of the server until you can configure filters that allow specific types of packets to pass. For this reason, we recommend you set up and configure packet filters after normal business hours to avoid interruption of network traffic.

Packets must be expressly permitted, and they must not be expressly denied; however, the Novell BorderManager 3.8 filter configuration utility (FILTCFG) and iManager (NBM Access Management > Filter Configuration) enable you to make exceptions to either of these conditions. After the packet data is obtained, the filter applies lists of rules: first the exception list, then the filter list. These lists determine what packets can flow to and from the network.


Filter Action Options

Filtering rules in the exception lists and filter lists are applied using one of two filter action options, Deny or Permit.


Deny

If the filter action option is set to Deny Packets in Filter List, the filter list contains the list of packets to deny and the exception list contains the list of packets to permit. Exception filters always take priority over deny filters. If a packet type is not listed in the exception filter list, it is checked against the deny filter list. If the packet type is not listed in either list, it is allowed.


Permit

If the filter action option is set to Permit Packets in Filter List, the filter list contains the list of packets to permit and the exception list contains the list of packets to deny. Exception filters always take priority over permit filters. If a packet type is not listed in the exception filter list, it is checked against the permit filter list. If the packet type is not listed in either list, it is denied.

These two filter action options can be summarized as shown in the following table.

Filter Action   Description

Deny            All packets specified in the exception list are permitted.
                All packets specified in the filter list are denied.
                If the Deny mode is enabled and no filters are specified, the router permits all packets to pass.

Permit          All packets specified in the exception list are denied.
                All packets specified in the filter list are permitted.
                If the Permit mode is enabled and no filters are specified, the router does not permit any packets to pass.
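The following Python model is an added illustration, not code from the Novell documentation or the BorderManager product. It encodes the evaluation order described above (exception list, then filter list, then the mode's default) and loads a constructed subset of the secure-mode IP defaults from the earlier table; the public IP address, the rule fields and the omission of the source-address condition are assumptions made for brevity.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

PUBLIC_IP = "203.0.113.10"  # constructed placeholder for the server's public address

@dataclass(frozen=True)
class Packet:
    direction: str                # "in" (from public interface) or "out" (to public interface)
    proto: str                    # "tcp", "udp", or an IP protocol number as text ("57" = SKIP)
    dport: Optional[int] = None   # destination port, for tcp/udp
    dst_ip: Optional[str] = None  # destination address

@dataclass(frozen=True)
class Rule:
    """One filter entry; a None field is a wildcard. ports is an inclusive destination-port range."""
    direction: Optional[str] = None
    proto: Optional[str] = None
    ports: Optional[Tuple[int, int]] = None
    dst_ip: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in (None, pkt.direction)
                and self.proto in (None, pkt.proto)
                and self.dst_ip in (None, pkt.dst_ip)
                and (self.ports is None or (pkt.dport is not None
                     and self.ports[0] <= pkt.dport <= self.ports[1])))

def evaluate(mode: str, exceptions: List[Rule], filters: List[Rule], pkt: Packet) -> str:
    """Exception list first, then filter list, then the mode's default for unlisted packets."""
    if any(r.matches(pkt) for r in exceptions):
        return "permit" if mode == "Deny" else "deny"    # exceptions always take priority
    if any(r.matches(pkt) for r in filters):
        return "deny" if mode == "Deny" else "permit"
    return "permit" if mode == "Deny" else "deny"        # unlisted: Deny mode passes it, Permit mode drops it

# Constructed approximation of the secure-mode (Deny) IP defaults from the table above;
# the source-address condition on the incoming exceptions is left out for brevity.
DEFAULT_FILTERS = [Rule()]                         # Packet Forwarding: Deny All packets
DEFAULT_EXCEPTIONS = [
    Rule("out", dst_ip=PUBLIC_IP),                 # outgoing packets addressed to the public IP
    Rule("in", "tcp", (443, 443)),                 # SSL Authentication
    Rule("in", "tcp", (1024, 65535)),              # Dynamic TCP
    Rule("in", "udp", (1024, 65535)),              # Dynamic UDP
    Rule("in", "tcp", (213, 213)),                 # VPN Master/Slave (IPX)
    Rule("in", "tcp", (353, 353)),                 # VPN Authentication Gateway
    Rule("in", "udp", (353, 353)),                 # VPN Keep-Alive
    Rule("in", "57"),                              # SKIP, IP protocol 57
    Rule("in", "tcp", (80, 80)),                   # HTTP
]

def default_decision(pkt: Packet) -> str:
    return evaluate("Deny", DEFAULT_EXCEPTIONS, DEFAULT_FILTERS, pkt)
```

Note how wide the Dynamic TCP/UDP exceptions are: any inbound packet to a port above 1023 is permitted by the defaults, which is why the text recommends reviewing and tightening the filters before relying on them.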