To view all the filters that you have created, you can save the filter information to a text file. To create this file, load FILTCFG and select from the menu. You can save the file to any name you prefer, such as MYFILTER. You can also monitor the operation of the filters you have created to ensure that they are actually filtering the types of packets that you intended them to filter. For more information on packet filter logging, see the Novell BorderManager 3.9 Administration Guide.
Packet filtering inspects only the packet headers; if the checks are passed successfully, the packet is allowed to be routed through the firewall. Because it does not inspect the packet's Application-layer data, packet filtering is the least secure of the firewall methods. Because it requires less processing than the other methods, it is also the fastest.
Packet filtering has the following advantages:
Client computers require no specific configuration.
Packet filters are faster because they perform less processing.
A single filter rule can deny traffic between internal and external sources.
Packet filters can accept or reject packets according to well-known protocol port numbers (such as TCP port numbers).
Packet filtering has the following limitations:
Packet filters have no alert capability.
Packet filter rules can be difficult to configure.
Two basic security policy philosophies can be applied in packet filtering:
Deny everything that is not permitted.
Permit everything that is not denied.
The default packet filtering mode (secure mode), which is normally selected during Novell BorderManager installation, takes the first approach—deny everything. This is the better choice when you initially set up your Novell BorderManager server because you are more likely to make mistakes that could compromise security when you first install and configure the server.
When Novell BorderManager is installed, a set of default filters prevents access to the Internet without the services of an application proxy or a gateway, as listed in the following table:
Table 2-6 Default packet filtering mode
HINT: The Novell BorderManager default filter settings block most traffic into and out of the server until you configure filters that allow specific types of packets to pass. For this reason, we recommend that you set up and configure packet filters after normal business hours to avoid interruption of network traffic.
Packets must be expressly permitted, and they must not be expressly denied. However, you can make exceptions to either of these conditions through iManager. After the packet data is obtained, the filter applies lists of rules: first the exception list, then the filter list. These lists determine what packets can flow to and from the network.
Filtering rules in the exception lists and filter lists are applied using one of two filter action options, Deny or Permit.
If the filter action option is set to Deny, the filter list contains the list of packets to deny and the exception list contains the list of packets to permit. Exception filters always take priority over deny filters. If a packet type is not listed in the exception filter list, it is checked against the deny filter list. If the packet type is not listed in either list, it is allowed.
If the filter action option is set to Permit, the filter list contains the list of packets to permit and the exception list contains the list of packets to deny. Exception filters always take priority over permit filters. If a packet type is not listed in the exception filter list, it is checked against the permit filter list. If the packet type is not listed in either list, it is denied.
These two filter action options can be summarized as shown in the following table.
Table 2-7 Filter Action Options
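The following is an added example, not Novell's own code or output: a small Python model of the two-list evaluation order described above (exception list first, then filter list, then the default verdict of the selected filter action). The rule fields, hosts and port numbers are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed example: a minimal model of the two-list evaluation order
# (exception list, then filter list, then the action's default verdict).
# Field names and sample addresses are assumptions, not BorderManager's own.

@dataclass(frozen=True)
class Rule:
    protocol: Optional[str] = None   # None acts as a wildcard ("any")
    src: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        return all(
            getattr(self, f) is None or getattr(self, f) == pkt.get(f)
            for f in ("protocol", "src", "dst_port")
        )

def evaluate(pkt: dict, action: str,
             exception_list: Sequence[Rule], filter_list: Sequence[Rule]) -> str:
    """Return 'permit' or 'deny' for one packet under the given filter action."""
    if action not in ("Deny", "Permit"):
        raise ValueError(f"unknown filter action {action!r}")
    # The exception list is consulted first and always wins; its verdict is the
    # opposite of the action (permit under Deny, deny under Permit).
    if any(r.matches(pkt) for r in exception_list):
        return "permit" if action == "Deny" else "deny"
    # Next the filter list, whose verdict is the action itself.
    if any(r.matches(pkt) for r in filter_list):
        return "deny" if action == "Deny" else "permit"
    # Unlisted traffic: allowed under Deny, dropped under Permit (secure mode).
    return "permit" if action == "Deny" else "deny"

# Constructed rule sets: the filter list names web traffic, the exception list
# carves out one internal host.
FILTER_LIST = [Rule(protocol="tcp", dst_port=80)]
EXCEPTION_LIST = [Rule(protocol="tcp", src="10.0.0.5", dst_port=80)]

PACKETS = {
    "web_from_excepted_host": {"protocol": "tcp", "src": "10.0.0.5", "dst_port": 80},
    "web_from_other_host":    {"protocol": "tcp", "src": "10.0.0.7", "dst_port": 80},
    "dns_unlisted":           {"protocol": "udp", "src": "10.0.0.7", "dst_port": 53},
}

def verdicts(action: str) -> dict:
    """Evaluate every sample packet under one filter action option."""
    return {name: evaluate(p, action, EXCEPTION_LIST, FILTER_LIST)
            for name, p in PACKETS.items()}
```

Running `verdicts("Deny")` and `verdicts("Permit")` on the same rule sets shows that only the unlisted DNS packet changes fate between the two options, which is why Permit with empty lists (secure mode) blocks everything until rules are added.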