User manual
Chapter 4 - Layer 3 Command Set - IP Networking Ipfw Command (IP Firewall)
Alvarion BreezeNET B130/B300 GigE 184 Operational User Manual
communications between your network and the external world pass through the
rf5.0 interface):
ipfw add rf5.0 accept tcp from 0/0 to 0/0 900:5000
ipfw add rf5.0 reject tcp from 0/0 to 0/0
The first of these filters accepts packets from external sources to ports 900 to
5000 on the inner-network hosts (ports normally assigned to internal clients). The
second filter rejects all the rest.
Unfortunately, this is not enough. Some internal servers may be assigned port
numbers within the 900 to 5000 range, and the above filter set would allow external
clients to reach those servers. The problem is to restrict external access to your
servers that have such port numbers while leaving them open for internal access.
One possible solution is to reject any attempt by an external client to establish a
TCP connection with an internal server.
The tcp_connection modifier makes this possible:
ipfw add rf5.0 reject tcp_connection from 0/0 to 0/0 900:5000
ipfw add rf5.0 accept tcp from 0/0 to 0/0 900:5000
ipfw add rf5.0 reject tcp from 0/0 to 0/0
The first filter in the above filter set wards off any attempt at TCP connection
establishment from outside clients to your internal servers with port numbers 900
to 5000. The second filter admits any other incoming TCP packets aimed at port
numbers within the same range, and the third filter rejects all other TCP packets.
The (unreliable) UDP protocol
Unlike the connection-oriented TCP protocol, UDP sends separate packets
(datagrams). Every packet is transmitted independently of all others; if there is a
logical connection or session between a client and a server communicating over
UDP, that connection or session exists only between higher-layer application
entities and is invisible to UDP.
Because all UDP packets are independent of each other, a UDP packet header carries
no information on whether it is a client-to-server or a server-to-client packet (in
fact, all UDP peers are equal in rights; the terms client and server cannot be
defined explicitly at this layer).
Therefore, the only recipe we can propose is to define as precisely as possible the
range or set of UDP port numbers that are allowed to communicate with the outer
world.
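The following model is an added illustration of both filter discussions above (the TCP filter sets with and without tcp_connection, and the UDP port allow-list); it is not code from the manual or from the Alvarion product. It assumes first-match rule evaluation in the order the text's explanation implies, models tcp_connection as a TCP segment with SYN set and ACK clear, and falls closed when no rule matches because the excerpt does not state the device's implicit policy. The udp match keyword, the 5060:5061 port range, the addresses and the sample packets are all constructed for the example.

```python
"""Model of the ipfw-style filter sets discussed above: first-match
evaluation, 'tcp_connection' treated as a TCP segment with SYN set and
ACK clear, plus an allow-list for UDP ports.  Added example, not the
manual's or the product's own code."""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str            # source IPv4 address
    dst: str            # destination IPv4 address
    dport: int          # destination port
    syn: bool = False   # TCP flags (ignored for UDP)
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str             # "accept" or "reject"
    match: str              # "tcp", "tcp_connection" or "udp" (udp keyword is assumed)
    src: str                # "0/0" means any address, otherwise CIDR
    dst: str
    ports: Optional[range]  # destination port range, None = any port


def _network(spec: str) -> ipaddress.IPv4Network:
    """'0/0' is the manual's shorthand for any address; other specs are CIDR."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "0/0" else spec, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse one 'ipfw add <iface> <action> <match> from <src> to <dst> [lo:hi]' line."""
    t = line.split()
    if t[:2] != ["ipfw", "add"] or t[5] != "from" or t[7] != "to":
        raise ValueError(f"unrecognised rule: {line}")
    ports = None
    if len(t) > 9:
        lo, _, hi = t[9].partition(":")       # "900:5000" or a single port
        ports = range(int(lo), int(hi or lo) + 1)
    return Rule(action=t[3], match=t[4], src=t[6], dst=t[8], ports=ports)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.match == "tcp_connection":
        # Modelling assumption: a connection attempt is the client's initial
        # SYN (SYN set, ACK clear).  Replies to connections that the inside
        # opened carry ACK and therefore do not match this keyword.
        if pkt.proto != "tcp" or not pkt.syn or pkt.ack:
            return False
    elif rule.match in ("tcp", "udp"):
        if pkt.proto != rule.match:
            return False
    else:
        raise ValueError(f"unknown match keyword {rule.match!r}")
    if ipaddress.ip_address(pkt.src) not in _network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in _network(rule.dst):
        return False
    return rule.ports is None or pkt.dport in rule.ports


def evaluate(rules: List[Rule], pkt: Packet, default: str = "reject") -> str:
    """First matching rule decides.  The excerpt does not state the device's
    implicit policy, so this model falls closed when nothing matches."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# The two TCP filter sets quoted in the text, plus a constructed UDP
# allow-list in the same syntax (the udp keyword and the port range are assumed).
NAIVE_TCP = [parse_rule(l) for l in (
    "ipfw add rf5.0 accept tcp from 0/0 to 0/0 900:5000",
    "ipfw add rf5.0 reject tcp from 0/0 to 0/0",
)]
REVISED_TCP = [parse_rule(l) for l in (
    "ipfw add rf5.0 reject tcp_connection from 0/0 to 0/0 900:5000",
    "ipfw add rf5.0 accept tcp from 0/0 to 0/0 900:5000",
    "ipfw add rf5.0 reject tcp from 0/0 to 0/0",
)]
UDP_ALLOWLIST = [parse_rule(l) for l in (
    "ipfw add rf5.0 accept udp from 0/0 to 0/0 5060:5061",
    "ipfw add rf5.0 reject udp from 0/0 to 0/0",
)]

# Constructed traffic arriving on rf5.0 from an external host (203.0.113.5)
# towards an internal host (192.168.1.10).
INBOUND_SYN = Packet("tcp", "203.0.113.5", "192.168.1.10", 1024, syn=True)
INBOUND_SYNACK = Packet("tcp", "203.0.113.5", "192.168.1.10", 1024, syn=True, ack=True)
INBOUND_DATA = Packet("tcp", "203.0.113.5", "192.168.1.10", 1024, ack=True)
INBOUND_HTTP_SYN = Packet("tcp", "203.0.113.5", "192.168.1.10", 80, syn=True)
INBOUND_SIP = Packet("udp", "203.0.113.5", "192.168.1.10", 5060)
INBOUND_UDP_OTHER = Packet("udp", "203.0.113.5", "192.168.1.10", 1024)

if __name__ == "__main__":
    for name, pkt in [("SYN to 1024", INBOUND_SYN), ("SYN/ACK to 1024", INBOUND_SYNACK),
                      ("data to 1024", INBOUND_DATA), ("SYN to 80", INBOUND_HTTP_SYN)]:
        print(f"{name:16} naive={evaluate(NAIVE_TCP, pkt):7} revised={evaluate(REVISED_TCP, pkt)}")
    for name, pkt in [("UDP to 5060", INBOUND_SIP), ("UDP to 1024", INBOUND_UDP_OTHER)]:
        print(f"{name:16} udp={evaluate(UDP_ALLOWLIST, pkt)}")
```

Running the model shows the difference the text describes: the naive set accepts an external SYN to an internal port in the 900 to 5000 range, while the revised set rejects it yet still accepts the SYN/ACK and data segments that belong to connections the inside opened. It also shows the limit of a stateless filter: nothing in either set ties those later segments to a real connection, which is why the UDP case, where no handshake exists at all, is reduced to a port allow-list.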