Installing and Administering PPP

92 Chapter 5
Security Techniques
Filter Stanzas
Each filter is composed of a filter name followed by one or more stanzas
(rules). Each packet passing through the interface is compared to the
rules in the stanzas until a match is found, completing the filter
operation. The ordering of the stanzas is therefore extremely important.
Packets may match on many types of values, including:
host or network address
port number
protocol type
IP option
TCP SYN, FIN, ACK and RST bits
direction of traffic
A stanza optionally begins with the negation operator, the exclamation
mark (!). The mark is followed by one or more values and keywords, each
separated by a slash (/). These value and keyword combinations create a
specification for a packet.
An exclamation mark is a powerful specification in any filter rule. If an
exclamation mark is placed at the beginning of a rule, it negates the
action of the stanza’s keyword. For example, compare the defaults for
the Pass and Log filters:
Pass
    all
Log
    !all
The specification for Pass, and the lack of an exclamation mark, indicates
the default is to pass all packets. On the other hand, the ‘!all’ default
designation for Log means no packets are logged.
Each filter ends with an implicit stanza. The implicit ending stanza is
‘all’ if the last stanza specified is negated by beginning with ‘!’. The
implicit ending stanza is ‘!all’ if the last stanza is not negated. While this
is convenient and makes it unnecessary to actually define the final
"match everything else" stanza, it is a good idea to explicitly specify this
stanza to avoid simple errors that can greatly change the meaning of a
filter.
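The first-match ordering, the negation operator and the implicit ending stanza described above can be made concrete with a small model of the evaluation. The following Python is an added illustration, not code or configuration from the PPP manual or product: the token syntax it accepts (a dotted-quad token matches the remote host, a numeric token the port, tcp/udp/icmp the protocol, send/recv the direction, and all matches every packet) is an assumed simplification of "values and keywords separated by a slash", and the Packet fields and sample addresses are constructed. What it shows is how the implicit ending stanza flips between all and !all depending on whether the last explicit stanza is negated, and how reordering two stanzas changes which packets a Pass filter lets through.

```python
"""Model of PPP filter-stanza evaluation: first match wins, '!' negates,
and an implicit ending stanza closes every filter.

Constructed example. The token grammar below is an assumed simplification,
not the PPP filter file's exact syntax.
"""
from dataclasses import dataclass
from typing import List

PROTOCOLS = {"tcp", "udp", "icmp"}
DIRECTIONS = {"send", "recv"}


@dataclass(frozen=True)
class Packet:
    host: str        # remote host address (constructed, e.g. "192.0.2.9")
    proto: str       # "tcp", "udp" or "icmp"
    port: int        # port number
    direction: str   # "send" or "recv"


def token_matches(token: str, pkt: Packet) -> bool:
    """Match one slash-separated token against the packet (assumed grammar)."""
    if token == "all":
        return True
    if token in PROTOCOLS:
        return pkt.proto == token
    if token in DIRECTIONS:
        return pkt.direction == token
    if token.isdigit():
        return pkt.port == int(token)
    return pkt.host == token  # any other token is treated as a host address


def is_negated(stanza: str) -> bool:
    return stanza.startswith("!")


def stanza_matches(stanza: str, pkt: Packet) -> bool:
    """A stanza matches when every one of its tokens matches the packet."""
    spec = stanza[1:] if is_negated(stanza) else stanza
    return all(token_matches(tok, pkt) for tok in spec.split("/"))


def implicit_ending(stanzas: List[str]) -> str:
    """'all' if the last explicit stanza is negated, otherwise '!all'.
    An empty filter is treated as ending in '!all' (an assumption)."""
    if stanzas and is_negated(stanzas[-1]):
        return "all"
    return "!all"


def with_explicit_ending(stanzas: List[str]) -> List[str]:
    """The filter as the manual recommends writing it: ending stanza spelled out."""
    return stanzas + [implicit_ending(stanzas)]


def evaluate(stanzas: List[str], pkt: Packet) -> bool:
    """True if the filter's action (Pass, Log, ...) applies to pkt.

    Stanzas are tried in order; the first match ends the operation, and a
    negated match means the action does NOT apply."""
    for stanza in with_explicit_ending(stanzas):
        if stanza_matches(stanza, pkt):
            return not is_negated(stanza)
    raise AssertionError("unreachable: the ending stanza always matches")


if __name__ == "__main__":
    # Constructed sample traffic.
    smtp = Packet("198.51.100.7", "tcp", 25, "recv")
    bad_smtp = Packet("192.0.2.9", "tcp", 25, "recv")
    dns = Packet("198.51.100.7", "udp", 53, "recv")

    # Last stanza negated -> implicit 'all': everything but that host passes.
    print(with_explicit_ending(["!192.0.2.9"]), evaluate(["!192.0.2.9"], dns))
    # Same two stanzas, two orders: the ordering decides whether the
    # blocked host's SMTP traffic is passed.
    print(evaluate(["!192.0.2.9", "tcp/25"], bad_smtp))  # blocked first
    print(evaluate(["tcp/25", "!192.0.2.9"], bad_smtp))  # tcp/25 matches first
    print(evaluate(["!192.0.2.9", "tcp/25"], dns))       # implicit '!all'
    print(evaluate(["tcp/25", "!192.0.2.9"], dns))       # implicit 'all'
```

Writing the ending stanza out, as the text recommends, turns the last two cases from a surprise into a visible decision: `["tcp/25", "!192.0.2.9", "all"]` plainly says that everything not mentioned is passed, whereas `["!192.0.2.9", "tcp/25", "!all"]` plainly says it is not.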