IPX Filter

This section allows you to define, edit and name a set of IPX filtering rules. The named set of filtering rules may then be associated with either the IPX input or output filtering attributes of an interface. This method allows the greatest flexibility since common rules may be established and applied independently to the inbound and outbound interfaces.

edit config IPX Filter "Name"

Syntax Description

"Name"

A unique name, up to 16 characters with spaces allowed, for this filter set.

Usage Guidelines

The rules are applied in the order they were written. When you select multiple filter sets for an interface, they are read from first to last as you entered them.

Allowing Non-Filtered IPX Packets

As soon as a filter set contains a rule, even if it is only a deny rule, the interface rejects every packet that no rule explicitly permits. To allow all packets that are not otherwise filtered, make the last rule:

permit

Filter Rule Syntax

After entering the edit config command, and then the append command, enter one or more filter rules using the following syntax:

{permit | deny} [type operator IPX_packet_type_number]
[srcnet operator network_number]
[dstnet operator network_number]
[srcnode operator node_address]
[dstnode operator node_address]
[srcskt operator socket_number]
[dstskt operator socket_number]
[log]


Options

permit | deny

  • permit specifies that packets meeting the conditions should be passed through the filter.

  • deny specifies that packets meeting the conditions should be dropped by the filter.

operator

Specifies how the value given in the rule is compared with the corresponding field of the packet. For example, if you specify srcnet = FFFFFFFE, then the rule applies to all packets with the source network FFFFFFFE.

  • Equals. Use one of the following arguments:

    • eq

    • ==

    • =

  • Less Than. Use one of the following arguments:

    • lt

    • <

  • Less Than or Equal To. Use one of the following arguments:

    • lteq

    • le

    • <=

    • =<

  • Greater Than. Use one of the following arguments:

    • gt

    • >

  • Greater Than or Equal To. Use one of the following arguments:

    • gteq

    • ge

    • >=

    • =>

  • Does not Equal. Use one of the following arguments:

    • ne

    • <>

    • !=

type operator IPX_packet_type_number

This rule allows filtering on the IPX packet type. The IPX_packet_type_number is specified as a hex number. The keyword all may be used to specify all packet types.

For some versions of NetWare, the packet type field is not a reliable indicator of the type of packet encapsulated by the IPX header. Generally, the source and destination socket fields should be used to implicitly filter the packet type. NetBIOS propagate packets (type 14h) are an exception to this rule.

srcnet operator network_number

This rule allows filtering on the source network number in the IPX header. The network number is specified as a hex value in the range of 1 to FFFFFFFE. The keyword all may be used to specify all network number values.

dstnet operator network_number

This rule allows filtering on the destination network number in the IPX header. The network number is specified as a hex value in the range of 1 to FFFFFFFE. The keyword all may be used to specify all network number values.

srcnode operator node_address

This rule allows filtering on the source node address in the IPX header. The only operators allowed on node addresses are equality and inequality. The node_address is specified as an Ethernet address, which is six hexadecimal octets separated by dots (.) or colons (:) (e.g., 0.0.A5.0.0.1 or 0:0:A5:0:0:1). The keyword all may be used to specify all node values.

dstnode operator node_address

This rule allows filtering on the destination node address in the IPX header. The only operators allowed on node addresses are equality and inequality. The node_address is specified as shown above for srcnode. The keyword all may be used to specify all node values.

srcskt operator socket_number

This rule allows filtering on the source socket number in the IPX header. The IPX socket number is specified as a hex value. The keyword all may be used to specify all socket values. A socket keyword, such as DIAG in the examples below, may be used in place of a hex value.

dstskt operator socket_number

This rule allows filtering on the destination socket number in the IPX header. The IPX socket number is specified as a hex value. The keyword all may be used to specify all socket values. The keywords listed above for srcskt may also be used.

log

The log option causes the device to log data about the packet to syslog when the condition of the rule is met. See the Logging section for more information about logging.

Examples

Drop all packets where the source network number is greater than or equal to 1000 and permit all other packets.

[ IPX Filter "deny-1000" ]
deny srcnet >= 1000
permit
 

Drop all packets from a specific IPX node and network and permit all other packets.

[ IPX Filter "beatles" ]
deny srcnet = FAB4 srcnode = 0.0.A5.0.0.1
permit
 

Drop all packets whose source socket is the diagnostic socket, log the denial, and permit all other packets through.

[ IPX Filter "diagnostic" ]
deny srcskt = DIAG log
permit
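
The rule evaluation described on this page, as an added Python example (not Cisco code and not part of the original page): it parses the rule syntax, reads every value as hex, applies the rules in order, and rejects a packet that matches no rule. First-match-wins, the treatment of the all keyword, and the packet dictionary layout are assumptions; socket keywords such as DIAG are not modelled.

```python
import operator

# Operator spellings from the Options list above.
OPS = {name: fn for names, fn in [
    ("eq == =", operator.eq), ("lt <", operator.lt),
    ("lteq le <= =<", operator.le), ("gt >", operator.gt),
    ("gteq ge >= =>", operator.ge), ("ne <> !=", operator.ne),
] for name in names.split()}
NODE_FIELDS = {"srcnode", "dstnode"}
FIELDS = {"type", "srcnet", "dstnet", "srcskt", "dstskt"} | NODE_FIELDS

def parse_value(field, text):
    if text.lower() == "all":
        return None  # wildcard: matches any value (assumed semantics)
    if field in NODE_FIELDS:  # six hex octets separated by '.' or ':'
        octets = text.replace(":", ".").split(".")
        if len(octets) != 6:
            raise ValueError(f"bad node address: {text}")
        return tuple(int(o, 16) for o in octets)
    return int(text, 16)  # every other value is a hex number

def parse_rule(line):
    tokens = line.split()
    action, conds, log = tokens[0].lower(), [], False
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action: {line}")
    rest = tokens[1:]
    if rest and rest[-1].lower() == "log":
        log, rest = True, rest[:-1]
    if len(rest) % 3:
        raise ValueError(f"incomplete condition: {line}")
    for field, op, value in zip(rest[0::3], rest[1::3], rest[2::3]):
        field, fn = field.lower(), OPS.get(op.lower())
        if field not in FIELDS or fn is None:
            raise ValueError(f"bad condition: {field} {op}")
        if field in NODE_FIELDS and fn not in (operator.eq, operator.ne):
            raise ValueError("node addresses allow only equality or inequality")
        conds.append((field, fn, parse_value(field, value)))
    return action, conds, log

def evaluate(rule_lines, packet):
    """First matching rule wins (assumed); returns (action, logged)."""
    for action, conds, log in map(parse_rule, rule_lines):
        if all(v is None or fn(packet[f], v) for f, fn, v in conds):
            return action, log
    return "deny", False  # no rule matched: the implicit reject

# Constructed sample: the page's "deny-1000" set and a made-up packet.
DENY_1000 = ["deny srcnet >= 1000", "permit"]
PKT = {"srcnet": 0x0FFF, "srcnode": (0, 0, 0xA5, 0, 0, 1)}
```

Because values are hex, the threshold in "deny-1000" is 0x1000, so a packet from network 3E8 (decimal 1000) is permitted; dropping the trailing permit from the set makes every packet a deny.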
 

Related Commands

Command                        Description

configure IPX                  Configures IPX parameters for an interface
configure Logging              Configures logging options
edit config IPX Route Filter   Creates IPX route filters
edit config IPX SAP Filter     Creates IPX server filters
show ipx                       Shows IPX configuration and routing


Posted: Wed Sep 27 10:59:14 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.