IP Filtering The IP Filtering window allows you view and modify matching criteria used to selectively block certain IP datagrams from being sent or received. Each row in the table corresponds to a single filter or set of matching criteria. To Add or Remove a filter table entry, select a row from the table if desired. This will copy the corresponding information to the edit fields in the "Configure Entry" area. Use the edit fields and controls in this area to change the information as desired, and then press "Add" or "Remove" to update the table. New filters are added at the top of the list. The "Port Name" column specifies the physical port on which the filter will be applied. The "Direction" column specifies whether the filter is applied to datagrams being sent, or being received from the corresponding port. The "Action" column specifies whether the filter should block or pass matching datagrams. If IPNetRouter is configured to dial on demand, "NoDial" will prevent matching datagrams from initiating a PPP connection. The "Protocol" column allows the filter to match a specific protocol (from the IP header), or any protocol. The "TCP Ack" column allows you to specify whether the ACK bit in the TCP header must be zero or one. The "Source Net" and "Dest Net" are used to specify a range of IP addresses for the source and destination address in the IP header. The network number or range of addresses is specified as an IP address followed by a prefix length (also known as a CIDR aggregate). For example: "192.168.0.1/24" matches all IP datagrams to/from network 192.168.0.x (192.168.0.0-192.168.0.255). You can use the Subnet Calculator to compute the CIDR aggregates for a range of IP addresses. If you omit the prefix length, the entire IP address will be matched (prefix length 32). If you leave the network number empty (or 0.0.0.0), any IP address will be matched. You can use IP address 0.0.0.1 to represent the dynamically assigned IP address used as the Apparent address for IP masquerading. The "Source Ports" and "Dest Ports" are used to specify a range of TCP or UDP protocol port numbers. You can specify a single port number such as "80" or a range of port numbers such as "1-1023". If you leave the port range empty, any port number will be matched. For ICMP datagrams, the Source Ports match the ICMP Type and the Dest Ports match the ICMP Code. To block all echo requests (pings) for example, you could create a filter to match ICMP type=8. Each filter is checked in the order listed. If a packet matches a "block" filter, it is deleted immediately. If a packet matches a "pass" filter, it is allowed through immediately (regardless of any block filters that may follow). If a packet does not match any filters, it is allowed through. Filtering is performed before Network Address Translation (NAT) for outgoing packets, and after NAT for incomming packets (so LAN clients can be distinguished). Use the "Refresh" button to update the display of filters currently defined. Any filters you specify will be remembered as part of an IPNetRouter configuration when you Save from the File menu. A maximum of 30 filters can be specified at this time. Detailed instructions for using IPNetRouter are available on the Sustainable Softworks web site at .