The IP Filtering window allows you view and modify matching criteria used to selectively block certain IP datagrams from being sent or received. Each row in the table corresponds to a single filter or set of matching criteria.
To Add or Remove a filter table entry, select a row from the table if desired. This will copy the corresponding information to the edit fields in the "Configure Entry" area. Use the edit fields and controls in this area to change the information as desired, and then press "Add" or "Remove" to update the table.
The "Port Name" column specifies the physical port on which the filter will be applied.
The "Direction" column specifies whether the filter is applied to datagrams being sent, or being received from the corresponding port.
The "Action" column specifies whether the filter should reject matching datagrams, or only allow matching datagrams and reject all others.
The "Protocol" column allows the filter to match a specific protocol (from the IP header), or any protocol.
The "Src/Dst" column specifies whether the following fields are used to match the source IP address and port, or the destination IP address and port.
The "Network#" is used to specify a range of IP addresses. The Network# is specified as an IP address followed by a prefix length (also known as a CIDR aggregate). For example: "192.168.0.1/24" matches all IP datagrams for network 192.168.0.x (192.168.0.0-192.168.0.255). You can use the Subnet Calculator to compute the CIDR aggregates for a range of IP addresses. If you omit the prefix length, the entire IP address will be matched (prefix length 32). If you leave the Network# empty (or 0.0.0.0), any IP address will be matched. You can use IP address 0.0.0.1 to represent the dynamically assigned IP address used as the Apparent address for IP masquerading.
The "Port#" is used to specify a range of TCP or UDP protocol port numbers. You can specify a single port number such as "80" or a range of port numbers such as "1-1023". If you leave the Port# empty, any port number will be matched. For ICMP datagrams, the Port# corresponds to the ICMP type. To block all echo requests (pings) for example, you could create a filter to match ICMP type=8.
Each filter is checked in the order listed. If a packet matches a "reject" filter, it is deleted immediately. If a packet matches a "pass" filter, it is allowed through immediately.
If a packet did not match a "pass" filter for that Port Name and Direction, it is deleted after being checked against the entire list. If there are no "pass" filters for that Port Name and Direction, and the packet did not match a reject filter, the packet is allowed through. Filtering is performed before Network Address Translation.
Use the "Refresh" button to update the display of filters currently defined. Any filters you specify will be remembered as part of an IPNetRouter configuration when you Save from the File menu. A maximum of 30 filters can be specified at this time.
Detailed instructions for using IPNetRouter are available on the Sustainable Softworks web site at <http://www.sustworks.com>.
