Novell Documentation: Novell BorderManager 3.8

Monitoring Packet Filtering

To view all the filters that you have created, you can save the filter information to a text file. To create this file, load FILTCFG and select Save Filters to a Text File from the Filter Configuration Available Options menu. You can save the file to any name you prefer, such as MYFILTER.

You can also monitor the operation of the filters you have created to ensure that they are actually filtering the types of packets that you intended for them to filter. For more information on packet filter logging, refer to the packet filtering online documentation.

Packet Filtering Security

Because packet filtering does not inspect the packet's Application-layer data, this solution is the least secure but most efficient of the firewall methods. If the checks are passed successfully, the packet is allowed to be routed through the firewall. However, because this approach requires less processing than the other methods, it is the fastest solution.

Packet filtering has the following advantages:

Client computers require no specific configuration.
Packet filters are faster because they perform less processing.
A single filter rule can deny traffic between internal and external sources.
Packet filters can accept or reject packets according to well-known protocol port numbers (such as TCP port numbers).

Packet filtering has the following limitations:

Packet filters have no alert capability.
Packet filter rules can be difficult to configure.

Two basic security policy philosophies can be applied in packet filtering:

Deny everything that is not permitted.
Permit everything that is not denied.

The default packet filtering mode (secure mode), which is normally selected during Novell BorderManager 3.8 installation, takes the first approach---deny everything. This is the better choice when you initially set up your Novell BorderManager 3.8 server because you are more likely to make mistakes that could compromise security when you first install and configure the server.

When Novell BorderManager 3.8 is installed, a set of default filters prevents access to the Internet without the services of an application proxy or a gateway, as listed in the following table.

Filter Type	Protocol	Setting
IPX^TM Filters
	Outgoing (to Public interface)
	SAP	Deny Service Name * and Service Type FFFFh (All)
	RIP	Deny Network 00000000h and mask 00000000h
	Packet Forwarding	Deny All packets
	Incoming (from Public Interface)
	SAP	Deny Service Name * and Service Type FFFFh (All)
	RIP	Deny Network 00000000h and mask 00000000h
	Packet Forwarding	Deny All packets
IP Filters
	Outgoing (to Public interface)
	RIP	Do not advertise All routes
	EGP	Do not advertise All routes
	Packet Forwarding	Deny All packets
	Incoming (from Public Interface)
	RIP	Do not advertise All routes
	EGP	Do not advertise All routes
	Packet Forwarding	Deny All packets
OSPF Filter	OSPF	Deny All routes
Exception Filters
	Outgoing (to Public interface)
	Packet Forwarding	Allow All packets with destination IP address as the public IP address
	Incoming (from Public Interface)
	Packet Forwarding	Allow All packets coming from the public interface with source IP address as the public IP address and destined to the following ports and protocols:
		TCP port 443---SSL Authentication
		TCP ports 1024 to 65535---Dynamic TCP
		UDP ports 1024 to 65535---Dynamic UDP
		TCP port 213---VPN Master/Slave (IPX)
		TCP port 353 ---VPN Authentication Gateway
		UDP port 353---VPN Keep-Alive
		SKIP (Simple Key Management for Internet Protocol) protocol 57---for VPN
		TCP port 80---World Wide Web (WWW)---HTTP

HINT: The Novell BorderManager 3.8 default filter settings block most traffic into and out of the server until you can configure filters that allow specific types of packets to pass. For this reason, we recommend you set up and configure packet filters after normal business hours to avoid interruption of network traffic.

Packets must be expressly permitted, and they must not be expressly denied; however, the Novell BorderManager 3.8 filter configuration utility (FILTCFG) and iManager^TM (NBM Access Management > Filter Configuration) enable you to make exceptions to either of these conditions. After the packet data is obtained, the filter applies lists of rules: first the exception list, then the filter list. These lists determine what packets can flow to and from the network.

Filter Action Options

Filtering rules in the exception lists and filter lists are applied using one of two filter action options, Deny or Permit.

Deny

If the filter action option is set to Deny Packets in Filter List, the filter list contains the list of packets to deny and the exception list contains the list of packets to permit. Exception filters always take priority over deny filters. If a packet type is not listed in the exception filter list, it is checked against the deny filter list. If the packet type is not listed in either list, it is allowed.

Permit

If the filter action option is set to Permit Packets in Filter List, the filter list contains the list of packets to permit and the exception list contains the list of packets to deny. Exception filters always take priority over permit filters. If a packet type is not listed in the exception filter list, it is checked against the permit filter list. If the packet type is not listed in either list, it is denied.

These two filter action options can be summarized as shown in the following table.

Filter Action	Description
Deny	All packets specified in the exception list are permitted. All packets specified in the filter list are denied. If the Deny mode is enabled and no filters are specified, the router permits all packets to pass.
Permit	All packets specified in the exception list are denied. All packets specified in the filter list are permitted. If the Permit mode is enabled and no filters are specified, the router does not permit any packets to pass.