DMZ Firewall Solution for the Express Router
07-12-99 Version 1.0 11
Filters are defined as follows:

Filter: — (default)
Function: Pass all packets destined for DMZ
Settings:
    Default Action: Pass

Filter: 1
Function: Prevents RIP updates from entering the DMZ network
Settings:
    Action: Discard
    Protocol: UDP
    Dest. address type: All
    Dest. port: RIP
    Src. address type: All
    Src. port: All

Filter: 2
Function: Prevents tunnel packets from entering the DMZ network
Settings:
    Action: Discard
    Protocol: TCP
    Dest. address type: All
    Dest. port: Tunnel
    Src. address type: All
    Src. port: All

Filters: 3, 4, 5
Function: Prevents RSVP packets from entering the DMZ network/router. Three separate filters are required.
Settings (filter 3):
    Action: Discard
    Protocol: RSVP
    Dest. address type: All
    Dest. port: All
    Src. address type: All
    Src. port: All
Settings (filter 4):
    Action: Discard
    Protocol: UDP
    Dest. address type: All
    Dest. port: = 1698
    Src. address type: All
    Src. port: All
Settings (filter 5):
    Action: Discard
    Protocol: UDP
    Dest. address type: All
    Dest. port: = 1699
    Src. address type: All
    Src. port: All

Filter: 6
Function: Prevents BootP updates from entering the DMZ network/router.
Settings:
    Action: Discard
    Protocol: UDP
    Dest. address type: All
    Dest. port: 67
    Src. address type: All
    Src. port: All

Filter: 7
Function: Prevents Syslog updates from entering the DMZ network/router
Settings:
    Action: Discard
    Protocol: UDP
    Dest. address type: All
    Dest. port: = 514
    Src. address type: All
    Src. port: All

Filter: 8
Function: Discards all packets that spoof (or fake) the IP address of the router on LAN1. This is necessary since these packets will pass the Tx filter on LAN1.
Settings:
    Action: Discard
    Protocol: UDP
    Dest. address type: All
    Dest. port: All