IP access lists

Revised for CPX 4.7.0.

The IP access list is a security mechanism through which the Abilis CPX applies control and checking functions, based on addresses and requested services, to the datagrams in transit from and to the Abilis CPX.

Datagrams in transit are filtered and selected on the basis of the information carried by the header (source and destination address, Internet protocol and logical port numbers), not on their content.

By defining suitable filters in the IP access list it is therefore possible to set which data may transit and which may not. The list provides two kinds of filters:

Filter type Meaning
PERMIT Permitted to transit.
DENY Denied to transit.

Filters also allow assigning a different service class to each data flow:

Service class Meaning
HIGH Service class "HIGH".
NORMAL Service class "NORMAL".
LOW Service class "LOW".

Service classes are usually also called "priorities", so that one speaks of "traffic prioritisation". Filter priorities are introduced further on; the User should not confuse the two meanings of priority, the latter denoting the evaluation order of the filters.

Moreover, it is possible to enable the encryption of the data carried in the datagrams:

Parameters related to the cryptographic functions Description
CRKEY: Cryptographic key to be used.
CRDIR: Cryptography direction (encrypt/decrypt).

Filters can be added, modified and deleted in the IP access list while the Abilis CPX is running, without restarting it. Changes take effect immediately.

The IP access list can store up to 256 filter definitions.

Configuration of the IP access list

All the commands for IP routing management are described in the section IP access list of the chapter Commands related to the IP Router.

The available commands are:

A IPACL
C IPACL
D IPACL
F IPACL
M IPACL
S IPACL

Here is an example of how to display all the filters.

As can be seen, the filter identifiers represent the evaluation priority and they are automatically kept in sequential order.

[18:14:08] ABILIS_CPX: D IPACL

IPRTR (PO:900) parameters:  ACL:NO        ACLBYPASS:# 
                            COS:DISABLED  COSDFT:NORMAL                   
Tot-IPACL-Number:4 

-------------------------------------------------------------------------------
PR: TYPE:  SA:                               DA:
    IPCOS: PROT:                  SPO:/PO:               DPO:
           SIPP:  DIPP:  CRDIR:   CRKEY:
-------------------------------------------------------------------------------
0   PERMIT 001.001.001.001                   002.002.002.002                   
    DFT    tcp                    telnet(23)                                   
-------------------------------------------------------------------------------
1   DENY   001.001.001.001                   002.002.002.002                   
           ospf                                                                
-------------------------------------------------------------------------------
2   PERMIT 001.001.001.001                   002.002.002.002                   
    LOW    udp                    snmp(161)              *                     
           *      INT    NONE      
-------------------------------------------------------------------------------
3   PERMIT *                                 *                                 
    LOW    *                      *                                            
           *      *      ENCRYPT  DFT
-------------------------------------------------------------------------------

This display doesn't show parameters whose values are the default ones; they are displayed only if their values have been changed from the defaults. In this way the description of a single entry usually fits in two rows.
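Because rows at their default values are left out, a script that reads the D IPACL display has to tolerate entries of one, two or three rows. The following parser is an added example (not Abilis CPX code): the column offsets are taken from the three header rows of the display above, the sample text is the output shown above, and the defaults filled in by with_defaults are only the ones this page states (SIPP:/DIPP: "*", CRKEY: DFT, IPCOS: DFT for PERMIT filters).

```python
"""Parse the column-aligned output of the Abilis CPX 'D IPACL' command.

Added example, not Abilis code. An entry spans one to three rows and a row is
omitted when every parameter on it still has its default value, so missing
rows must be tolerated. Column slices come from the header rows of the display.
"""
import re

# One list of (name, start, end) slices per display row, derived from the
# headers "PR: TYPE:  SA: ... DA:", "    IPCOS: PROT: ... SPO:/PO: ... DPO:"
# and "           SIPP:  DIPP:  CRDIR:   CRKEY:".
ROW_LAYOUT = [
    [("PR", 0, 4), ("TYPE", 4, 11), ("SA", 11, 45), ("DA", 45, None)],
    [("IPCOS", 4, 11), ("PROT", 11, 34), ("SPO/PO", 34, 57), ("DPO", 57, None)],
    [("SIPP", 11, 18), ("DIPP", 18, 25), ("CRDIR", 25, 34), ("CRKEY", 34, None)],
]
FIELDS = [name for row in ROW_LAYOUT for name, _, _ in row]
# Defaults this page states for parameters that may be left out of the display.
STATED_DEFAULTS = {"SIPP": "*", "DIPP": "*", "CRKEY": "DFT"}

# The display shown on this page, embedded as sample input.
SAMPLE = """\
[18:14:08] ABILIS_CPX: D IPACL

IPRTR (PO:900) parameters:  ACL:NO        ACLBYPASS:#
                            COS:DISABLED  COSDFT:NORMAL
Tot-IPACL-Number:4

-------------------------------------------------------------------------------
PR: TYPE:  SA:                               DA:
    IPCOS: PROT:                  SPO:/PO:               DPO:
           SIPP:  DIPP:  CRDIR:   CRKEY:
-------------------------------------------------------------------------------
0   PERMIT 001.001.001.001                   002.002.002.002
    DFT    tcp                    telnet(23)
-------------------------------------------------------------------------------
1   DENY   001.001.001.001                   002.002.002.002
           ospf
-------------------------------------------------------------------------------
2   PERMIT 001.001.001.001                   002.002.002.002
    LOW    udp                    snmp(161)              *
           *      INT    NONE
-------------------------------------------------------------------------------
3   PERMIT *                                 *
    LOW    *                      *
           *      *      ENCRYPT  DFT
-------------------------------------------------------------------------------
"""


def parse_ipacl(text):
    """Return (total, entries): total from 'Tot-IPACL-Number', entries as dicts
    of all 12 parameters; '' means 'not displayed', i.e. at its default."""
    m = re.search(r"Tot-IPACL-Number:\s*(\d+)", text)
    total = int(m.group(1)) if m else None
    blocks, current, past_header = [], [], False
    for line in text.splitlines():
        if line.startswith("-----"):          # dashed rules delimit the blocks
            if past_header and current:
                blocks.append(current)
            elif any(l.lstrip().startswith("PR:") for l in current):
                past_header = True            # this block was the column header
            current = []
        elif line.strip():
            current.append(line)
    entries = []
    for rows in blocks:
        entry = dict.fromkeys(FIELDS, "")
        for layout, row in zip(ROW_LAYOUT, rows):   # absent rows stay ''
            for name, start, end in layout:
                entry[name] = row[start:end].strip()
        entries.append(entry)
    return total, entries


def with_defaults(entry):
    """Fill in the defaults the page states for parameters left out of the display."""
    out = dict(entry)
    for name, default in STATED_DEFAULTS.items():
        out[name] = out[name] or default
    if out["TYPE"] == "PERMIT":               # IPCOS: exists only for PERMIT filters
        out["IPCOS"] = out["IPCOS"] or "DFT"
    return out
```

The parser is intentionally positional rather than whitespace-split: an empty DPO: or CRKEY: column would otherwise shift the following values to the wrong parameter, which is exactly the kind of misreading that makes an audit of the list miss a filter matching "any IP port".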

Displaying a single filter:

[18:14:08] ABILIS_CPX: D IPACL PR:1

IPRTR (PO:900) parameters:  ACL:NO        ACLBYPASS:# 
                            COS:DISABLED  COSDFT:NORMAL 
Tot-IPACL-Number:3 
-------------------------------------------------------------------------------
PR: TYPE:  SA:                               DA:
    IPCOS: PROT:                  SPO:/PO:               DPO:
           SIPP:  DIPP:  CRDIR:   CRKEY:
-------------------------------------------------------------------------------
1   DENY   001.001.001.001                   002.002.002.002                   
           ospf                                                                
-------------------------------------------------------------------------------

Details of the filter parameters


PR: Filter priority (priority 0 is the highest)
Default: none. Allowed values: 0 - 255.

The priority index sets the order in which the filters are checked. The check is performed on every datagram that has to be routed.

It starts from the filter with priority 0 and continues until a filter matching the datagram is found or the end of the list is reached.

If the IP datagram doesn't match any filter, it is routed; if the IP service class functionality is enabled, the Router assigns the datagram the default priority set in the parameter "COSDFT" of the IPRTR port.

The filter index is also used by the adding, modifying and deleting commands to refer to the filter.

Every time a filter is added or deleted, the priority indexes in the list are automatically kept in sequential order.


TYPE: Sets the filter type
Default: none. Allowed values: DENY, PERMIT.

This parameter sets whether the datagrams matching the filter have to be routed (filter type "PERMIT") or discarded (filter type "DENY").

Datagrams that don't match any filter are always routed, with the default priority.


IPCOS: Service class assigned to the datagram (only for TYPE:PERMIT)
Default: DFT. Allowed values: DFT (or D), HIGH (or H), NORMAL (or N), LOW (or L).

This parameter is displayed and configurable only for filters of type "PERMIT". It is considered only if the IP service classes are enabled (parameter COS: of the IPRTR port set to "ENABLED").

The following values are allowed:

Allowed value Meaning
DFT (or D) The default service class, the one set in the COSDFT: parameter of the IPRTR port, is assigned to the datagram.
HIGH (or H) The "High" service class is assigned.
NORMAL (or N) The "Normal" service class is assigned.
LOW (or L) The "Low" service class is assigned.

SA: IP source address or interval of addresses.
Default: none. Allowed values: see table, x.x.x.x:y.y.y.y, *, 'list'.

It sets the IP address (or interval of addresses) that the datagram's source address has to match (or be contained in) to satisfy the filter. The allowed IP addresses must be in dotted decimal notation and fall within the intervals defined in the following table:

HEX:  00000000   01000000 - 7EFFFFFF           80000000 - DFFFFFFF
DDN:  0.0.0.0    1.0.0.0 - 126.255.255.255     128.0.0.0 - 223.255.255.255

IP addresses of class D and E are not currently supported.

Pairs of IP addresses (address intervals) are also supported in dotted decimal notation, separated by the character ':' (colon), for example: 192.168.000.210:192.168.000.250.

The value "*" means "any IP source address": every source address is accepted.

The name of an Elements List of type IP, IR, RU or MR is also supported, enclosed in single quotes, for example: 'My_List'.


DA: IP destination address or interval of addresses.
Default: none. Allowed values: see table, x.x.x.x:y.y.y.y, *, 'list'.

It sets the IP address (or interval of addresses) that the datagram's destination address has to match (or be contained in) to satisfy the filter. The allowed IP addresses must be in dotted decimal notation and fall within the intervals defined in the following table:

HEX:  00000000   01000000 - 7EFFFFFF           80000000 - DFFFFFFF
DDN:  0.0.0.0    1.0.0.0 - 126.255.255.255     128.0.0.0 - 223.255.255.255

IP addresses of class D and E are not currently supported.

Pairs of IP addresses (address intervals) are also supported in dotted decimal notation, separated by the character ':' (colon), for example: 192.168.000.210:192.168.000.250.

The value "*" means "any IP destination address": every destination address is accepted.

The name of an Elements List of type IP, IR, RU or MR is also supported, enclosed in single quotes, for example: 'My_List'.


PROT: Internet protocol
Default: none. Allowed values: 1 - 254 (or corresponding mnemonic), *, tcpudp, 'list'.

It sets the Internet protocol to which the filter applies.

The protocol can be specified by its mnemonic or by the corresponding numeric value, for example: 6 or "tcp", 17 or "udp".

The value "*" means "any Internet protocol": every Internet protocol is accepted.

The value "tcpudp" means "tcp and/or udp": both the tcp and the udp protocol are accepted.

The name of an Elements List of type IPT, RU or MR is also supported, enclosed in single quotes, for example: 'My_List'.


SPO: Source port or interval of source ports (only for PROT:tcp/udp)
Default: none. Allowed values: 1 - 65535 (or corresponding mnemonic), *, 'list'.

This parameter is used only for the TCP and UDP protocols. It sets the source port (or interval of ports) that the datagram's source port has to match (or be contained in) to satisfy the filter.

Numeric values are allowed in the interval [1 - 65535]; for ports from 1 to 1024 the mnemonic of the TCP or UDP service associated with them may be used instead, for example 23 or "telnet", 161 or "snmp".

Pairs of numeric values (port intervals) are also accepted, separated by the character ':' (colon), for example: 1:1024.

The value "*" means "any port": any source TCP/UDP port is accepted.

The name of an Elements List of type TUP, RU or MR is also supported, enclosed in single quotes, for example: 'My_List'.


DPO: Destination port or interval of destination ports (only for PROT:tcp/udp)
Default: none. Allowed values: 1 - 65535 (or corresponding mnemonic), *, 'list'.

This parameter is used only for the TCP and UDP protocols. It sets the destination port (or interval of ports) that the datagram's destination port has to match (or be contained in) to satisfy the filter.

Numeric values are allowed in the interval [1 - 65535]; for ports from 1 to 1024 the mnemonic of the TCP or UDP service associated with them may be used instead, for example 23 or "telnet", 161 or "snmp".

Pairs of numeric values (port intervals) are also accepted, separated by the character ':' (colon), for example: 1:1024.

The value "*" means "any port": any destination TCP/UDP port is accepted.

The name of an Elements List of type TUP, RU or MR is also supported, enclosed in single quotes, for example: 'My_List'.


PO: Port or interval of source/destination ports (only for PROT:tcp/udp)
Default: none. Allowed values: 1 - 65535 (or corresponding mnemonic), *, 'list'.

This parameter is used only for the TCP and UDP protocols, as an alternative to the parameters SPO: and DPO:. It sets the port value (or interval of values) that either the datagram's source port or its destination port has to match (or be contained in) to satisfy the filter.

Numeric values are allowed in the interval [1 - 65535]; for ports from 1 to 1024 the mnemonic of the TCP or UDP service associated with them may be used instead, for example 23 or "telnet", 161 or "snmp".

Pairs of numeric values (port intervals) are also accepted, separated by the character ':' (colon), for example: 1:1024.

The value "*" means "any port": any source or destination TCP/UDP port is accepted.

The name of an Elements List of type TUP, RU or MR is also supported, enclosed in single quotes, for example: 'My_List'.


SIPP: IP port from which the datagram comes in
Default: *. Allowed values: 0 - 63, INT, *.

It sets the IP port from which the datagrams have to come in to match the filter.

The value "*" means "any IP port": datagrams coming from any IP port are accepted.

The value "INT" means "internal IP port": datagrams coming from any internal IP port are accepted.


DIPP: IP port to which the datagram is routed
Default: *. Allowed values: 0 - 63, INT, *.

It sets the IP port to which the datagrams have to be routed to match the filter.

The value "*" means "any IP port": datagrams routed to any IP port are accepted.

The value "INT" means "internal IP port": datagrams routed to any internal IP port are accepted.


CRDIR: Activates the encryption/decryption of the datagrams matching the filter.
Default: none. Allowed values: NONE, ENCRYPT, DECRYPT.

It specifies whether the datagrams matching the filter have to be routed transparently (value "NONE"), encrypted (value "ENCRYPT") or decrypted (value "DECRYPT").


CRKEY: Index of the cryptographic key (only for CRDIR:ENCRYPT/DECRYPT)
Default: DFT. Allowed values: DFT, 1 - 63.

It defines the cryptographic key to be used for the datagrams matching the filter.

The User can choose the default cryptographic key provided by the system ("CRKEY:DFT") or one of the keys defined in the key table, by giving its index ([1 - 63]). If the specified value is meaningless, i.e. the corresponding key is not present in the table, the "CRKEY:" value is shown in square brackets: for example "CRKEY:[5]" means that no key with index 5 is present in the table.

The content of the parameter "CRKEY:" is considered only if the parameter CRDIR: is not set to "NONE".
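To make the evaluation rules of this section concrete (first-match scan in PR: order, PERMIT/DENY, service class only with COS:ENABLED and COSDFT: for unmatched datagrams, the SA:/DA: address intervals, the PROT:, SPO:/DPO:/PO: and SIPP:/DIPP: value syntax), here is an added Python simulator. It is example code, not Abilis CPX code, and it makes a few assumptions: the protocol and service mnemonics are the standard IANA numbers; the Elements Lists are stood in for by a constructed dictionary; the page gives no default for SA:, DA:, PROT: and the port parameters, so an unspecified one is treated as "*"; the sample list copies the D IPACL display above with its "telnet(23)" column read as PO:. The CRDIR:/CRKEY: parameters are not modelled.

```python
"""Simulator of the IP access list evaluation documented on this page.
Added example, not Abilis CPX code: filters are checked from PR 0 upwards and
the first match decides; PERMIT routes, DENY discards; a service class is
assigned only with COS:ENABLED; datagrams matching no filter are routed."""
PROTOCOLS = {"icmp": 1, "tcp": 6, "udp": 17, "ospf": 89}      # IANA numbers
SERVICES = {"ssh": 22, "telnet": 23, "http": 80, "snmp": 161}  # IANA ports
# Constructed stand-in for the Elements Lists a filter may name as 'name'.
ELEMENTS_LISTS = {"Mgmt_Hosts": ["10.0.0.10", "10.0.0.20:10.0.0.29"]}
# Assumed defaults: the page states '*' for SIPP:/DIPP: and DFT for IPCOS:;
# an unspecified address, protocol or port is treated here as '*'.
FILTER_DEFAULTS = dict(sa="*", da="*", prot="*", spo="*", dpo="*", po="",
                       sipp="*", dipp="*", ipcos="DFT")

def ip_to_int(text):
    octets = [int(o) for o in text.split(".")]   # leading zeros (001.) accepted
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad address %r" % text)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def address_range(spec):
    """'x.x.x.x' or 'x.x.x.x:y.y.y.y' -> (lo, hi), both inside the SA:/DA: table."""
    lo, _, hi = spec.partition(":")
    lo, hi = ip_to_int(lo), ip_to_int(hi or lo)
    for a in (lo, hi):   # class D/E (and 127.x) lie outside the table's intervals
        if not (a == 0 or 0x01000000 <= a <= 0x7EFFFFFF
                or 0x80000000 <= a <= 0xDFFFFFFF):
            raise ValueError("unsupported address in %s" % spec)
    return lo, hi

def is_supported(spec):
    try:
        return address_range(spec) is not None
    except ValueError:
        return False

def expand(spec):
    """A quoted name ('My_List') stands for every entry of that Elements List."""
    if len(spec) > 2 and spec[0] == spec[-1] == "'":
        return ELEMENTS_LISTS[spec[1:-1]]
    return [spec]

def match_address(spec, addr):
    if spec == "*":
        return True
    a = ip_to_int(addr)
    return any(lo <= a <= hi for lo, hi in map(address_range, expand(spec)))

def match_protocol(spec, prot):
    if spec == "*":
        return True
    if spec == "tcpudp":
        return prot in (PROTOCOLS["tcp"], PROTOCOLS["udp"])
    return any(prot == (PROTOCOLS[s] if s in PROTOCOLS else int(s)) for s in expand(spec))

def match_port(spec, port):
    """'23', 'telnet', '1:1024' or '*' (mnemonics exist only for 1-1024)."""
    if spec == "*":
        return True
    for s in expand(spec):
        lo, _, hi = s.partition(":")
        lo = SERVICES.get(lo, lo)
        hi = SERVICES.get(hi, hi) if hi else lo
        if int(lo) <= port <= int(hi):
            return True
    return False

def make_filter(pr, ftype, **params):
    return dict(FILTER_DEFAULTS, pr=pr, type=ftype, **params)

def matches(f, d):
    """d: src, dst, prot (number), sport, dport, sipp, dipp (IP port or 'INT')."""
    if not (match_address(f["sa"], d["src"]) and match_address(f["da"], d["dst"])
            and match_protocol(f["prot"], d["prot"])
            and f["sipp"] in ("*", str(d["sipp"]))   # SIPP:/DIPP: '*', 'INT' or 0-63
            and f["dipp"] in ("*", str(d["dipp"]))):
        return False
    if d["prot"] not in (PROTOCOLS["tcp"], PROTOCOLS["udp"]):
        return True      # port parameters are used only for TCP and UDP
    if f["po"]:          # PO: is an alternative to SPO:/DPO: (either port)
        return match_port(f["po"], d["sport"]) or match_port(f["po"], d["dport"])
    return match_port(f["spo"], d["sport"]) and match_port(f["dpo"], d["dport"])

def evaluate(acl, d, cos="DISABLED", cosdft="NORMAL"):
    """Return (verdict, service class) for datagram d under the list acl."""
    for f in sorted(acl, key=lambda f: f["pr"]):     # PR 0 is checked first
        if matches(f, d):
            if f["type"] == "DENY":
                return "DENY", None
            if cos != "ENABLED":
                return "PERMIT", None
            return "PERMIT", cosdft if f["ipcos"] in ("DFT", "D") else f["ipcos"]
    # No filter matched: routed, with COSDFT: when service classes are enabled.
    return "PERMIT", cosdft if cos == "ENABLED" else None

# Constructed list modelled on the D IPACL display above ('telnet(23)' read as PO:).
ACL = [
    make_filter(0, "PERMIT", sa="1.1.1.1", da="2.2.2.2", prot="tcp", po="telnet"),
    make_filter(1, "DENY", sa="1.1.1.1", da="2.2.2.2", prot="ospf"),
    make_filter(2, "PERMIT", sa="1.1.1.1", da="2.2.2.2", prot="udp", spo="snmp",
                dipp="INT", ipcos="LOW"),
    make_filter(3, "PERMIT", ipcos="LOW"),
]
```

Two points worth checking with the simulator before a list goes into production: the order of PR: indexes decides (a DENY placed after a broad PERMIT never fires), and a datagram that matches no filter is routed, so a list without a final catch-all DENY only prioritises traffic, it does not block anything it has not named.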
