SLC8000 - configuring and testing IP Filter Rulesets

How can I allow one or a few hosts to communicate with an SLC8000 while blocking all others?


To allow some hosts to connect to an SLC8000 while blocking all others, use one or more IP Filter rulesets.

When testing IP Filter Rulesets it is helpful to set a relatively short Test Timer, so that if you accidentally lock yourself out you only have to wait for the test to time out.

Once you're sure everything is working the way you want, enable IP Filters with no test timer.

'0.0.0.0/0;All;;Drop' is the "drop all" rule.

So if you set up a ruleset named "Drop-All" it will look like this:

Then map that ruleset to Ethernet 1:

The pings from a host at 172.20.192.101 and another host at 172.18.11.114 are both blocked when you click Apply:


However, you usually want to allow one or a few hosts to log in. In that case set up a ruleset similar to the one below, named 'Deny-all-but-1'.

This ruleset allows one host to communicate, but nothing else. It looks like this:

Delete the mapping to the "Drop-all" ruleset and map "Deny-all-but-1" to Ethernet 1:

Now when you click Apply, only the "non-allowed" host stops getting ping responses:


Notes:

If you edit a ruleset you need to delete the mapping to the Ethernet port, then re-map it or the change will not take effect.

The '0.0.0.0/0;All;;Drop' rule must always be the last rule in the list.

Each rule will be tested and the first one that matches will run. The rest will be ignored.

It's best to put the most specific rules first, e.g. '172.20.192.101/32;All;;Accept', then more general rules, e.g. '172.18.0.0/16;All;;Accept' to accept connections from the entire 172.18 subnet, etc.

All "Accept" rules should be before any "Drop" or "Deny" rules.

"Drop" silently discards the incoming packet; "Deny" responds with a RST.

For security we prefer "Drop". If the SLC responds with a RST packet, an attacker then knows there is a host at that IP address that they may be able to break into or try to perform a DDoS attack on.
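The first-match evaluation and the ordering rules in the notes above, as an added Python example; this is not Lantronix code and does not run on the SLC, it only models the rule semantics described here. It assumes the 'network/prefix;protocol;port;action' layout shown in the rules on this page, treats the empty third field as a port field that is not evaluated, and uses constructed rulesets modelled on 'Deny-all-but-1'.

```python
import ipaddress

# Constructed ruleset in the page's "network/prefix;protocol;port;action" form,
# modelled on 'Deny-all-but-1'. The empty third field is assumed to be a port
# field and is not evaluated in this model.
DENY_ALL_BUT_1 = [
    "172.20.192.101/32;All;;Accept",
    "0.0.0.0/0;All;;Drop",
]

def parse_rule(rule):
    """Split one rule string into (network, protocol, port, action)."""
    net, proto, port, action = rule.split(";")
    return ipaddress.ip_network(net, strict=False), proto, port, action

def evaluate(ruleset, src_ip, proto="All"):
    """First matching rule wins and the rest are ignored; None if nothing matched."""
    addr = ipaddress.ip_address(src_ip)
    for rule in ruleset:
        net, rproto, _port, action = parse_rule(rule)
        if addr in net and rproto in ("All", proto):
            return action
    return None

def lint(ruleset):
    """Report the ordering mistakes the notes warn about, before mapping the ruleset."""
    problems = []
    parsed = [parse_rule(r) for r in ruleset]
    last_net, _, _, last_action = parsed[-1]
    if last_net.prefixlen != 0 or last_action != "Drop":
        problems.append("drop-all rule (0.0.0.0/0;All;;Drop) must be last")
    blocking_seen = False
    for i, (net, _, _, action) in enumerate(parsed):
        if action in ("Drop", "Deny"):
            blocking_seen = True
        elif action == "Accept" and blocking_seen:
            problems.append(f"rule {i}: Accept placed after a Drop/Deny rule")
        # A rule whose network lies inside an earlier rule's network can never
        # match, because the earlier, more general rule always runs first.
        for j in range(i):
            if net.subnet_of(parsed[j][0]):
                problems.append(f"rule {i}: shadowed by rule {j}")
                break
    return problems
```

Run `lint` on a ruleset before mapping it to Ethernet 1; an empty list means the drop-all rule is last, no Accept follows a Drop/Deny, and no rule is shadowed by an earlier, broader one.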

The CLI commands for IP Filter are listed on page 71 of the current Lantronix SLC 8000 – User Guide.

Documentation is available through the SLC8000 Docs and Firmware link on the Product Index page, available from the Products & Services page of the Lantronix web site:
https://www.lantronix.com/

[Originally Published On: 12/12/2016 03:55 PM]