How do I configure Ascend data filter attributes so that my customers can only connect to specific SMTP servers when they connect to the network?
May 25 2004
The example below blocks all SMTP (TCP port 25) traffic except traffic to the host x.x.x.x:
1. [Ascend] Data-Filter = "ip in forward dstip x.x.x.x/32 tcp dstport = 25"
2. [Ascend] Data-Filter = "ip in drop tcp dstport = 25"
3. [Ascend] Data-Filter = "ip in forward"
1. Allows a specific IP address to be reached on TCP port 25 (SMTP).
2. Denies all traffic destined for TCP port 25 (SMTP).
3. Default access rule, used when none of the previous rules have matched; allows access on all other ports/protocols/addresses.
Data filters are order-dependent and stop processing on the first match. In the example above, when the client opens an SMTP session to server x.x.x.x, the first line of the filter matches and all rules after it are ignored. If you were to put a data filter attribute containing "ip in drop tcp dstport = 25" before "ip in forward dstip x.x.x.x/32 tcp dstport = 25", all SMTP traffic, including that destined for x.x.x.x, would be dropped.
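The first-match behaviour can be checked offline before a rule list goes into a user profile. The following is an added example, not vendor code: a simplified evaluator that understands only the filter syntax shown on this page, with 192.0.2.10 as a constructed stand-in for x.x.x.x and `evaluate`/`parse_rule` as hypothetical helper names.

```python
import ipaddress
import re

# Simplified grammar, covering only the filter forms used on this page:
#   ip in <forward|drop> [dstip <addr>/<bits>] [tcp|udp] [dstport = <n>]
RULE_RE = re.compile(
    r"^ip\s+in\s+(?P<action>forward|drop)"
    r"(?:\s+dstip\s+(?P<dstip>\S+))?"
    r"(?:\s+(?P<proto>tcp|udp))?"
    r"(?:\s+dstport\s*=\s*(?P<dstport>\d+))?\s*$"
)

def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported filter: {text!r}")
    return {
        "action": m["action"],
        "net": ipaddress.ip_network(m["dstip"]) if m["dstip"] else None,
        "proto": m["proto"],
        "dstport": int(m["dstport"]) if m["dstport"] else None,
    }

def evaluate(filters, dst, proto, dport):
    """Return (action, rule_number) for the first matching rule."""
    addr = ipaddress.ip_address(dst)
    for n, text in enumerate(filters, start=1):
        r = parse_rule(text)
        # A field left out of the rule matches any value.
        if ((r["net"] is None or addr in r["net"])
                and r["proto"] in (None, proto)
                and r["dstport"] in (None, dport)):
            return r["action"], n  # first match wins; later rules are not read
    return None, None  # no rule matched; this page does not cover that case

ALLOWED = "192.0.2.10"  # constructed stand-in for x.x.x.x
CORRECT = [
    f"ip in forward dstip {ALLOWED}/32 tcp dstport = 25",
    "ip in drop tcp dstport = 25",
    "ip in forward",
]
MISORDERED = [CORRECT[1], CORRECT[0], CORRECT[2]]  # drop rule placed first

if __name__ == "__main__":
    for name, fs in (("correct", CORRECT), ("misordered", MISORDERED)):
        for dst, port in ((ALLOWED, 25), ("198.51.100.7", 25), ("198.51.100.7", 443)):
            print(name, dst, port, evaluate(fs, dst, "tcp", port))
```

With the misordered list, SMTP to the permitted server is dropped by rule 1 and the forward rule for that host is never reached.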
There are two Ascend data filter attributes: one is attribute 242 in the standard vendor space (VendorID=0) and the other is attribute 242 in the Ascend vendor space (VendorID=529). We recommend using the data filter attribute in the Ascend vendor space when possible.