Unicast IP Routing
Unicast IP Routing |
|
Windows 2000 IP packet filtering is based on exceptions. You can configure Windows 2000 to either pass all traffic except those disallowed by filters or to discard all traffic except those allowed by filters. For example, you might want to configure a filter to allow all traffic except Telnet traffic (TCP port 23). Or you might want to set up filters on a dedicated Web server to process only Web-based TCP traffic (TCP port 80).
Note
The Windows 2000 Router does not allow the use of user-definable filters where a network administrator can create a filter based on any field of the IP, TCP, UDP or ICMP header. The Windows 2000 Router does not support filtering on any protocols other than IP, TCP, UDP, and ICMP.
Windows 2000 allows filtering on various fields in IP, TCP, UDP, and ICMP headers of incoming and outgoing packets.
In the IP header, filters can be defined for the following fields:
IP Protocol An identifier used to demultiplex the payload of an IP packet to an upper layer protocol. For example, TCP uses a Protocol of 6, UDP uses a Protocol of 17, and ICMP uses a Protocol of 1. When you select a protocol such as TCP, UDP, or ICMP in the IP Filters dialog box, the default values for those protocols are assumed. Windows 2000 allows you to type any value in the IP Protocol text box.
Source IP Address The IP address of the source host, which can be configured with a subnet mask, allowing an entire range of IP addresses (corresponding to an IP network) to be specified with a single filter entry.
Destination IP Address The IP address of the destination host which can be configured with a subnet mask, allowing an entire range of IP addresses (corresponding to an IP network) to be specified with a single filter entry.
In the TCP header, filters can be defined for two fields: the TCP Source Port field, used to identify the source process which is sending the TCP segment; and for the TCP Destination Port, used to identify the destination process for the TCP segment.
Note
The Windows 2000 Router does not support the configuration of a range of TCP ports. For a range of TCP ports, a separate filter for each port in the range must be configured.
In the UDP header, filters can be defined for two fields: the UDP Source Port field, used to identify the source process which is sending the UDP message; and for the UDP Destination Port, used to identify the destination process for the UDP message.
Note
The Windows 2000 Router does not support the configuration of a range of UDP ports. For a range of UDP ports, a separate filter for each port in the range must be configured.
In the ICMP header, filters can be defined for two fields: the ICMP Type field, indicating the type of ICMP packet (such as Echo Request or Echo Reply); and for the ICMP Code field, indicating one of the possible multiple functions within a specified type. If there is only one function within a type, the Code field is set to 0.
Table 3.6 lists commonly used ICMP types and codes.
Table 3.6 Common ICMP Types and Codes
| ICMP Type | ICMP Code | Use |
|---|---|---|
| 0 | 0 | Echo Reply |
| 8 | 0 | Echo Request |
| 3 | 0 | Destination Unreachable - Network Unreachable |
| 3 | 1 | Destination Unreachable - Host Unreachable |
| 3 | 2 | Destination Unreachable - Protocol Unreachable |
| 3 | 3 | Destination Unreachable - Port Unreachable |
| 3 | 4 | Destination Unreachable - Fragmentation Needed and Don't Fragment Flag set |
| 4 | 0 | Source Quench |
| 5 | 1 | Redirect - Redirected datagrams for the host |
| 9 | 0 | Router Advertisement |
| 10 | 0 | Router Solicitation |
| 11 | 0 | Time Exceeded - TTL expiration |
| 11 | 1 | Time Exceeded - Fragmentation Reassembly expiration |
| 12 | 0 | Parameter Problem |
Note
For a complete list of ICMP types and codes, see the link at http://windows.microsoft.com/windows2000/reskit/webresources.