
BorderManager Filters and Filter Exceptions


01 Mar 2002


Taken from Technical Information Documents #10018659, #10013153, #2936463, and #10016823

The Packet Filter Troubleshooting and Solutions Guide

If you are having problems with packet filtering, go to the Novell Support Web site and look up TID #10018659. Last modified 15 May, 2001, and entitled "Packet Filter Troubleshooting and Solutions Guide," this TID deals with packet filtering and Novell BorderManager 3.0.

You may be having packet filtering problems if the following services are failing through a firewall:

  • IP services

  • Domain Name Services (DNS)

  • POP3

  • SMTP

  • HTTP

  • FTP

The "Packet Filter Troubleshooting and Solutions Guide" document provides some debugging, functionality and tuning guidelines that may be used to address packet filtering issues within BorderManager. The document contains the following information:

  • Packet Filter SET commands

  • IPFLT31 debug commands

  • How to collect information for Technical Support

  • Filter Processing algorithm

You can go directly to this TID at: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10018659.htm

How to Put BorderManager Default Filters Back in Place

According to TID #10013153, the steps for resetting BorderManager filters to their default settings are as follows:

  1. Unload IPFLT, IPXFLT, and FILTSRV NLMs at the server console.

  2. Disable filter support in INETCFG/PROTOCOLS/TCPIP and IPX.

  3. Rename the SYS:ETC/FILTERS.CFG file.

  4. Reinitialize system.

  5. Load BRDCFG.NLM.

  6. Say NO to launch INETCFG.NLM.

  7. Select Set Filters on the Public interface.

  8. Select the PUBLIC interface and press Enter on Continue.

  9. Press ENTER when prompted to acknowledge both IP and IPX filter placement success.

  10. Press ESCAPE to leave the BRDCFG.NLM. The system will reinitialize automatically.

This information was last modified 31 July, 2001 (as of this writing).

Filter Exceptions for IPX Login Across BorderManager

After applying the default filters during the BorderManager installation (or through the process described above), workstations on the private network may no longer be able to log in to server(s) on the public network. However, when either IPX filtering is disabled or IPXFLT.NLM is unloaded, workstations on the private side are able to log in to the server(s) on the public network successfully.

The default IPX filters that are applied during installation of BorderManager block all RIP and SAP on the public interface. They also block all packets from being routed to or from the public interface.

If IPX filtering is desired, complete the following steps to create filter exceptions that will allow you to log in to specific servers on the public network. These filter exceptions will all be created in FILTCFG. For more basic information about creating filters in FILTCFG, search the Novell Documentation on the term "filter." Also see the "Packet Filter Troubleshooting and Solutions Guide," TID #10018659.

Note: It is easiest to create SAP filter exceptions with filtering DISABLED. That way, you can select the SAPs from the server's SAP table instead of having to remember the SAP type or the service name. For ease of explanation, it is assumed that the private and public interfaces are named PRIVATE and PUBLIC, respectively.

For each server that will be accessed from the private network to the public network, create the following four filter exceptions:

  1. Incoming SAP Filters, Exceptions, <INS>, Service Name:, <INS>. A SAP list will appear (assuming the IPXFLT NLM is not currently loaded). Select the SAP with the server's name and SAP type of 0004. If you also need to access that server through the RCONSOLE utility, also select SAP type 0107.

    Note: SAP type 0107 will only appear as a selection for a server if the REMOTE.NLM is currently running on that server.

    Save that filter exception.

  2. Incoming RIP Filters, Exceptions, <INS>. In the Network Number field, enter the INTERNAL IPX NETWORK NUMBER of the destination server. The internal IPX network number can be seen by typing CONFIG <Enter> at the system console of that server.

    Save that filter exception.

  3. At the NetBIOS and Packet Forwarding Filters, Exceptions, press <INS>. Fill in the fields with the following information:

    • Source Interface: PRIVATE

    • Destination Interface: PUBLIC

    • Packet Information:

    • Destination Address Type: NETWORK

    • Destination IPX Address: "internal IPX network number of destination server"/FFFFFFFF

    • Comment: Exception to allow login to <servername>.

  4. At the NetBIOS and Packet Forwarding Filters, Exceptions, press <Ins>. Fill in the fields with the following information:

    • Source Interface: PUBLIC

    • Destination Interface: PRIVATE

    • Packet Information:

    • Source Address Type: NETWORK

    • Source IPX Address: "internal IPX network number of destination server"/FFFFFFFF

    • Comment: Exception to allow login to <servername>.

These filter exceptions have been tested for login to both NetWare 3.12 and NetWare 4.1x servers.

This information was taken from TID #2936463 and was last modified 10 July, 2001 (as of this writing).
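
A simplified model of forwarding exceptions 3 and 4 above, added here as an illustration (it is not Novell code and not BorderManager's filter algorithm). The network numbers are constructed, and the address/mask comparison is assumed to be the usual bitwise one; the last case shows why the FFFFFFFF mask matters.

```python
# Simplified model (added example): default-deny IPX forwarding plus the two
# exceptions from steps 3 and 4. Not BorderManager's actual filter code.
from dataclasses import dataclass

@dataclass(frozen=True)
class ForwardException:
    src_if: str
    dst_if: str
    match_on: str              # "src" or "dst": which IPX network field is compared
    network: int
    mask: int = 0xFFFFFFFF

    def permits(self, src_if, dst_if, src_net, dst_net):
        if (src_if, dst_if) != (self.src_if, self.dst_if):
            return False
        packet_net = src_net if self.match_on == "src" else dst_net
        # Assumed semantics: only the bits selected by the mask are compared.
        return (packet_net & self.mask) == (self.network & self.mask)

def login_exceptions(server_net, mask=0xFFFFFFFF):
    """Steps 3 and 4 for one public-side server: one exception per direction."""
    return [
        ForwardException("PRIVATE", "PUBLIC", "dst", server_net, mask),
        ForwardException("PUBLIC", "PRIVATE", "src", server_net, mask),
    ]

def forwarded(exceptions, src_if, dst_if, src_net, dst_net):
    """Default filters drop routed packets unless an exception matches."""
    return any(e.permits(src_if, dst_if, src_net, dst_net) for e in exceptions)

# Constructed sample values, not taken from the page.
CLIENT_NET = 0x0000A001        # private LAN segment
SERVER_NET = 0x3C5A1F07        # internal IPX network number of the allowed server
OTHER_NET = 0x3C5A2222         # a different server on the public side

def demo():
    tight = login_exceptions(SERVER_NET)
    loose = login_exceptions(SERVER_NET, mask=0xFFFF0000)
    return {
        "request_to_server": forwarded(tight, "PRIVATE", "PUBLIC", CLIENT_NET, SERVER_NET),
        "reply_from_server": forwarded(tight, "PUBLIC", "PRIVATE", SERVER_NET, CLIENT_NET),
        "other_public_server": forwarded(tight, "PUBLIC", "PRIVATE", OTHER_NET, CLIENT_NET),
        "other_with_short_mask": forwarded(loose, "PUBLIC", "PRIVATE", OTHER_NET, CLIENT_NET),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24} {'forwarded' if allowed else 'dropped'}")
```

Dropping either exception breaks one direction of the login traffic, which is why the steps create one per direction for every server.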

Filter Exceptions for Lotus Notes

To create filter exceptions for Lotus Notes on a server running BorderManager, perform the following steps:

  1. Load the FILTCFG utility. Select Configure TCPIP Filters | Packet Forwarding Filters | Exceptions entries, then press <Ins>.

  2. Set Source Interface = Private NIC and Destination Interface = Public NIC.

  3. Select the Packet Type option, press <Enter> then <Ins>. Name it something like Lotus Notes-ST | Protocol=TCP | Source Port=1024-65535 | Destination Port=1352 | Enable Stateful Filters. Press <Esc> then Save | <Enter>.

  4. For Destination Address, select Network or Host (depending on your configuration), then put in the appropriate Network Address and Mask.

  5. Press <Esc> then Save, adding the custom filter exception into the filter exception list.

  6. Unload IPFLT, IPXFLT, FILTSRV NLMs, then reinitialize the server. Test to see if you have the results you desired.

This information was taken from TID #10016823 and was last modified 10 September, 2001 (as of this writing).
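
What the single stateful exception built in the Lotus Notes steps is meant to pass and to drop, as a simplified model added here (it is not Novell code and not BorderManager's filter algorithm). The addresses are constructed, a Host destination is assumed, and "stateful" is modeled as admitting only replies that mirror a connection opened from the private side.

```python
# Simplified model (added example) of one stateful TCP exception:
# Private -> Public, source port 1024-65535, destination port 1352.
from dataclasses import dataclass, field

@dataclass
class StatefulException:
    server: str                                 # Destination Address (Host)
    dst_port: int = 1352                        # Lotus Notes
    src_ports: range = range(1024, 65536)       # Source Port=1024-65535
    flows: set = field(default_factory=set)     # connections opened from Private

    def forward(self, in_if, out_if, src, sport, dst, dport):
        """Return True if the TCP packet is forwarded; anything else is dropped."""
        if (in_if, out_if) == ("PRIVATE", "PUBLIC"):
            if dst == self.server and dport == self.dst_port and sport in self.src_ports:
                self.flows.add((src, sport, dst, dport))    # remember the flow
                return True
            return False
        if (in_if, out_if) == ("PUBLIC", "PRIVATE"):
            # A reply passes only when it mirrors a flow recorded above.
            return (dst, dport, src, sport) in self.flows
        return False

# Constructed addresses from documentation ranges, not taken from the page.
CLIENT, NOTES, OTHER = "192.0.2.10", "198.51.100.5", "198.51.100.99"

def demo():
    f = StatefulException(server=NOTES)
    return [
        f.forward("PUBLIC", "PRIVATE", NOTES, 1352, CLIENT, 40000),  # unsolicited, no flow yet
        f.forward("PRIVATE", "PUBLIC", CLIENT, 40000, NOTES, 1352),  # client connects
        f.forward("PUBLIC", "PRIVATE", NOTES, 1352, CLIENT, 40000),  # server reply
        f.forward("PUBLIC", "PRIVATE", OTHER, 1352, CLIENT, 40000),  # different public host
        f.forward("PRIVATE", "PUBLIC", CLIENT, 40000, NOTES, 80),    # other service
        f.forward("PRIVATE", "PUBLIC", CLIENT, 900, NOTES, 1352),    # source port below 1024
    ]

if __name__ == "__main__":
    for verdict in demo():
        print("forwarded" if verdict else "dropped")
```

The same six cases make a reasonable checklist for the "Test to see if you have the results you desired" step: only the client connection and its reply should get through.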

* Originally published in Novell AppNotes

