An IP filter policy can stand alone to provide IP filtering and IPSec protection with manual key management. Used in conjunction with the two other policies, it is also required to provide IPSec protection with dynamic key management (IKE). Because filtering is crucial to secure traffic on a host, an IP security policy that contains no IpFilterPolicy statement block or an empty IpFilterPolicy statement block is considered an error, leaving the default policy that is provided by the stack in effect.
The IpFilterPolicy statement block consists of a set of global configuration options followed by one or more IP filter rules.
The purpose of the global configuration options is to control global policy items, such as whether logging is active or whether on-demand Security Association negotiations are allowed, and so forth. These global options apply to all of the IP filter rules that are contained in the policy. Each IP filter rule, in turn, contains data endpoints, traffic descriptions, and actions. When a packet entering or leaving the system matches the data endpoints and traffic description in an IP filter rule, the associated action is taken. If the action is an ipsec action, additional action statements are coded that define the parameters of the IPSec Security Association.
The following sample IpFilterRule statement allows web traffic on an internal server. The Direction keywords used in the sample are described after it:

    IpFilterRule InternalNetWeb
    {
        IpSourceAddr 9.1.1.1
        IpDestAddrSet 9.1.1.0/24
        IpService
        {
            SourcePortRange 80
            DestinationPortRange 1024 65535
            Protocol tcp
            Direction bidirectional InboundConnect
            Routing local
            SecurityClass 0
        }
        IpGenericFilterActionRef permit-nolog
    }
Bidirectional indicates that this rule allows outbound traffic from local address 9.1.1.1 on local port 80 to any address in subnet 9.1.1.0/24 using any ephemeral port (that is, 1024-65535), and inbound traffic from any address in subnet 9.1.1.0/24 using any ephemeral port to local address 9.1.1.1 on local port 80. Without the use of the bidirectional keyword, it would be necessary to create two filter rules, one for outbound traffic and one for inbound traffic.
InboundConnect indicates that the rule will match inbound TCP connection attempts as well as bidirectional data on an established connection, but it will not match outbound TCP connection attempts.
The permit-nolog action that the rule references through IpGenericFilterActionRef is defined by the following IpGenericFilterAction statement, which permits the matching traffic without logging it:

    IpGenericFilterAction permit-nolog
    {
        IpFilterAction permit
        IpFilterLogging no
    }
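To make the matching semantics of the sample rule concrete, the following added example (not part of the original documentation or of the z/OS implementation) models the InternalNetWeb rule as a Python dictionary and evaluates constructed packets against it, mirroring the rule's source/destination fields for inbound traffic and honouring the InboundConnect qualifier. The rule keys, the ConnectQualifier entry and the Packet fields are this example's own assumptions, not product syntax.

```python
import ipaddress
from dataclasses import dataclass

# Constructed rule modelled on the InternalNetWeb sample above.
# In an IpFilterRule the "source" side always describes the local host.
INTERNAL_NET_WEB = {
    "IpSourceAddr": "9.1.1.1",
    "IpDestAddrSet": "9.1.1.0/24",
    "SourcePortRange": (80, 80),
    "DestinationPortRange": (1024, 65535),
    "Protocol": "tcp",
    "Direction": "bidirectional",
    "ConnectQualifier": "InboundConnect",  # hypothetical key for the Direction modifier
}

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    inbound: bool           # True if the packet arrives at the local host
    syn_only: bool = False  # True for a TCP connection attempt (SYN without ACK)

def in_net(addr, spec):
    # A bare address such as 9.1.1.1 becomes a /32 network.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    """Return True if pkt is selected by rule, applying the direction semantics."""
    if pkt.proto != rule["Protocol"]:
        return False
    direction = rule["Direction"]
    if (direction == "inbound" and not pkt.inbound) or (direction == "outbound" and pkt.inbound):
        return False
    # InboundConnect: inbound connection attempts match, outbound attempts do not;
    # established-connection data is unaffected.
    if pkt.proto == "tcp" and pkt.syn_only:
        if rule.get("ConnectQualifier") == "InboundConnect" and not pkt.inbound:
            return False
    # For inbound packets the rule is read as its mirror image: the local host
    # (rule source) is the packet's destination and the remote side its source.
    local_addr, local_port = (pkt.dst, pkt.dport) if pkt.inbound else (pkt.src, pkt.sport)
    remote_addr, remote_port = (pkt.src, pkt.sport) if pkt.inbound else (pkt.dst, pkt.dport)
    llo, lhi = rule["SourcePortRange"]
    rlo, rhi = rule["DestinationPortRange"]
    return (in_net(local_addr, rule["IpSourceAddr"]) and in_net(remote_addr, rule["IpDestAddrSet"])
            and llo <= local_port <= lhi and rlo <= remote_port <= rhi)
```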