IP filtering

The IP filtering component of packet rules enables you to control what IP traffic you want to allow into and out of your company's network.

Use IP filtering to help protect your system by filtering packets according to the rules that you specify.

You can apply the same filter rules to multiple lines, or you can apply different rules to each line. Filter rules are associated with lines (for example, a token ring line such as trnline), not with logical interfaces or IP addresses. The system checks each packet against each rule that you associate with a line, in sequence. As soon as a packet matches a rule, the system stops checking and applies that rule.

When your system applies a matching rule, it performs the action that the rule specifies:

  • PERMIT — allows the packet to process as usual
  • DENY — immediately discards the packet
  • IPSEC — sends the packet through a virtual private network (VPN) connection, which you specify in the filter rule
Note: In this case, IP security protocol (IPSec) is an action that you can define in your filter rules. Even though this topic does not cover IPSec specifically, it is important to note that filtering and virtual private networking (VPN) are closely related.

After the system applies a rule, it continues its sequential comparison of rules and packets, applying the action of the matching rule to each packet. If the system cannot find a matching rule for a packet, it discards that packet: the system's default deny rule ensures that any packet not matched by a filter rule is automatically discarded. Note that the default deny rule applies in both directions. If a filter rule permits traffic in only one direction, such as inbound or outbound, traffic in the other direction is not covered by that rule, so unmatched inbound packets and unmatched outbound packets are both discarded.
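The evaluation semantics described above (rules bound to a line and a direction, first match wins, implicit default deny in both directions) can be modelled in a few lines. The following is an added illustrative model written for this page, not the packet rules engine or rule syntax of the product itself; the line name TRNLINE, the rule names, the documentation-range addresses and the VPN connection name BRANCH_VPN are all constructed for the example. It shows in particular the caveat from the last paragraph: a PERMIT rule written for inbound traffic only leaves the outbound replies to fall through to default deny.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import List, Optional


class Action(Enum):
    PERMIT = "PERMIT"   # packet continues normal processing
    DENY = "DENY"       # packet is discarded immediately
    IPSEC = "IPSEC"     # packet is sent through the named VPN connection


class Direction(Enum):
    INBOUND = "INBOUND"
    OUTBOUND = "OUTBOUND"


@dataclass(frozen=True)
class Packet:
    line: str            # physical line the packet arrives on / leaves by
    direction: Direction
    src: str
    dst: str
    protocol: str        # e.g. "TCP", "UDP"
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class FilterRule:
    name: str
    line: str                        # rules bind to a line, not to an interface or address
    direction: Direction             # each rule covers exactly one direction
    action: Action
    src_net: str = "0.0.0.0/0"       # any source
    dst_net: str = "0.0.0.0/0"       # any destination
    protocol: str = "*"              # "*" = any protocol
    dst_port: Optional[int] = None   # None = any port
    vpn_connection: Optional[str] = None  # only meaningful for IPSEC

    def matches(self, pkt: Packet) -> bool:
        # Line and direction are checked first: a rule on another line, or for
        # the opposite direction, never applies to this packet.
        if pkt.line != self.line or pkt.direction != self.direction:
            return False
        if ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.protocol != "*" and self.protocol != pkt.protocol:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


@dataclass(frozen=True)
class Verdict:
    action: Action
    rule: Optional[str]                 # None when the implicit default deny applied
    vpn_connection: Optional[str] = None


def evaluate(rules: List[FilterRule], pkt: Packet) -> Verdict:
    """Sequential, first-match evaluation; an unmatched packet hits default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return Verdict(rule.action, rule.name, rule.vpn_connection)
    return Verdict(Action.DENY, None)


# Constructed sample rule set for a single line (order matters: first match wins).
RULES = [
    FilterRule("block_bad_host", "TRNLINE", Direction.INBOUND, Action.DENY,
               src_net="203.0.113.7/32", protocol="TCP", dst_port=80),
    FilterRule("allow_web_in", "TRNLINE", Direction.INBOUND, Action.PERMIT,
               dst_net="192.0.2.0/24", protocol="TCP", dst_port=80),
    FilterRule("branch_vpn_out", "TRNLINE", Direction.OUTBOUND, Action.IPSEC,
               dst_net="198.51.100.0/24", vpn_connection="BRANCH_VPN"),
]

# Constructed sample packets.
WEB_IN = Packet("TRNLINE", Direction.INBOUND, "203.0.113.9", "192.0.2.10", "TCP", 80)
BAD_IN = Packet("TRNLINE", Direction.INBOUND, "203.0.113.7", "192.0.2.10", "TCP", 80)
VPN_OUT = Packet("TRNLINE", Direction.OUTBOUND, "192.0.2.10", "198.51.100.5", "TCP", 443)
WEB_REPLY_OUT = Packet("TRNLINE", Direction.OUTBOUND, "192.0.2.10", "203.0.113.9", "TCP", 51000)
OTHER_LINE_IN = Packet("ETHLINE", Direction.INBOUND, "203.0.113.9", "192.0.2.10", "TCP", 80)


if __name__ == "__main__":
    for name, pkt in [("web in", WEB_IN), ("blocked host", BAD_IN), ("vpn out", VPN_OUT),
                      ("web reply out", WEB_REPLY_OUT), ("other line", OTHER_LINE_IN)]:
        v = evaluate(RULES, pkt)
        print(f"{name:14s} -> {v.action.value:6s} by {v.rule or 'default deny'}")
```

Running the script shows the web reply leaving on TRNLINE being dropped by default deny even though the matching request was permitted inbound, and the same request arriving on ETHLINE being dropped because no rule is bound to that line. Both are exactly the situations the text warns about, and both are worth checking explicitly when a rule set is written for one direction or one line only.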