Ubigate iBG2016 Configuration Guide
© SAMSUNG Electronics Co., Ltd.

CHAPTER 2. Packet Filtering

Ubigate iBG2016s can be configured for MAC and IP traffic filtering capabilities. IP traffic filtering allows creation of rule sets that selectively block TCP/IP packets on a specified interface. Filters are applied independently to all interfaces (Ethernet, serial, or WAN) and independently to each interface direction: IN (packets coming into the Ubigate iBG2016) or OUT (packets going out of the Ubigate iBG2016).

IP packet filtering capability can be used to restrict access to the Ubigate iBG2016 from untrusted, external networks or from specific, internal networks. An example would be a filter that prohibits external users from establishing Telnet sessions to the Ubigate iBG2016, and allows only specific internal users Telnet access to the system.

- At the end of every rule list is an implied 'deny all traffic' statement. Therefore, all packets not explicitly permitted by filtering rules are denied. This effectively means that once you enter a 'deny' statement in your filter list, you are implicitly denying all packets from crossing the interface. Therefore, it is important that each filter list contain at least one 'permit' statement.

- The order in which you enter the filtering rules is important. As the Ubigate iBG2016 evaluates each packet, the SNOS tests the packet against each rule statement sequentially. After a match is found, no more rule statements are checked. For example, if you create a rule statement that explicitly permits all traffic, all traffic is passed since no further rules are checked.

- The SNOS permits easy re-ordering of filter commands through access-list insert and delete commands.
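
The two evaluation rules above (first match wins, implied deny at the end) can be modelled offline to audit a rule list before it is applied. The following Python sketch is an added example, not part of this guide and not SNOS command syntax; the Rule and Packet fields, the list names and all addresses are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):           # hypothetical rule model, not SNOS syntax
    action: str                   # "permit" or "deny"
    src: str                      # source network in CIDR form
    proto: str                    # "tcp", "udp" or "any"
    dport: Optional[int]          # destination port, None = any port

class Packet(NamedTuple):
    src: str
    proto: str
    dport: int

def matches(rule, pkt):
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))

def evaluate(rules, pkt):
    """Return (action, index of the deciding rule); index None = implied deny."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i         # first match wins, later rules ignored
    return "deny", None                   # implied 'deny all traffic' at list end

def shadowed(rules):
    """Indices of rules fully covered by an earlier rule, so they never match."""
    dead = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if (ipaddress.ip_network(r.src).subnet_of(ipaddress.ip_network(e.src))
                    and e.proto in ("any", r.proto)
                    and e.dport in (None, r.dport)):
                dead.append(i)
                break
    return dead

# Constructed rule lists modelling the Telnet example (addresses are samples).
TELNET_FILTER = [
    Rule("permit", "10.1.1.0/28", "tcp", 23),   # specific internal users
    Rule("deny", "0.0.0.0/0", "tcp", 23),       # everyone else: no Telnet
    Rule("permit", "0.0.0.0/0", "any", None),   # pass remaining traffic
]
# Same rules with the permit-all entered first: the Telnet rules become dead.
MISORDERED = [TELNET_FILTER[2], TELNET_FILTER[0], TELNET_FILTER[1]]
# A list holding only a deny statement blocks everything via the implied deny.
DENY_ONLY = [Rule("deny", "0.0.0.0/0", "tcp", 23)]
```

Running shadowed() over a rule list before loading it shows which entries would need to be moved with the access-list insert and delete commands.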