IP filtering is a mechanism for deciding which types of IP datagrams will be processed normally and which will be discarded. By “discarded,” we mean that the datagram is deleted and completely ignored, as if it had never been received. You can apply a variety of criteria to select the datagrams to filter; some examples are as follows:
- Protocol type: TCP, UDP, ICMP.
- TCP/UDP port number.
- Datagram type: SYN/ACK, data, ICMP Echo Request.
- Datagram source address: where it originated.
- Datagram destination address: where it is going.
It is essential to understand that IP filtering is a network layer feature. This means that it knows nothing about the application that uses the network connections, only about the connections themselves. For instance, you can deny users access to your internal network via the default telnet port, but relying solely on IP filtering will not prevent them from using the telnet program with a port that your firewall does allow.
This type of problem can be avoided by using proxy servers for each service that is allowed through your firewall. Proxy servers understand the application for which they were created and can thus prevent abuses such as using the telnet program to bypass a firewall via the World Wide Web port.
If your firewall supports a Web proxy, their telnet connection will always be answered by the proxy, and only HTTP requests will be allowed to pass. Numerous proxy-server programs are available. Several are freeware, while others are commercial products. Although the Firewall-HOWTO describes one of them, they are beyond the scope of this guide.
The IP filtering ruleset is composed of numerous combinations of the previously specified criteria. For instance, suppose you wish to deny World Wide Web users within the Virtual network all access to the Internet except to view the web servers of other sites. You would set up your firewall to permit the forwarding of the following:
- Datagrams with a source address on the Virtual network, a destination address of any location, and a destination port of 80.
- Datagrams from any source address with a destination address on the Virtual network and a source port of 80.
Note that we used two rules in this case. We must permit not only the transmission of our data but also the receipt of the matching response data. As we will see shortly, Linux, rather than Windows, Android, or macOS, simplifies this and allows us to express it in a single command.
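The two forwarding rules above can be modeled as a first-match filter with a default-deny policy. The following is an added example, not code from the original guide; the Virtual network address (172.16.1.0/24), the class names and the sample packets are assumptions constructed for illustration. It also shows the limitation described earlier: the filter never looks at the payload, so a telnet session pointed at port 80 is forwarded just like a web request.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumption: the page gives no address for the "Virtual network";
# 172.16.1.0/24 is a constructed stand-in.
VIRTUAL_NET = ipaddress.ip_network("172.16.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""          # carried along, never inspected by the filter

@dataclass(frozen=True)
class Rule:
    proto: str
    src_net: ipaddress.IPv4Network
    sport: Optional[int]          # None matches any port
    dst_net: ipaddress.IPv4Network
    dport: Optional[int]

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and ipaddress.ip_address(p.src) in self.src_net
                and ipaddress.ip_address(p.dst) in self.dst_net
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))

# The two forwarding rules from the text: requests out, replies back.
FORWARD_RULES = [
    Rule("tcp", VIRTUAL_NET, None, ANY, 80),
    Rule("tcp", ANY, 80, VIRTUAL_NET, None),
]

def forward(p: Packet, rules=FORWARD_RULES) -> str:
    """First match wins; anything unmatched is discarded (default deny)."""
    return "ACCEPT" if any(r.matches(p) for r in rules) else "DROP"

# Constructed sample traffic (203.0.113.0/24 is a documentation range).
HTTP_REQUEST = Packet("tcp", "172.16.1.20", 40001, "203.0.113.10", 80, b"GET / HTTP/1.1\r\n")
HTTP_REPLY = Packet("tcp", "203.0.113.10", 80, "172.16.1.20", 40001, b"HTTP/1.1 200 OK\r\n")
TELNET_23 = Packet("tcp", "172.16.1.20", 40002, "203.0.113.10", 23, b"telnet data")
TELNET_ON_80 = Packet("tcp", "172.16.1.20", 40003, "203.0.113.10", 80, b"telnet data")
DNS_QUERY = Packet("udp", "172.16.1.20", 40004, "203.0.113.53", 53)
```

Calling `forward(HTTP_REPLY, FORWARD_RULES[:1])` shows why the second rule is needed: with only the outbound rule, the response is dropped.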
Frequently Used IP Filtering Techniques
Filtering by the Firewall
A firewall is a hardware device, a group of hardware devices, or a software application that is used to allow or prohibit network transmissions depending on a set of rules to secure networks from unwanted access while allowing legitimate traffic to flow.
Numerous routers that connect networks have firewall components, and many firewalls, in turn, can perform basic routing duties. The various types of firewalls can be defined according to where the communication takes place, where the communication is intercepted, and the state being tracked.
- IP packet filters function at the IP protocol level, blocking packets that do not meet the rule set defined by the administrator or implemented by default. Modern firewalls are capable of filtering traffic based on a variety of packet attributes. These include the source IP address, the source port, the destination IP address or port, and the destination service, such as the WWW or FTP. They can filter depending on protocols, TTL values, the originator’s or source’s netblock, and a variety of other properties.
- Application layer firewalls operate at the TCP/IP stack’s application level, intercepting all packets traveling to or from an application and preventing undesirable outside traffic from reaching protected workstations without acknowledging the sender. Additional inspection criteria can result in increased latency when packets are forwarded to their destination.
- Mandatory access control (MAC) filtering or sandboxing protects vulnerable services by granting or denying access based on the MAC address of certain devices permitted to connect to a particular network.
- Proxy servers or services can be implemented as dedicated hardware components or as applications on a general-purpose computer, responding to input such as connection requests while rejecting other packets. Abuse of an internal system does not always result in a security breach; however, techniques such as IP spoofing can be used to send packets to a target network.
- The network address translation (NAT) feature enables the concealment of protected devices’ IP addresses by assigning them addresses in the RFC 1918-defined “private address range.” This feature protects against network reconnaissance.
Firewall filtering must be adjusted continually to reflect the most recent security policies, threat situations, and address holdings. Outdated rules such as banning IPv6 by default, blocking specific IP addresses that send malicious traffic, or blocking an entire network/ISP/Country may need to be reassessed periodically to ensure overall network visibility does not deteriorate as more and more traffic is discarded mistakenly.
Filtering of Routes
Route filtering is the process by which certain routes are either not considered for inclusion in the local route database or are not announced. Filters can be applied at the router level, either before routes are broadcast or immediately after a route is learned. Filtering can be justified for a variety of reasons:
- To prevent private address space from leaking into the global Internet, networks’ output and input filtering should prohibit these prefixes.
- When a site is multihomed, displaying non-local routes to a neighbor other than the one from whom the information was obtained amounts to advertising the site’s willingness to act as a transit stop. This is undesirable unless and until appropriate agreements are in place. This issue can be avoided by applying output filtering to these routes.
- Typically, an ISP will filter the routes acquired from a client’s network to limit them to the addresses allotted to that customer. This increases the difficulty of address hijacking. Similarly, an ISP will filter input on routes learned from other ISPs to safeguard its customers’ addresses against address hijacking.
In some circumstances, routers do not have enough main RAM to store the entire global BGP table. By applying input filtering on prefix length, AS count, or a combination of the two, the local route database is limited to a subset of the global table.
This behavior is not encouraged, as it may result in suboptimal routing or even communication failures with small networks, frustrating the efforts of one’s peers to optimize traffic engineering.
Historically, route filtering was also used to block IPv4 address blocks that had not yet been delegated by IANA, known as bogon address space. This method is no longer necessary, as IANA’s available IPv4 address space has been exhausted.
Certain networks have begun banning IPv4 prefixes that are currently being held by Regional Internet Registries (RIRs) but have not yet been allocated to any network.
Due to the daily delegation of resources by RIRs, this approach necessitates a daily change to the route filter. Unless a network has an automated and trustworthy technique for checking the RIR databases, this level of route filtering should be avoided.
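The input-filtering reasons listed in this section (private address space, customer allocations, and table-size limits on prefix length or AS count) can be combined into a single check per announcement. The following is an added example, not configuration from any router or from the original article; the function name, the default maximum prefix length of 24, and the sample prefixes and AS numbers (all from documentation ranges) are assumptions.

```python
import ipaddress

# RFC 1918 private ranges that must not leak into the global table.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def filter_route(prefix, as_path, customer_nets=None, max_len=24, max_as=None):
    """Return (accepted, reason) for one IPv4 route announcement.

    customer_nets: prefixes allotted to the announcing customer, or None
                   when the route was learned from another ISP.
    max_len, max_as: table-size limits on prefix length and AS count
                   (the text notes this kind of limit is not encouraged).
    """
    net = ipaddress.ip_network(prefix)
    # 1. Private address space is never accepted.
    if any(net.subnet_of(p) for p in PRIVATE):
        return False, "private address space"
    # 2. A customer may only announce addresses allotted to it.
    if customer_nets is not None and not any(
            net.subnet_of(ipaddress.ip_network(c)) for c in customer_nets):
        return False, "outside customer allocation"
    # 3. Optional limits that keep the local table small.
    if net.prefixlen > max_len:
        return False, "prefix too long"
    if max_as is not None and len(as_path) > max_as:
        return False, "AS path too long"
    return True, "accepted"

# Constructed sample: a customer allotted 198.51.100.0/24, using AS 64500.
CUSTOMER = ["198.51.100.0/24"]
SAMPLE_ANNOUNCEMENTS = [
    ("198.51.100.0/24", [64500]),     # the customer's own block
    ("192.168.10.0/24", [64500]),     # leaked private prefix
    ("203.0.113.0/24", [64500]),      # someone else's address space
    ("198.51.100.128/25", [64500]),   # inside the block, but too specific
]

def check_customer_session():
    """Apply the filter to every constructed customer announcement."""
    return [filter_route(p, path, customer_nets=CUSTOMER)
            for p, path in SAMPLE_ANNOUNCEMENTS]
```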
Filtering of Email
Email filtering is the process of manually or automatically sorting incoming emails according to predefined criteria and removing spam and computer viruses. The filters enable the delivery of clean messages to the user’s mailbox while sending tainted messages to a quarantine application for inspection or perhaps deletion.
Certain mail filters can change messages while they are being processed, such as disabling hyperlinks in emails to stop an attack before the user clicks. Although less prevalent, some businesses examine outgoing emails to ensure that their staff is abiding by applicable laws.
Email filters work by matching a regular expression, a keyword, or the sender’s email address. Advanced systems block messages from reaching protected mailboxes by utilizing statistical document classification techniques, IP reputation, and complex image analysis algorithms.
When a blacklisted IP address is transferred to a different network, email filtering becomes problematic. The new network’s mail traffic from the blacklisted IP address may be blocked, and the new network will need to contact multiple blacklist maintainers to have the address delisted.
As long as the transfer was properly registered in the APNIC Whois, APNIC would be able to help by verifying the transfer to the entities doing the blocking.
How to Configure an Internet Protocol (IP) Filter
This section is particularly useful for webmasters and website owners. It will walk you through the process of adding an IP filter to Analytics. IP filters are built to allow for the filtering of specific IP traffic. The IP filter can therefore be used in conjunction with or instead of the analytics reports when viewing online statistics.
Before constructing IP filters, you must first build an IP group to which the filter can be applied. The following is a step-by-step method for adding an IP filter to Analytics.
- From the main menu, select Analytics.
- From the sidebar menu, select Analytics Settings.
- From the drop-down menu, select Filters.
- Select the New filter option.
- Give your filter a name. In this example, the filter is named “Own IP Traffic”.
- Select the filter’s access level. If shared, the filter will be available to all users on your Siteimprove account. Private filters are invisible to anyone except the user who created them.
- It is always a good idea to include a note describing the filter’s purpose.
- Select the Add filter element option.
- Choose an IP address.
- If you previously formed an IP group, choose it from the list.
- Select whether to activate or deactivate the filter. Active is the default setting. When a filter is deactivated, it is removed from the list of filters available in the Analytics module.
- Select whether to include or omit the specified IP group from the filter. By default, just show is selected.
- Conduct a filter test. Testing may take some time due to the filter’s retroactive checking of data.
- To complete the filter setup, click the green Create filter button.
Please ensure that you establish communication with your IT department so that you are kept informed whenever your firm acquires any additional IP addresses. In this manner, you can always change your IP groups to include the new IPs and ensure the accuracy of your analytics data.
Frequently Asked Questions
How do I configure my IP filtering?
What is the difference between a firewall and IP filtering?
What is the purpose of IP filtering?
Conclusion
Because IP filtering is such a broad topic, we’ve done our best to cover everything you need to know. Upon completion of this topic, we are confident that the reader will have acquired the necessary background information.