Gustavo Vegas <titan!gustavo @
In the context of Internet screening routers,
> How About Netblazers?
My biggest concern about NetBlazers is that at present they cannot be configured
to block IP source routed packets. Since so many other security tools use IP
addresses for authentication (no flame please), I regard this lack as critical.
The NetBlazer does have packet filtering on incoming as well as
outgoing packets, based on interface, source address, destination address,
protocol, and destination port.
Addresses in filter specifications can be specified with Don'tCare bits to the
right (they specify the relevant address length in bits, not a mask).
They also have a wealth of operators for combining port specifications.
The router keeps all filter specifications in a single list,
but it can be viewed by interface specification.
As filter statements are added they go at the top (highest precedence)
of the list (the opposite of Cisco) except for the default specification,
which is at the end if present. I think incoming filters take precedence.
A filter lookup command is available for testing the effect of the filter set
on a packet with specified parameters.
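
Added example, not part of the original message and not NetBlazer syntax: a small Python model of the filter semantics described above (addresses given with a relevant bit length, new statements placed at the top of a single list, the default consulted last, and a lookup for testing a packet). The class names, field names and sample addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                # "permit" or "deny"
    interface: Optional[str]   # None matches any interface
    src: str                   # address/relevant-bits, e.g. "198.51.100.0/24"
    dst: str
    protocol: Optional[str]    # None matches any protocol
    dport: Optional[int]       # None matches any destination port

    def matches(self, iface, src, dst, proto, dport):
        # Only the leading "relevant" bits of each address are compared.
        return ((self.interface is None or self.interface == iface)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and (self.protocol is None or self.protocol == proto)
                and (self.dport is None or self.dport == dport))

class FilterList:
    def __init__(self):
        self.rules = []        # index 0 has the highest precedence
        self.default = None    # consulted last, if present

    def add(self, rule):
        self.rules.insert(0, rule)   # newest statement goes on top

    def set_default(self, action):
        self.default = action

    def lookup(self, iface, src, dst, proto, dport):
        # First matching statement decides; otherwise fall through to default.
        for rule in self.rules:
            if rule.matches(iface, src, dst, proto, dport):
                return rule.action
        return self.default

def build_sample():
    # Constructed sample: the broad permit is entered first, the narrow deny
    # second. Because additions go on top, the deny is evaluated first; with
    # append ordering the permit would shadow it.
    fl = FilterList()
    fl.set_default("deny")
    fl.add(Rule("permit", "eth0", "0.0.0.0/0", "192.0.2.0/24", "tcp", 25))
    fl.add(Rule("deny", "eth0", "198.51.100.0/24", "192.0.2.0/24", "tcp", 25))
    return fl
```

Running the same lookups against a list built in the opposite order is a quick way to see how entry order changes the verdict before a rule set goes onto a live router.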