Filter Exception: NDS and Time Synchronization (Formerly TID # 2941551)
Novell BorderManager 3.6
Novell BorderManager 3.5
Scenario: Two LAN segments are separated by a BorderManager server. One segment (PRIVATE) is the production environment; the other segment (Training) is connected to a training room. Both segments have NetWare 4.11 servers, and all servers are in the same tree. The administrator wishes to filter all IPX traffic between the two segments except NDS and time synchronization.
Solution: Load FILTCFG and create the following filters and exceptions in "Configure IPX Filters"
Outgoing SAP Filters:
Action: Deny Services in Filter List
Filters: Select "List of Denied Services" and hit Enter. Hit Insert, type an asterisk in the Service Name field, and hit Enter again. Then hit Escape and save the filter. With Service Type FFFF the entry denies every service type. The filter should look like:
Service Name Service Type Destination
* FFFF ALL Interfaces
Exceptions: Create two exceptions as follows:
1) Enter on Exceptions and hit Insert. Arrow down to the Service Name field and hit Insert. Select the service that has the correct tree name with a Service Type of 026B (Time Synchronization) and hit Enter. (NOTE: If this selection is not available, temporarily disable outgoing and incoming SAP filters so the SAPs can populate the table.) Arrow back up to the Service Name field and hit Enter, then backspace (erase) all of the characters except the tree name. Add an asterisk to the end of the tree name, hit Enter, then Escape, and save the filter. The trailing asterisk makes the exception match the padded service name as it is actually advertised and covers every server in the tree.
2) The second exception is created the same way as the previous step, except select the service with Service Type 0278 (Directory Server). When finished, the Exceptions: Services Always Permitted screen should look like:
Service Name Service Type Destination Circuit
Tree-Name* 026B All Interfaces -
Tree-Name* 0278 All Interfaces -
Incoming SAP Filters:
Create the same filters and exceptions as defined in the Outgoing SAP Filters section.
Outgoing RIP and Incoming RIP Filters can be disabled. If they are enabled, create filters that block RIP on the desired interface. RIP filters will not affect NDS or time synchronization.
NetBIOS and Packet Forwarding Filters:
NetBIOS Broadcast Filters:
Action: Deny NetBIOS Packet on Listed Interfaces
Interfaces: Leave the List of Denied Interfaces empty
Packet Forwarding Filters:
Action: Deny Packets in Filter List
Filters: Enter on "List of Denied Packets" and create two filters (these are deny entries, not exceptions):
1) Source Interface: All Interfaces
Destination Interface: Enter on All Interfaces and select the interface on the Production side
Hit Escape and save this filter.
2) Source Interface: Enter on All Interfaces and select the interface on the Production side
Destination Interface: All Interfaces
Hit Escape and save this filter.
The Packets Denied screen should now look like:
Source Circuit Packet Type Destination
All Interfaces - ANY Production Interface
Production Interface - ANY All Interfaces
The final step is to create filter exceptions that allow each server to communicate with the servers on the other segment. This is accomplished by creating exceptions that allow all packet types through as long as they have the source address of a server. The source address of a server consists of its IPX internal network number and its node address. (Type CONFIG at the server's console; the second and third lines contain this information.) Note that these exceptions trust the source address alone: every packet type from a matching address is forwarded, and nothing in IPX prevents a station on the training segment from sending packets with a forged source address.
Steps to create each exception:
Enter on the Exceptions field in NetBIOS and Packet Forwarding Filters. Hit Insert and arrow down to the Source Address field. Select Node and hit Enter. Enter the IPX internal network number of a server in the Network Number field and change the Network Mask to FFFFFFFF. Change the Node Number to 000000000001 with a Node Mask of FFFFFFFFFFFF. (Hit F1 for help on using masks. A 1 bit in a mask must match and a 0 bit is a wildcard, so a single exception with a shorter network mask can cover several servers whose internal network numbers share a prefix, which saves some work here.) Hit Escape and save the filter.
When finished, the Exceptions: Packets Always Permitted screen should contain one entry for each server (or each masked network range) that was entered; each entry looks like:
Source Circuit Packet Type Destination Circuit
All Interfaces - Any All Interfaces -
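The following is an added example, not part of the original TID and not Novell code. It models how the filter set above is evaluated so the result can be checked before the filters are applied on a live server. Assumed FILTCFG semantics: an entry on an "always permitted" list wins over the deny list, anything not matched by a deny entry passes, a 1 bit in a mask must match and a 0 bit is a wildcard. The tree name CORP_TREE, the network numbers, the node addresses and the interface names are constructed sample values.

```python
# Added example (not Novell code): a model of the BorderManager IPX filter set
# described in this TID.  Assumed FILTCFG semantics: an exception match wins,
# then any deny match drops, otherwise the traffic passes; in masks a 1 bit
# must match and a 0 bit is a wildcard (so FFFFFFFF means exact match).
# Tree name, network numbers, node addresses and interface names are constructed.
from dataclasses import dataclass
from fnmatch import fnmatchcase

TREE = "CORP_TREE"                  # constructed tree name
SAP_ANY_TYPE = 0xFFFF               # FILTCFG: type FFFF matches every service type
SAP_TIME_SYNC = 0x026B
SAP_DIRECTORY = 0x0278
ALL = "All Interfaces"
PRODUCTION = "Production Interface"  # constructed interface names
TRAINING = "Training Interface"


@dataclass(frozen=True)
class SapRule:
    service_name: str               # FILTCFG wildcard pattern, e.g. "CORP_TREE*"
    service_type: int

    def matches(self, name: str, stype: int) -> bool:
        type_ok = self.service_type in (SAP_ANY_TYPE, stype)
        return type_ok and fnmatchcase(name, self.service_name)


# Outgoing (and identical incoming) SAP filter set from the TID.
SAP_DENIED = [SapRule("*", SAP_ANY_TYPE)]
SAP_EXCEPTIONS = [SapRule(TREE + "*", SAP_TIME_SYNC),
                  SapRule(TREE + "*", SAP_DIRECTORY)]


def sap_permitted(name: str, stype: int) -> bool:
    """Would this SAP advertisement cross the BorderManager server?"""
    if any(r.matches(name, stype) for r in SAP_EXCEPTIONS):
        return True
    return not any(r.matches(name, stype) for r in SAP_DENIED)


@dataclass(frozen=True)
class PacketRule:
    src_if: str = ALL
    dst_if: str = ALL
    src_network: int = 0            # 32-bit IPX network number
    src_network_mask: int = 0       # mask 0 = any network
    src_node: int = 0               # 48-bit node address
    src_node_mask: int = 0          # mask 0 = any node

    def matches(self, src_if: str, dst_if: str, network: int, node: int) -> bool:
        return (self.src_if in (ALL, src_if)
                and self.dst_if in (ALL, dst_if)
                and (network & self.src_network_mask) == (self.src_network & self.src_network_mask)
                and (node & self.src_node_mask) == (self.src_node & self.src_node_mask))


# Packet forwarding deny list: everything to or from the production interface.
PACKETS_DENIED = [PacketRule(src_if=ALL, dst_if=PRODUCTION),
                  PacketRule(src_if=PRODUCTION, dst_if=ALL)]


def server_exception(internal_net: int, net_mask: int = 0xFFFFFFFF) -> PacketRule:
    """Exception for a server's internal IPX network; the node is always 000000000001.
    A shorter net_mask (e.g. FFFFF000) covers several servers sharing a prefix."""
    return PacketRule(src_network=internal_net, src_network_mask=net_mask,
                      src_node=0x000000000001, src_node_mask=0xFFFFFFFFFFFF)


def packet_permitted(src_if: str, dst_if: str, network: int, node: int,
                     exceptions: list) -> bool:
    """Would a packet with this source address be forwarded between the interfaces?"""
    if any(r.matches(src_if, dst_if, network, node) for r in exceptions):
        return True
    return not any(r.matches(src_if, dst_if, network, node) for r in PACKETS_DENIED)


if __name__ == "__main__":
    # Constructed: two production servers (A001, A002) and one training server (B001).
    exceptions = [server_exception(0x0000A000, 0xFFFFF000), server_exception(0x0000B001)]
    print("time sync SAP from the tree:", sap_permitted(TREE + "________", SAP_TIME_SYNC))
    print("file server SAP (type 0004):", sap_permitted("FS1", 0x0004))
    print("training server -> production:",
          packet_permitted(TRAINING, PRODUCTION, 0x0000B001, 0x1, exceptions))
    print("training workstation -> production:",
          packet_permitted(TRAINING, PRODUCTION, 0x00000010, 0x00A0C9112233, exceptions))
    print("production server A002 -> training (via mask):",
          packet_permitted(PRODUCTION, TRAINING, 0x0000A002, 0x1, exceptions))
```

Running the block shows the intended result: SAPs of type 026B and 0278 carrying the tree name pass while every other SAP is dropped, and only packets sourced from a server's internal network number and node 000000000001 cross the production interface. It also makes the caveat concrete: the model, like the filter, decides purely on the source address, so a packet from any interface carrying a server's internal network and node address is forwarded whether or not it came from that server.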
If you enter on a filter, the Source IPX Address field should look something like: