Filter Exception: NDS and Time Synchronization (Formerly TID # 2941551)

  • 10064403
  • NOVL56599
  • 23-Aug-2001
  • 22-Aug-2002


Filter Exception: NDS and Time Synchronization  (Formerly TID # 2941551)


Novell BorderManager 3.6

Novell BorderManager 3.5


Scenario: Two LAN segments separated by a BorderManager Server. One LAN segment (PRIVATE) is the production environment. The other segment (Training) is connected to a Training Room. Both segments have 4.11 servers and all servers are in the same tree. The Administrator wished to filter all IPX traffic between the two segment except for NDS and Time synchronization.


Solution: Load FILTCFG and create the following filters and exceptions in "Configure IPX Filters"

Outgoing SAP Filters:
        Status:        Enabled
        Action:        Deny Services in Filter List
        Filters:        List of Denied Services, then hit "Enter." Hit "Insert", type an asterisk in the Service Name field and hit Enter again. Then hit escape and save the filter. The filter should look like:

        Service Name Service Type Destination
        * FFFF ALL Interfaces

Exceptions: Create two exceptions as follows:
        1) Enter on exceptions and hit the "Insert" button. Arrow down to the Service Name field and hit Insert. Select the service that has the correct tree name with a Service Type for 026B Time Synchronization and hit Enter. (NOTE: If this selection is not available, temporarily disable outgoing and incoming  SAP filters so the SAPs can populate the table.) Arrow back up to the Service Name field and hit Enter, then backspace (erase ) all of the characters except the tree name. Add an asterisk to the end of the tree   name, hit Enter, then Escape, and save the filter.

        2) The second filter exception will be created them same way as the previous step, except select the service 0278 Directory Server. When finished, the Exceptions: Services Always Permitted screen should look like:

                Service Name Service Type Destination Circuit
                Tree-Name* 026B All Interfaces -
                Tree-Name* 0278 All Interfaces -

Incoming SAP Filters:
        Create the same filters and exceptions as defined in the Outgoing SAP                 Filters section.

        Outgoing RIP and Incoming RIP Filters can be Disabled. If enabled, create                 filters that block RIP on the desired interface. RIP filters will not effect NDS /         TIME synchronization.

NetBIOS and Packet Forwarding Filters:
        Status: Enabled
        NetBIOS Broadcast Filters:
        Action: Deny NetBIOS Packet on Listed Interfaces
        interfaces: Leave List of Denied Interfaces empty

Packet Forwarding Filters:
        Action: Deny Packets in Filter List
        Filters: Enter on "List of Denied Packets" and create two exceptions:

        1) Source Interface: All Interfaces
        Destination Interface: Enter on All Interfaces and select the interface on the         Production side
           Hit escape and save this filter.

       2) Source Interface: Enter on All Interfaces and select the interface on the                 Production side
           Hit escape and save this filter.

        The Packets Denied screen should now look like:

        Source Circuit Packet Type Destination
        All Interfaces - ANY Production Interface
        Production Interface - ANY All Interfaces

        The final step is to create filter exceptions that allow each server to                 communicate with other servers. This is accomplished by creating filter                 exceptions that allow all packet types through as long as they have a source         address of a server. The source address of a server will consist of the IPX                 Internal network number and the Node address. (Type CONFIG at the                 server's console. The second and third line contain this information.)

Steps to create each exception:
        Enter on the Exceptions field in NetBIOS and Packet Forwarding Filters. Hit         insert and arrow down to the Source Address Field. Select Node and hit                 Enter. Enter the IPX Internal Network Number for a server in the Network                 Number field. Change the Network Mask to FFFFFFFF. Change the Node                 Number to 000000000001 (with a Node Mask of FFFFFFFFFFFF. Note: Hit         the F1 key for Help on how to use Masks. The use of an appropriate mask         could save some work here. Hit escape and save the filter.

        When finished, the Exceptions: Packets Always Permitted screen should                 contain a filter exception for each server / network exception that was                 created that looks like:

                Source Circuit Packet Type Destination Circuit
                All Interfaces - Any All Interfaces -

        If you enter on a filter, the Source IPX Address field should look something         like: