P. 34
Filtering by UDP & TCP Port
To block access to all UDP and TCP ports except those we find acceptable, one would simply
craft another filter. The easiest way is to first reject all port requests, then
accept only the requests for what this server should be doing. Here is an example of how this might be
done for a web server that should ONLY be responding to port 80 requests on the production
interface:
set_max_channels 2
set_default_action reject
set_max_objects 5
set_max_miniaddrs 5
start_code
accept:
load 1 r0
stop
reject:
load 0 r0
stop
start_only_http:
test_ip4
jmp_if_not reject
test_tcp4 first_frag
jmp_if_not accept
load_ip4_dport r2
test_eq r2 80
jmp_if accept
load_ip4_sport r2
test_eq r2 80
jmp_if accept
jmp reject
stop
end_code
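The same allow-list policy written out as an added Python example, not the SolarSecure filter language and not code from the page or from Solarflare: it parses raw IPv4 and TCP headers from constructed sample packets and applies the default-reject, accept-port-80 rule, returning a verdict with the reason for each packet. The packet builders, the sample names and the decision to reject non-first fragments (they carry no TCP header, so there are no ports to match on) are choices of this example, not something the page specifies.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    accept: bool
    reason: str


TCP = 6
HTTP_PORT = 80


def parse_ipv4(pkt: bytes):
    """Return (proto, frag_offset, l4_payload) for an IPv4 packet, or None if it is not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes, options included
    if ihl < 20 or len(pkt) < ihl:
        return None
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    frag_offset = flags_frag & 0x1FFF   # 13-bit fragment offset, in 8-byte units
    proto = pkt[9]
    return proto, frag_offset, pkt[ihl:]


def http_only_filter(pkt: bytes) -> Verdict:
    """Default action is reject; accept only IPv4 TCP first fragments with port 80 on either side."""
    hdr = parse_ipv4(pkt)
    if hdr is None:
        return Verdict(False, "not IPv4")
    proto, frag_offset, l4 = hdr
    if proto != TCP:
        return Verdict(False, "not TCP")
    if frag_offset != 0:
        # Assumption of this example: a non-first fragment has no TCP header to inspect,
        # so it is rejected rather than passed through unclassified.
        return Verdict(False, "non-first fragment, no ports to inspect")
    if len(l4) < 4:
        return Verdict(False, "truncated TCP header")
    sport, dport = struct.unpack("!HH", l4[:4])
    if dport == HTTP_PORT or sport == HTTP_PORT:
        return Verdict(True, f"TCP {sport}->{dport}")
    return Verdict(False, f"TCP {sport}->{dport} is not port 80")


# --- constructed sample packets (built inline, not captured traffic) ---------

def build_ipv4(proto: int, payload: bytes, frag_offset: int = 0, more_frags: bool = False) -> bytes:
    """Minimal 20-byte IPv4 header (no options, checksum left at zero) followed by payload."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def build_tcp(sport: int, dport: int) -> bytes:
    """Minimal 20-byte TCP header: SYN flag set, no options, checksum left at zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


SAMPLES = {
    "client -> web:80":       build_ipv4(TCP, build_tcp(40000, 80)),
    "web:80 -> client":       build_ipv4(TCP, build_tcp(80, 40000)),
    "client -> ssh:22":       build_ipv4(TCP, build_tcp(40000, 22)),
    "udp -> dns:53":          build_ipv4(17, struct.pack("!HHHH", 40000, 53, 8, 0)),
    "tcp non-first fragment": build_ipv4(TCP, b"\x00" * 8, frag_offset=185),
    "ipv6 packet":            b"\x60" + b"\x00" * 39,
}


def evaluate(samples=SAMPLES) -> dict:
    """Run the filter over every sample and return {name: Verdict}."""
    return {name: http_only_filter(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{'ACCEPT' if verdict.accept else 'REJECT':6}  {name:24}  {verdict.reason}")
```

Accepting source port 80 as well as destination port 80 is what lets the web server's own replies leave the interface; everything else, including UDP, non-IPv4 and any TCP port other than 80, falls through to the default reject, which is the order of operations the filter above relies on.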
Creating a Multi-stage Filter Pipeline
In many cloud environments, data center managers need to separate and isolate traffic at each
virtualized server. They need more flexibility than is allowed by the dedicated firewalls at the
periphery of the network, the access control lists available on the network switches, or other
expensive dedicated security appliances. Solarflare currently has customers using the
SolarSecure™ Filter Engine in VMware environments. The above examples work just as well in
VMware ESXi multi-tenant cloud environments that need to separate and isolate traffic by
service type and customer. Customers can now implement these security functions natively in
the host and make security decisions lower in the stack, offloading the host for greater
performance, efficiency and enhanced security. Recently a large cloud provider using 10GbE
Cyber Warnings Magazine - September Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide