User manual

Chapter 4 - Layer 3 Command Set - IP Networking Ipfw Command (IP Firewall)
Alvarion BreezeNET B130/B300 GigE 180 Operational User Manual
The filter is applied to all fragments of a packet except the first one: the
Offset field has a non-zero value. The value of the More Fragments field does not matter.
ip_option
The filter is applied to IP packets that have any IP options set (excluding the
NO-OP option).
ip_recroute_option
The filter is applied only to IP packets that have either the record-route or the
timestamp IP option set, without any other options. These options can be set by
violators to build a map of your network. No other threat is possible here.
ip_misc_option
This filter is applied only to packets that have one or more IP options other than
record-route, timestamp or NO-OP. Many IP options of the MISC group are used
by violators to bypass filters in order to enter the network.
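The option and fragment tests described above, written out as a classifier over a raw IPv4 header. This is an added example, not code from the device or from this manual; the function names, the constructed sample headers, and the treatment of End-of-Option-List as a terminator that is not counted as an option are assumptions.

```python
import struct

EOL, NOP, RECORD_ROUTE, TIMESTAMP = 0, 1, 7, 68  # option type bytes, RFC 791

def build_header(options=b"", frag_field=0):
    """Constructed sample IPv4 header (checksum left at zero, test addresses)."""
    options += b"\x00" * (-len(options) % 4)  # pad to a 32-bit boundary with EOL
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0,
                       frag_field, 64, 1, 0, bytes([192, 0, 2, 1]),
                       bytes([192, 0, 2, 2])) + options

def ip_option_types(header):
    """Return the option type bytes found in a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(header):
        raise ValueError("bad or truncated header length")
    opts, i, found = header[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:  # assumption: EOL ends the list and is not counted
            break
        if kind == NOP:  # single-byte option, no length field
            found.append(kind)
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        found.append(kind)
        i += opts[i + 1]
    return found

def option_modifiers(header):
    """Names of the option modifiers whose description the header satisfies."""
    real = [k for k in ip_option_types(header) if k != NOP]
    if not real:
        return set()
    if all(k in (RECORD_ROUTE, TIMESTAMP) for k in real):
        return {"ip_option", "ip_recroute_option"}
    return {"ip_option", "ip_misc_option"}

def is_non_first_fragment(header):
    """True when the 13-bit fragment offset is non-zero; MF (0x2000) is ignored."""
    return (struct.unpack("!H", header[6:8])[0] & 0x1FFF) != 0

RR = b"\x07\x07\x04" + bytes(4)    # constructed record-route option
LSRR = b"\x83\x07\x04" + bytes(4)  # constructed loose-source-route option
```

A header carrying both RR and LSRR falls into the MISC group only, because record-route is then accompanied by another option.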
There are several additional rules for the modifiers field:
1 The tcp_connection value can be used only when the proto field has the value tcp.
2 If more than one option among ip_fragment, ip_head_fragment or
ip_tail_fragment is used, then the later ones cancel the action of the earlier
ones.
3 If more than one option among ip_option, ip_recroute_option or
ip_misc_option is used, then the later ones cancel the action of the earlier
ones. The packet must fulfill all options set, otherwise it will go through the
filter.
The -f parameter allows "pcap" filter expressions to be used.
Example:
ipfw add reject -f "icmp and host (1.1.1.1 or 1.1.1.5)"
4.9.4 Examples of Packets Filtering
The following examples show how to use the ipfw command in different
cases.
Simple examples: