Setup guide

| integer; default: any) - specifies a match to the value of Type of Service (ToS) field of IP header:
any - match any packet (i.e., do not check this property)
Notes
Keep in mind that the protocol must be explicitly specified if you want to select a port.
Example
For instance, we want to reject packets with dst-port=8080:
[admin@Wandy] ip firewall rule input> add dst-port=8080 protocol=tcp action=reject
[admin@Wandy] ip firewall rule input> print
Flags: X - disabled, I - invalid
0 src-address=0.0.0.0/0:0-65535 in-interface=all
dst-address=0.0.0.0/0:8080 out-interface=all protocol=tcp
icmp-options=any:any tcp-options=any connection-state=any flow=""
connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0
limit-burst=0 limit-time=0s action=reject log=no
[admin@Wandy] ip firewall rule input>
Firewall Chains
ip firewall
Description
The firewall filtering rules are grouped together in chains. This allows packets to be matched against
one common criterion in one chain, and then passed on to another chain for processing against some
other common criteria. Let us assume that, for example, packets must be matched against
the IP addresses and ports. Then matching against the IP addresses can be done in one chain
without specifying the protocol ports. Matching against the protocol ports can be done in a separate
chain without specifying the IP addresses.
There are three predefined chains, which cannot be deleted:
• The chain input is used to process packets entering the router through one of the interfaces
and destined for the router itself. Packets passing through the router are not processed against
the rules of the input chain.
• The chain forward is used to process packets passing through the router.
• The chain output is used to process packets originated from the router and leaving it through
one of the interfaces. Packets passing through the router are not processed against the rules of
the output chain.
When processing a chain, rules are taken from the chain in the order they are listed there from top to
bottom. If a packet matches the criteria of the rule, then the specified action is performed on it, and
no more rules are processed in that chain. If the packet has not matched any rule within the chain,
then the default policy action of the chain is performed.
Available default policy actions include:
accept - accept the packet
drop - silently drop the packet (without sending the ICMP reject message)
none - not applicable
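The evaluation order described above, modeled in Python as an added example (not RouterOS code and not part of the original manual). It shows how a broader rule listed first shadows the dst-port=8080 reject rule from the earlier example, and how to flag such unreachable rules. The rule dictionaries, function names, addresses and sample packet are constructed for illustration.

```python
import ipaddress

def rule(action, src="0.0.0.0/0", protocol=None, dst_port=None):
    # Per the note above: a port can only be selected with an explicit protocol.
    if dst_port is not None and protocol is None:
        raise ValueError("dst-port requires an explicit protocol")
    return {"action": action, "src": ipaddress.ip_network(src),
            "protocol": protocol, "dst_port": dst_port}  # None means "any"

def pick_chain(pkt, router_addrs):
    """input: addressed to the router; output: originated by it; else forward."""
    if pkt["dst"] in router_addrs:
        return "input"
    return "output" if pkt["src"] in router_addrs else "forward"

def matches(r, pkt):
    return (ipaddress.ip_address(pkt["src"]) in r["src"]
            and r["protocol"] in (None, pkt["protocol"])
            and r["dst_port"] in (None, pkt.get("dst_port")))

def evaluate(chain, policy, pkt):
    """Walk rules top to bottom; first match decides, else the default policy."""
    for index, r in enumerate(chain):
        if matches(r, pkt):
            return r["action"], index
    return policy, None

def covers(a, b):
    """True if rule a matches every packet that rule b matches."""
    return (b["src"].subnet_of(a["src"])
            and a["protocol"] in (None, b["protocol"])
            and a["dst_port"] in (None, b["dst_port"]))

def shadowed(chain):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j, b in enumerate(chain) if any(covers(a, b) for a in chain[:j])]

# Constructed sample data (not from the manual).
ROUTER = {"10.0.0.1"}
REJECT_8080 = rule("reject", protocol="tcp", dst_port=8080)
ACCEPT_TCP = rule("accept", protocol="tcp")
PKT = {"src": "10.0.0.5", "dst": "10.0.0.1", "protocol": "tcp", "dst_port": 8080}

if __name__ == "__main__":
    print(pick_chain(PKT, ROUTER))
    for chain in ([ACCEPT_TCP, REJECT_8080], [REJECT_8080, ACCEPT_TCP]):
        print(evaluate(chain, "drop", PKT), "shadowed:", shadowed(chain))
```

With the accept rule listed first, the port 8080 packet is accepted and the reject rule is reported as shadowed; reversing the order makes the reject rule effective.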
Usually packets should be matched against several criteria. More general filtering rules can be
grouped together in a separate chain. To process the rules of additional chains, the jump action