User's guide

471
FIREWALL SCRIPTS
Introduction
A “firewall” is a protection system designed to prevent access to your local area network by
unauthorised “external” parties, i.e. other users of the internet or another wide area
network. It may also limit the degree of access local users have to external network
resources. A firewall does not provide a complete security solution; it provides only one
element of a fully secure system. Consideration should also be given to the use of user
authentication and data encryption. Refer to the IPSec section for further information.
In simple terms, a firewall is a packet filtering system that allows or prevents the
transmission of data (in either direction) based on a set of rules. These rules can allow
filtering based on the following criteria:
• source and destination IP addresses
• source and destination IP port or port ranges
• type of protocol in use
• direction of the data (in or out)
• interface type
• the eroute the packet is on
• if an interface is OOS (out of service)
• ICMP message type
• TCP flags (SYN, ACK, URG, RESET, PUSH, FIN)
• TOS field
• the state of a link and/or of the data packets exchanged over the UDP, TCP and ICMP protocols
In addition to providing comprehensive filtering facilities, Digi routers also allow you to
specify rules relating to the logging of information for audit/debugging purposes. This
information can be logged to a pseudo-file on the unit called FWLOG.TXT, to the
EVENTLOG.TXT pseudo-file or to a syslog server. It can also be used to generate SNMP
traps.
Firewall Script Syntax
A firewall must be individually configured to match the needs of authorised users and their
applications. On Digi routers the rules governing firewall behaviour are defined in a script
file called FW.TXT. Each line in this file consists of a label definition, a comment or a filter
rule.
Labels
A label definition is a string of up to 12 characters followed by a colon. Labels can only
include letters, digits and the underscore character and are used in conjunction with the
break option to cause the processing of the script to jump to a new location.
Comments
Any line starting with the hash character (“#”) is deemed to be a comment and ignored.
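The label and comment rules above, as an added example that is not from the guide: a small Python checker that classifies each line of an FW.TXT script as a comment, a label or a filter rule and reports labels that break the 12-character/letters-digits-underscore constraint or are defined twice. Assumptions: a label line carries nothing but the label, and the rule lines in the constructed sample are placeholders, since this part of the guide does not describe the rule syntax.

```python
import re

# Label syntax per the guide: up to 12 characters, letters/digits/underscore, then a colon.
LABEL_RE = re.compile(r"^([A-Za-z0-9_]{1,12}):\s*$")
# Assumption: a single token ending in a colon that fails LABEL_RE is a malformed label.
LABEL_LIKE_RE = re.compile(r"^\S+:\s*$")


def classify_line(line):
    """Return (kind, value): kind is 'blank', 'comment', 'label', 'bad_label' or 'rule'."""
    stripped = line.strip()
    if not stripped:
        return ("blank", "")
    if stripped.startswith("#"):          # '#' lines are comments and are ignored
        return ("comment", stripped[1:].strip())
    m = LABEL_RE.match(stripped)
    if m:
        return ("label", m.group(1))
    if LABEL_LIKE_RE.match(stripped):     # too long or contains disallowed characters
        return ("bad_label", stripped.rstrip()[:-1])
    return ("rule", stripped)             # anything else is treated as a filter rule


def parse_script(text):
    """Parse an FW.TXT script into labels (name -> line no.), rules and error messages."""
    labels, rules, errors = {}, [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        kind, value = classify_line(line)
        if kind == "label":
            if value in labels:
                errors.append(f"line {lineno}: duplicate label '{value}' "
                              f"(first defined on line {labels[value]})")
            else:
                labels[value] = lineno
        elif kind == "bad_label":
            errors.append(f"line {lineno}: invalid label '{value}' "
                          f"(max 12 chars; letters, digits and underscore only)")
        elif kind == "rule":
            rules.append((lineno, value))
    return {"labels": labels, "rules": rules, "errors": errors}


# Constructed sample script; the rule lines are placeholders, not real Digi rule syntax.
SAMPLE_FW_TXT = """# constructed example firewall script
web_rules:
filter rule placeholder 1
filter rule placeholder 2
this_label_is_too_long:
bad-chars:
web_rules:
# end of script
"""
```

Running `parse_script(SAMPLE_FW_TXT)` on the sample reports three errors (an over-long label, a label with a hyphen, and a duplicate) while keeping the two placeholder rules.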