User's guide

472
Filter Rules
The syntax for a filter rule is:
[action] [in-out] [options] [tos] [proto] [dnslist] [ip-range] [inspect-state]
When the firewall is active, the script is processed one line at a time as each packet is
received or transmitted. Even when a packet matches a filter rule, processing still continues
and all the other filter rules are checked until the end of the script is reached. The action
taken with respect to a particular packet is the one specified by the last matching rule. With the
break option, however, script processing can be redirected to a new location, or to the end
of the script if required. The default action that the firewall assigns to a packet is block:
if the packet does not match any of the rules, it will be blocked.
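The evaluation model just described (every rule is checked, the last matching rule decides, the default is block, and a matching rule with the break option stops the scan) is easy to get wrong when reading a script with first-match habits. The simulator below is an added illustration, not code from the user's guide or the firewall itself; the Rule and Packet fields, the subset of actions, and the sample script are assumptions chosen for the demonstration.

```python
# Added example (not from the user's guide): a small simulator of the
# evaluation model described above. Every rule is checked, the LAST
# matching rule decides, the default is block, and a matching rule with
# `break` stops the scan (jump to end of script). Rule fields, packet
# fields and the action subset are assumptions for this illustration,
# not the firewall's real syntax.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    action: str                    # "block" or "pass" (assumed subset of actions)
    direction: str = "in"          # "in" or "out"
    proto: Optional[str] = None    # None matches any protocol
    src: Optional[str] = None      # CIDR; None matches any source
    dport: Optional[int] = None    # None matches any destination port
    brk: bool = False              # `break`: stop scanning once this rule matches


@dataclass
class Packet:
    direction: str
    proto: str
    src: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every field the rule specifies agrees with the packet."""
    if rule.direction != pkt.direction:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return the action applied to pkt under last-match semantics."""
    decision = "block"          # default action when nothing matches
    for rule in rules:
        if matches(rule, pkt):
            decision = rule.action
            if rule.brk:
                break           # jump to end of script; later rules are not consulted
    return decision


# Constructed sample script: allow inbound TCP/22 from the admin subnet,
# then block everything from one host in that subnet. Because the last
# matching rule wins, the later block overrides the earlier pass for that host.
SCRIPT = [
    Rule("pass", "in", "tcp", "10.0.0.0/24", 22),
    Rule("block", "in", None, "10.0.0.99/32", None),
]

# Same script, but the pass rule carries `break`: once it matches, scanning
# stops, so the block rule for 10.0.0.99 is never reached.
SCRIPT_WITH_BREAK = [
    Rule("pass", "in", "tcp", "10.0.0.0/24", 22, brk=True),
    Rule("block", "in", None, "10.0.0.99/32", None),
]

if __name__ == "__main__":
    for pkt in (Packet("in", "tcp", "10.0.0.5", 22),
                Packet("in", "tcp", "10.0.0.99", 22),
                Packet("in", "tcp", "192.168.1.1", 22)):
        print(pkt.src, "->", evaluate(SCRIPT, pkt), "/ with break:",
              evaluate(SCRIPT_WITH_BREAK, pkt))
```

Running it shows that 10.0.0.5 passes, 10.0.0.99 is blocked by the later rule, and a host outside the subnet falls through to the default block; with the break variant 10.0.0.99 passes, which is the behaviour to keep in mind when a break is placed before a more specific block rule.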
The various fields of a script rule are described below:
[action]
The [action] field may be specified as block, pass, pass-ifup, dscp, vdscp or debug. These
operate as follows:
block
The block action prevents a packet from being allowed through the firewall. When block is
specified, an optional field can be included that will cause an ICMP packet to be returned to
the interface from which that packet was received. This technique is sometimes used to
confuse hackers by having different responses to different packets, or for fooling an attacker
into thinking a service is not present on a network.
The syntax for specifying the return of an ICMP packet is:
"return-icmp" [icmp-type [icmp-code]]
where [icmp-type] is a decimal number representing the ICMP type, or one of the
predefined text codes listed in the following table:
ICMP type value    ICMP type
1                  Unreach
2                  Echo
3                  Echorep
4                  squench
5                  redir
6                  timex
7                  paraprob
8                  timest
9                  timestrap
10                 inforeq
11                 inforep
12                 maskreg
13                 maskrep
14                 routerad