User's guide
473
ICMP type value   ICMP type
15                routersol
The optional [icmp-code] field can also be a decimal number representing the ICMP code of the return ICMP packet, but if the [icmp-type] is [unreach] then the code can also be one of the following pre-defined text codes:
ICMP code   Meaning
net-unr     Network unreachable
host-unr    Host unreachable
proto-unr   Protocol unrecognised
port-unr    Port unreachable
needfrag    Needs fragmentation
srcfail     Source route fail
For example:
block return-icmp unreach in break end on ppp 0
This rule would cause the unit to return an ICMP Unreachable packet in response to all
packets received on PPP 0.
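As an added illustration, not taken from the guide or from the unit's own firmware, the following builds the ICMP Destination Unreachable message that a `return-icmp unreach <code>` rule sends back. It assumes the reply follows RFC 792 (type 3, four unused bytes, then the offending IP header plus eight bytes of payload) and maps the guide's text codes to the numeric RFC 792 codes, which the guide itself does not list; the sample packet is constructed for the example.

```python
import struct

# The guide's [unreach] text codes, mapped to the numeric ICMP Destination
# Unreachable codes of RFC 792 (assumption: the guide lists only the names).
UNREACH_CODES = {
    "net-unr": 0, "host-unr": 1, "proto-unr": 2,
    "port-unr": 3, "needfrag": 4, "srcfail": 5,
}
ICMP_DEST_UNREACH = 3  # ICMP type value for [unreach]


def resolve_unreach_code(code) -> int:
    """Accept a decimal number (int or digit string) or a text code."""
    if isinstance(code, str) and code in UNREACH_CODES:
        return UNREACH_CODES[code]
    value = int(code)  # raises ValueError for an unknown text code
    if not 0 <= value <= 255:
        raise ValueError("ICMP code must fit in one byte")
    return value


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_unreach(code, offending_packet: bytes) -> bytes:
    """Build the ICMP message a 'return-icmp unreach <code>' rule sends back:
    type 3, the resolved code, checksum, 4 unused bytes, then the offending
    packet's IP header plus the first 8 bytes of its payload (RFC 792)."""
    ihl = (offending_packet[0] & 0x0F) * 4
    quoted = offending_packet[: ihl + 8]
    icmp_code = resolve_unreach_code(code)
    header = struct.pack("!BBHI", ICMP_DEST_UNREACH, icmp_code, 0, 0)
    csum = icmp_checksum(header + quoted)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, icmp_code, csum, 0) + quoted


# Constructed sample: a 20-byte IPv4 header (UDP, 10.1.2.3 -> 10.1.2.4)
# followed by an 8-byte UDP header to port 53; values are made up.
SAMPLE_PACKET = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                            bytes([10, 1, 2, 3]), bytes([10, 1, 2, 4]))
SAMPLE_PACKET += struct.pack("!HHHH", 40000, 53, 8, 0)

if __name__ == "__main__":
    reply = build_unreach("port-unr", SAMPLE_PACKET)
    print(reply.hex(), "checksum ok:", icmp_checksum(reply) == 0)
```

Running the checksum over the finished message yields 0 when it is correct, which is the same check a receiver performs.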
Instead of using the return-icmp option to return an ICMP packet, return-rst can be used to return a TCP reset packet instead. This is only applicable to TCP packets. For example:
block return-rst in break end on eth 0 proto tcp from any to 10.1.2.0/24
This would return a TCP reset packet when the firewall receives a TCP packet on the
Ethernet interface 0 with destination address 10.1.2.*.
pass
The pass action allows packets that match the rule to pass through the firewall.
pass-ifup
The pass-ifup action allows outbound packets that match the rule to pass through the firewall, but only if the link is already active.
debug
The debug action causes the unit to tag any packets matching the rule for debug. This means that for every matching rule that is encountered from this point in the script onwards, an entry will be placed in the pseudo-file FWLOG.TXT.
dscp
The dscp action causes any packets matching this rule to have their DSCP value adjusted according to this rule. The DSCP value of a packet indicates the type of service required and is used in conjunction with QoS (Quality of Service) functions. A decimal or hex number must follow the dscp keyword to indicate the value that should be set.
vdscp