User's guide
Identifier        Meaning
ftp               FTP packets regardless of port number
icmp              ICMP packet
decimal number    decimal number matched to protocol type in IP header
The [proto] field is also important when “stateful” inspection is enabled for a rule (using the
[inspect-state] field), as it describes the protocol to inspect (see [inspect-state] below).
[dnslist]
The [dnslist] field is used to match packets that contain DNS names that are in a given
dnslist. The dnslist keyword must be followed by the name of a dnslist as defined by the #dns
command. For example, say we have the following dnslist:
#dns gglist www.Digi.co.*,www.*.co.nz
Then the following firewall rule will block all DNS lookups for names matching the above
list:
block out break end on ppp 1 proto udp dnslist gglist from any to any port=dns
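To make concrete what the rule above actually matches, here is an added Python example (not code from the router or from this user's guide) that parses the #dns line and the rule, then evaluates constructed sample DNS queries against them. It implements only the syntax this page shows: the proto and dnslist keywords and an ip-range of the form from addr to addr [port=port]. The following are assumptions, not statements from the page: a * in a dnslist entry matches any run of characters including dots (shell-style), name matching ignores case (DNS names are case-insensitive), the symbolic port name dns expands to 53, and the direction/interface tokens (out, break end, on ppp 1) are accepted but not evaluated.

```python
"""Evaluate a dnslist firewall rule against sample DNS queries (added example)."""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

SERVICE_PORTS = {"dns": 53}  # assumed expansion of the symbolic port name


def parse_dns_list(line: str):
    """'#dns gglist a,b' -> ('gglist', ['a', 'b']); patterns are lower-cased."""
    parts = line.split(None, 2)
    if len(parts) != 3 or parts[0] != "#dns":
        raise ValueError("not a #dns line: %r" % line)
    return parts[1], [p.strip().lower() for p in parts[2].split(",") if p.strip()]


def name_in_list(qname: str, patterns: List[str]) -> bool:
    """Case-insensitive shell-style wildcard match; a trailing dot is ignored."""
    name = qname.rstrip(".").lower()
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def parse_addr(tok: str) -> Optional[Any]:
    """'any' -> None (matches everything); otherwise an IP network such as 10.0.0.0/8."""
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_port(tok: str) -> int:
    """Port given as a number or as a known service name such as 'dns'."""
    return int(tok) if tok.isdigit() else SERVICE_PORTS[tok.lower()]


@dataclass
class Rule:
    action: str
    proto: Optional[str]
    dnslist: Optional[str]
    src: Optional[Any]       # None means 'any'
    dst: Optional[Any]
    dst_port: Optional[int]  # None means no port comparison


def parse_rule(text: str) -> Rule:
    """Keyword-driven parse of the rule subset used on this page ('all' or from/to[/port=])."""
    toks = text.split()

    def after(key: str) -> Optional[str]:
        return toks[toks.index(key) + 1] if key in toks else None

    if "all" in toks:
        return Rule(toks[0], after("proto"), after("dnslist"), None, None, None)
    src_tok, dst_tok = after("from"), after("to")
    if src_tok is None or dst_tok is None:
        raise ValueError("rule needs 'all' or 'from <addr> to <addr>'")
    dst_port = None
    nxt = toks.index("to") + 2
    if nxt < len(toks) and toks[nxt].startswith("port="):
        dst_port = parse_port(toks[nxt][len("port="):])
    return Rule(toks[0], after("proto"), after("dnslist"),
                parse_addr(src_tok), parse_addr(dst_tok), dst_port)


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: int
    qname: Optional[str] = None  # DNS name carried in the payload, if any


def rule_matches(rule: Rule, pkt: Packet, dns_lists: Dict[str, List[str]]) -> bool:
    """True if every field the rule specifies agrees with the packet."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.dnslist is not None:
        # a dnslist rule can only match a packet that actually carries a DNS name
        return pkt.qname is not None and name_in_list(pkt.qname, dns_lists[rule.dnslist])
    return True


DNS_LINE = "#dns gglist www.Digi.co.*,www.*.co.nz"  # the list from the page
RULE_LINE = "block out break end on ppp 1 proto udp dnslist gglist from any to any port=dns"

# Constructed sample queries (not captured traffic).
SAMPLE_QUERIES = [
    Packet("udp", "192.168.1.10", "8.8.8.8", 53, "www.digi.co.uk"),     # blocked
    Packet("udp", "192.168.1.10", "8.8.8.8", 53, "WWW.Example.CO.NZ"),  # blocked (case)
    Packet("udp", "192.168.1.10", "8.8.8.8", 53, "mail.digi.co.uk"),    # passes: not listed
    Packet("tcp", "192.168.1.10", "8.8.8.8", 53, "www.digi.co.uk"),     # passes: proto tcp
    Packet("udp", "192.168.1.10", "8.8.8.8", 5353, "www.digi.co.uk"),   # passes: port 5353
]


def evaluate(rule_line: str = RULE_LINE, dns_line: str = DNS_LINE,
             packets: List[Packet] = SAMPLE_QUERIES) -> List[bool]:
    """True where the rule matches, i.e. where action 'block' would drop the query."""
    name, patterns = parse_dns_list(dns_line)
    rule = parse_rule(rule_line)
    return [rule_matches(rule, p, {name: patterns}) for p in packets]


if __name__ == "__main__":
    for pkt, hit in zip(SAMPLE_QUERIES, evaluate()):
        print(f"{pkt.qname:20} {pkt.proto}/{pkt.dst_port:<5} {'BLOCKED' if hit else 'passed'}")
```

Note the two non-matches in the sample set: the rule carries proto udp and port=dns, so a lookup of a listed name over TCP or to a non-53 port is not caught by this rule, which is worth remembering when a dnslist rule is meant to be a hard block.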
[ip-range]
The [ip-range] field is used to describe the range of IP addresses and ports to match upon
and may be specified in one of several ways. The basic syntax is:
ip-range = “all” | “from” ip-object “to” ip-object [flags] [icmp]
where ip-object is an IP address specification. Full details of the syntax with examples are
given under the heading “Specifying IP Addresses and Ranges” below.
[inspect-state]
The [inspect-state] field is used to create rules for “stateful inspection”. This is a powerful
option in which the firewall script includes rules that allow the unit to keep track of a
TCP/UDP or ICMP session and therefore to only pass packets that match the state of a
connection.
Additionally, the [inspect-state] field can specify an optional OOS (Out Of Service)
parameter. This parameter allows the unit to mark any route as being out-of-service for a
given period of time in the event that the stateful inspection engine has detected an error.
A full description of how the [inspect-state] field works is given below under the heading
“Stateful Inspection”.
Specifying IP Addresses and Ranges
The ip-range field of a firewall script rule identifies the IP address or range of addresses to
which the rule applies. The syntax for specifying an IP address range is:
ip-range = “all” | “from” ip-object “to” ip-object [ flags ] [ icmp ]
where:
ip-object = addr [port-comp | port-range]
flags = “flags” { flags } [ !{ flags } ]
icmp = “icmp-type” icmp-type [ “code” decnum ]
addr = “any” | ip-addr[ “/”decnum ] [ “mask” ip-addr | “mask” hexnum ]
port-comp = “port” compare port-num