User's guide

port-range = “port” port-num “<>” | “><” port-num
ip-addr = IP address in format nnn.nnn.nnn.nnn
decnum = a decimal number
hexnum = a hexadecimal number
compare = “=” | “!=” | “<” | “<=” | “>” | “>=”
port-num = service-name | decnum
service-name = “http” | “telnet” | “ftpdat” | “ftpcnt” | “pop3” | “ike” | “xot” | “sntp” | “smtp”
In the above syntax definition:
• items in quotes are keywords
• items in square brackets are optional
• items in curly braces are optional and can be repeated
• the vertical bar symbol (“|”) means “or”
An ip-object therefore consists of an IP address and an IP port specification, preceded by the keyword from or to to define whether it is the source or destination address. The most basic form for an ip-object is simply an IP address preceded by from or to. For example, to block all packets destined for address 10.1.2.98 the script rule would be:
block out from any to 10.1.2.98
An ip-object can also be specified using an address mask. This is a way of describing which
bits of the IP address are relevant when matching. The script processor supports two
formats for specifying masks.
Method 1: The IP address is followed by a forward slash and a decimal number. The decimal
number specifies the number of significant bits in the IP address. For example, if you
wanted to block all packets in the range 10.1.2.* the rule would be:
block from any to 10.1.2.0/24
i.e. only the first 24 bits of the address are significant.
Method 2: This same rule could be described another way using the mask keyword:
block from any to 10.1.2.0 mask 255.255.255.0
The IP address can also be given as either “addr-ppp n” or “addr-eth n”, where “n” is the ppp or eth instance number. In this case the rule specifies that the IP address is the one allocated to that PPP interface or Ethernet interface. This is useful where IP addresses are obtained automatically and are therefore not known to the author of the filtering rules. For example:
block in break end on ppp 0 from addr-eth 0 to any
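The three ip-object forms described above (a prefix length, the mask keyword, and addr-eth/addr-ppp resolved from the interface's current address) parsed and matched against packet addresses, as an added Python example written for this page. It is not the router's own script processor: the rule grammar it accepts is limited to the from/to part shown here, and the interface address table is constructed.

```python
import ipaddress
import re

# Constructed table of addresses the router would have obtained dynamically
# (hypothetical values; stands in for the real addr-eth / addr-ppp lookup).
IFACE_ADDRS = {"eth 0": "192.168.1.1", "ppp 0": "10.50.0.7"}


def parse_ip_object(text, iface_addrs=IFACE_ADDRS):
    """Parse one ip-object ('any', '10.1.2.98', '10.1.2.0/24',
    '10.1.2.0 mask 255.255.255.0', 'addr-eth 0') into an IPv4Network."""
    text = text.strip()
    if text == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    m = re.fullmatch(r"addr-(eth|ppp)\s+(\d+)", text)
    if m:
        # Interface form: match exactly the address allocated to the interface.
        addr = iface_addrs[f"{m.group(1)} {m.group(2)}"]
        return ipaddress.ip_network(f"{addr}/32")
    m = re.fullmatch(r"(\S+)\s+mask\s+(\S+)", text)
    if m:
        # Method 2: dotted-decimal mask; strict=False tolerates set host bits.
        return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    # Method 1 (prefix length) or a plain host address (implicit /32).
    return ipaddress.ip_network(text, strict=False)


# Action word, any intervening options, then the from/to ip-objects.
RULE_RE = re.compile(r"^(\S+)\b.*?\bfrom\s+(.+?)\s+to\s+(.+?)$")


def parse_rule(line, iface_addrs=IFACE_ADDRS):
    """Return (action, source network, destination network) for one rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {line!r}")
    action, src, dst = m.groups()
    return action, parse_ip_object(src, iface_addrs), parse_ip_object(dst, iface_addrs)


def rule_matches(rule, src_ip, dst_ip):
    """True if a packet with these source/destination addresses hits the rule."""
    _, src_net, dst_net = rule
    return (ipaddress.ip_address(src_ip) in src_net
            and ipaddress.ip_address(dst_ip) in dst_net)
```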