User's guide

Address/Port Translation
One further option that may be used when specifying addresses is to use address
translation. The syntax for this is:
srcdst = “all” | fromto [“->” [ip-object] “to” object]
That is, directly after the IP addresses and port an optional “->” can follow, indicating
that the addresses/ports should be translated. The first (source) object is optional and is
unlikely to be used, as it is more usual to translate the destination address. The
following example reroutes packets originally destined for 10.10.10.12 to 10.1.2.3:
pass out break end from any to 10.10.10.12 -> to 10.1.2.3
In addition, NAT can be applied to complete subnets: the address bits not covered by the
subnet mask are taken from the original IP address. For example, to NAT the destination
subnet 192.168.0.0/24 to 192.168.1.0/24 the firewall rule is:
pass out break end from any to 192.168.0.0/24 -> to 192.168.1.0/24
Filtering on Port Numbers
Now suppose there is a Telnet server running on a machine with IP address 10.1.2.63 and
you wish to make it accessible. The filter from the previous example would block all
packets to 10.1.2.*. To make the Telnet server on 10.1.2.63 available, add the following
line in front of the blocking rule:
pass break end from any to 10.1.2.63 port=23
So, a packet being sent to the Telnet server (port 23) on IP address 10.1.2.63 will match
this rule and further checking is prevented by the break end option.
The above example illustrates the “=” comparison. The other comparison methods supported
are:

Symbol   Meaning
!=       not equal
>        greater than
<        less than
<=       less than or equal to
>=       greater than or equal to
It is also possible to specify a port within a range or outside a range with the “><” or “<>”
symbols. For example, to pass all packets to ports in the range 23 to 28, the rule would be
specified as:
pass break end from any to 10.1.2.63 port 23><28
To simplify references to ports, some commonly used port numbers are associated with
predefined strings, listed in the table below. For instance, in the example above the
number 23 could be replaced by the string telnet, giving the rule:
pass break end from any to 10.1.2.63 port=telnet
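As an added example (not taken from the user's guide or the product's own software), the following Python script models the rule syntax covered in this section: destination address translation including subnet NAT, the port comparison operators, the “><” / “<>” range forms and the telnet/ftpdat/ftpcnt port keywords. The grammar is inferred from the example rules above; the block action keyword, the inclusive semantics of “><”, the default-deny fallback and the rule set used in the demonstration are assumptions made for this example.

```python
"""Added example: a small model of the firewall rule syntax described in the guide.
The grammar is inferred from the page's examples; 'block' as an action keyword,
inclusive '><' ranges and the default-deny fallback are assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Port keywords: telnet, ftpdat and ftpcnt appear in the guide's keyword table.
PORT_KEYWORDS = {"telnet": 23, "ftpdat": 20, "ftpcnt": 21}

RULE_RE = re.compile(
    r"^(?P<action>pass|block)"            # 'block' is assumed; only 'pass' is on the page
    r"(?:\s+(?P<dir>in|out))?"
    r"(?:\s+(?P<brk>break end))?"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*(?:(?P<op>!=|<=|>=|=|<|>)\s*(?P<val>\S+)"
    r"|(?P<lo>\d+)\s*(?P<rop>><|<>)\s*(?P<hi>\d+)))?"
    r"(?:\s*->\s*to\s+(?P<nat>\S+))?\s*$"
)


@dataclass
class Rule:
    action: str
    brk: bool                                   # 'break end' present
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port_test: Optional[Tuple[str, int, int]]   # (op, value, hi); hi only used for ranges
    nat_dst: Optional[ipaddress.IPv4Network]    # '-> to <object>' translation target


def _net(obj: str) -> ipaddress.IPv4Network:
    """'any', a single address (treated as /32) or a subnet object."""
    return ipaddress.ip_network("0.0.0.0/0" if obj == "any" else obj, strict=False)


def _port(val: str) -> int:
    """Resolve a keyword such as 'telnet' or a literal port number."""
    return PORT_KEYWORDS[val.lower()] if val.lower() in PORT_KEYWORDS else int(val)


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"cannot parse rule: {line!r}")
    g = m.groupdict()
    port_test = None
    if g["op"]:
        port_test = (g["op"], _port(g["val"]), 0)
    elif g["rop"]:
        port_test = (g["rop"], int(g["lo"]), int(g["hi"]))
    return Rule(g["action"], g["brk"] is not None, _net(g["src"]), _net(g["dst"]),
                port_test, _net(g["nat"]) if g["nat"] else None)


def port_matches(test: Tuple[str, int, int], port: int) -> bool:
    op, a, b = test
    if op == "><":                 # in range (taken as inclusive here)
        return a <= port <= b
    if op == "<>":                 # out of range
        return not (a <= port <= b)
    return {"=": port == a, "!=": port != a, ">": port > a, "<": port < a,
            "<=": port <= a, ">=": port >= a}[op]


def translate(ip: str, target: ipaddress.IPv4Network) -> str:
    """Network bits come from the target subnet; the host bits not covered by the mask
    are kept from the original address, as the guide describes. A /32 target replaces
    the whole address."""
    host_bits = int(ipaddress.ip_address(ip)) & int(target.hostmask)
    return str(ipaddress.ip_address(int(target.network_address) | host_bits))


def evaluate(rules, src: str, dst: str, port: int) -> Tuple[str, str]:
    """Walk the rules in order. A matching rule sets the verdict (and any translated
    destination); 'break end' stops further checking. Default verdict is 'block'."""
    verdict, new_dst = "block", dst
    for r in rules:
        if ipaddress.ip_address(src) not in r.src or ipaddress.ip_address(dst) not in r.dst:
            continue
        if r.port_test and not port_matches(r.port_test, port):
            continue
        verdict = r.action
        if r.nat_dst:
            new_dst = translate(dst, r.nat_dst)
        if r.brk:
            break
    return verdict, new_dst


# Constructed rule set: the guide's example rules plus an assumed blocking rule for
# 10.1.2.0/24, placed after the Telnet pass rule as the guide recommends.
RULESET = [
    "pass break end from any to 10.1.2.63 port=telnet",
    "block break end from any to 10.1.2.0/24",
    "pass out break end from any to 10.10.10.12 -> to 10.1.2.3",
    "pass out break end from any to 192.168.0.0/24 -> to 192.168.1.0/24",
]
RULES = [parse_rule(r) for r in RULESET]

if __name__ == "__main__":
    for s, d, p in [("1.2.3.4", "10.1.2.63", 23), ("1.2.3.4", "10.1.2.63", 80),
                    ("1.2.3.4", "192.168.0.77", 443)]:
        print(s, d, p, "->", evaluate(RULES, s, d, p))
```

Running the script shows why the guide puts the Telnet pass rule in front of the blocking rule: a packet to 10.1.2.63 port 23 hits the pass rule and stops there because of break end, while a packet to the same host on port 80 falls through to the block rule. Swapping the two rules would silently block the Telnet server, so rule order is worth checking whenever a new pass rule is added.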
The other port keywords that are defined are:

Keyword   Std. Port   Service
Ftpdat    20          File Transfer Protocol data port
Ftpcnt    21          File Transfer Protocol control port