Specifications
Chapter 8. Command Reference 269
drop The packet is discarded silently, without sending an ICMP (Internet Control Message Protocol)
error message to the sender.
reject The packet is discarded and an ICMP error message is returned to the sender.
inipsec The packet is passed to IPSec for decrypting. The filter is intended to match packets coming
from the other IPSec gateway. Although filters are the mechanism by which packets are passed
to IPSec, it is recommended that you use IKE, rather than your own filters, to manage your IP
Security (see IPSec (Internet Protocol Security), on page 134).
outipsec The packet is passed to IPSec so it can be encrypted and sent to the other IPSec gateway. The
filter is intended to match packets coming from the local protected network. Although filters are
the mechanism by which packets are passed to IPSec, it is recommended that you use IKE to
manage your IP Security (see IPSec (Internet Protocol Security), on page 134).
The following parameters specify the characteristics that an IP packet must have in order to match the filter. A filter
can require any or all of these characteristics.
-p <protocol> | TCP | UDP | ICMP
The packet must have the specified protocol. If no protocol is specified, the filter matches every protocol.
-sa <first source ip addr>[:<last source ip addr>]
The packet must have a source IP address within the specified address range. If only one address is specified,
the packet must have that source IP address. If no source IP address is specified, the filter matches any
address in the range 0.0.0.0:255.255.255.255.
-sm <source ip mask>
The filter applies the specified mask to both the <first source ip addr>...<last source ip addr> range and the
source IP address in the IP packet before comparing them. If no source mask is specified, the mask used is
255.255.255.255, so every bit of the address is compared.
-sp <ICMP type> | <first source port>[:<last source port>]
The packet must have a source port that matches the specified ICMP type or that is within the specified port
range. If only one port is specified, the packet must have that source port. If no source port is specified, the
filter matches any source port in the range 0:0xffff.
-da <first dest ip addr>[:<last dest ip addr>]
The packet must have a destination IP address within the specified address range. If only one address is
specified, the packet must have that destination IP address. If no destination IP address is specified, the filter
matches any address in the range 0.0.0.0:255.255.255.255.
-dm <dest ip mask>
The filter applies the specified mask to both the <first dest ip addr>...<last dest ip addr> range and the
destination IP address in the IP packet before comparing them. If no destination mask is specified, the mask used
is 255.255.255.255, so every bit of the address is compared.
-dp <ICMP type> | <first dest port>[:<last dest port>]
The packet must have a destination port that matches the specified ICMP type or that is within the specified
port range. If only one port is specified, the packet must have that destination port. If no destination port is
specified, the filter matches any destination port in the range 0:0xffff.
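The following is an added worked example, not code from the product or this reference: a small Python model of how the -p, -sa/-sm, -sp, -da/-dm and -dp parameters above combine to decide whether a packet matches a filter. Defaults follow the text (no protocol matches every protocol, no address matches 0.0.0.0:255.255.255.255, no port matches 0:0xffff, no mask means 255.255.255.255). The Filter, Packet and matches names are the example's own, the packets are constructed rather than captured, and the masking rule (mask applied to both the range bounds and the packet address) is an assumption about the product's behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example of the filter-match rules in the reference; not the product's own code.
# Assumption: the -sm/-dm mask is ANDed with both range bounds and the packet address.

PROTO_NUM = {"TCP": 6, "UDP": 17, "ICMP": 1}
ANY_ADDR = (0, 0xFFFFFFFF)   # default when -sa/-da is omitted: 0.0.0.0:255.255.255.255
ANY_PORT = (0, 0xFFFF)       # default when -sp/-dp is omitted: 0:0xffff
FULL_MASK = 0xFFFFFFFF       # default when -sm/-dm is omitted: 255.255.255.255


def ip_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def port_int(text: str) -> int:
    # base 0 accepts "80" as well as "0xffff", the form the reference uses
    return int(text, 0)


def parse_range(text: Optional[str], conv, default: Tuple[int, int]) -> Tuple[int, int]:
    """'a' -> (a, a); 'a:b' -> (a, b); None -> the documented default range."""
    if text is None:
        return default
    lo_text, sep, hi_text = text.partition(":")
    lo = conv(lo_text)
    return (lo, conv(hi_text) if sep else lo)


def parse_proto(text: Optional[str]) -> Optional[int]:
    """TCP/UDP/ICMP by name, or a raw protocol number; None matches every protocol."""
    if text is None:
        return None
    key = text.upper()
    return PROTO_NUM[key] if key in PROTO_NUM else int(text)


@dataclass(frozen=True)
class Filter:
    proto: Optional[int]
    sa: Tuple[int, int]
    sm: int
    sp: Tuple[int, int]
    da: Tuple[int, int]
    dm: int
    dp: Tuple[int, int]

    @classmethod
    def from_args(cls, p=None, sa=None, sm=None, sp=None, da=None, dm=None, dp=None):
        """Build a filter from arguments written the way the reference shows them."""
        return cls(
            proto=parse_proto(p),
            sa=parse_range(sa, ip_int, ANY_ADDR),
            sm=ip_int(sm) if sm else FULL_MASK,
            sp=parse_range(sp, port_int, ANY_PORT),
            da=parse_range(da, ip_int, ANY_ADDR),
            dm=ip_int(dm) if dm else FULL_MASK,
            dp=parse_range(dp, port_int, ANY_PORT),
        )


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int   # for ICMP this field carries the ICMP type, as -sp <ICMP type> implies
    dport: int


def _addr_in_range(addr: int, rng: Tuple[int, int], mask: int) -> bool:
    lo, hi = rng
    return (lo & mask) <= (addr & mask) <= (hi & mask)


def _port_in_range(port: int, rng: Tuple[int, int]) -> bool:
    lo, hi = rng
    return lo <= port <= hi


def matches(f: Filter, pkt: Packet) -> bool:
    """True when the packet has every characteristic the filter requires."""
    if f.proto is not None and pkt.proto != f.proto:
        return False
    return (_addr_in_range(ip_int(pkt.src), f.sa, f.sm)
            and _addr_in_range(ip_int(pkt.dst), f.da, f.dm)
            and _port_in_range(pkt.sport, f.sp)
            and _port_in_range(pkt.dport, f.dp))


# Constructed sample packets (not captured traffic).
HTTP_IN = Packet(6, "203.0.113.5", "192.168.1.10", 40000, 80)
DNS_IN = Packet(17, "203.0.113.5", "192.168.1.10", 40000, 53)
ECHO_REQ = Packet(1, "10.20.30.40", "192.168.1.10", 8, 0)   # ICMP echo request, type 8

# -p TCP -da 192.168.1.0:192.168.1.255 -dp 80
WEB = Filter.from_args(p="TCP", da="192.168.1.0:192.168.1.255", dp="80")
# -sa 10.0.0.0 -sm 255.0.0.0 : a single address plus a mask covers all of 10.0.0.0/8
FROM_TEN = Filter.from_args(sa="10.0.0.0", sm="255.0.0.0")
# -p ICMP -sp 8 : ICMP type 8 is compared in the source-port position
PING = Filter.from_args(p="ICMP", sp="8")
MATCH_ALL = Filter.from_args()   # no parameters: matches every packet

if __name__ == "__main__":
    for name, f in (("WEB", WEB), ("FROM_TEN", FROM_TEN), ("PING", PING), ("ALL", MATCH_ALL)):
        print(name, [matches(f, p) for p in (HTTP_IN, DNS_IN, ECHO_REQ)])
```

The FROM_TEN filter is the case worth noting: a single -sa address with a non-default -sm matches a whole network, so a filter meant to pass one host must leave the mask at its 255.255.255.255 default.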
-tcp syn|ack|noflag
If the IP packet is a TCP packet, the filter matches the packet only if the packet flag settings are as specified.
If no -tcp option is specified for the filter, flag settings are not checked.
Note: You may specify more than one -tcp option for the IP filter.
The syn, ack, and noflag settings work together as follows:
- Specify -tcp syn if the TCP SYN flag must be set.
- Specify -tcp ack if the TCP ACK flag must be set.