Proventia Network IPS G and GX Appliance User Guide

Firewall Rules Language
Introduction

A firewall rule consists of several statements (or clauses) that define the traffic to which
the rule applies. When you manually create firewall rules for the appliance, you can use
the syntax listed in this topic.
Firewall clauses

A firewall rule consists of several clauses chained together to match specific criteria for
each packet. The clauses represent specific layers in the protocol stack. Each clause can be
broken down into conditions and expressions. The expressions are the variable part of the
rule, in which you plug in the address, port, or numeric parameters.
You can use the following firewall clauses:
Adapter clause
Specifies a set of adapters from A through P that attaches the rule to a specific adapter.
The adapter clause indicates a specific adapter where the rule is applied. The supported
adapter expressions are any and the letters A through P. If you do not specify an adapter
clause, the rule matches packets on any adapter.
adapter <adapter-id>
adapter A
adapter any
adapter A,C
adapter A-C
Ethernet clause
Specifies either a network protocol type or virtual LAN (VLAN) identifier to match
the 802.1 frame. You can use the Ethernet clause to filter 802.1q VLAN traffic or
allow/deny specific types of Ethernet protocols. You can find the list of protocol types
at http://www.iana.org/assignments/ethernet-numbers. Ethernet protocol constants can be
specified in decimal, octal, hexadecimal, or alias notation. To make it easier to block
specific types of Ethernet traffic, you can specify an alias instead of the well-known
number. In some cases, one alias matches more than one protocol number (for example,
IPX and PPPoE).
ether proto <protocol-id>
ether proto {arp|aarp|atalk|ipx|mpls|netbui|pppoe|rarp|sna|xns}
ether vid <vlan-number>
ether vid <vlan-number> proto <protocol-id>
ether proto !arp
ether vid 1 proto 0x0800
ether vid 2 proto 0x86dd
ether vid 3-999 proto 0x0800,0x86dd
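The following Python matcher is an added illustration, not code from the guide or the appliance: it parses the adapter and Ethernet clause syntax shown above (adapter lists and ranges, VLAN id ranges, protocol numbers in decimal, octal, hexadecimal or alias form, and the leading "!" negation) and evaluates a frame against the result. The alias-to-number table is an assumption constructed for the example, and treating "!" as negating the whole protocol list is also an assumption; the IP datagram clause is not covered.

```python
# Assumed alias table, constructed for this example (the appliance's own table is
# not reproduced). PPPoE and IPX map to two numbers each: one alias, two types.
ALIASES = {"arp": {0x0806}, "rarp": {0x8035}, "pppoe": {0x8863, 0x8864},
           "ipx": {0x8137, 0x8138}, "mpls": {0x8847, 0x8848}}

def _number(tok):
    """Decimal, octal (leading 0) or hexadecimal (0x), as the guide allows."""
    t = tok.lower()
    return int(t, 16 if t.startswith("0x") else 8 if len(t) > 1 and t[0] == "0" else 10)

def _values(arg, conv):
    """'A,C', 'A-C' or '3-999' style lists and ranges -> one set of values."""
    out = set()
    for item in arg.split(","):
        lo, sep, hi = item.partition("-")
        out |= set(range(conv(lo), conv(hi) + 1)) if sep else {conv(item)}
    return out

def parse_rule(text):
    """Parse the adapter and ether clauses of a rule; None = not constrained."""
    rule = {"adapters": None, "vid": None, "proto": None, "negate": False}
    toks, i = text.split(), 0
    while i < len(toks):
        key, arg = toks[i], toks[i + 1]
        if key == "ether":                 # keyword only; 'vid' / 'proto' follow
            i += 1
            continue
        if key == "adapter" and arg != "any":
            rule["adapters"] = {chr(c) for c in _values(arg.upper(), ord)}
        elif key == "vid":
            rule["vid"] = _values(arg, int)
        elif key == "proto":               # a leading '!' negates the whole list
            rule["negate"] = arg.startswith("!")
            rule["proto"] = set().union(*(ALIASES.get(p.lower()) or {_number(p)}
                                          for p in arg.lstrip("!").split(",")))
        elif key != "adapter":
            raise ValueError(f"unknown clause keyword: {key}")
        i += 2
    return rule

def matches(rule, adapter, vid, proto):
    """Does a frame (adapter letter, VLAN id, protocol number) satisfy the rule?"""
    if rule["adapters"] is not None and adapter.upper() not in rule["adapters"]:
        return False
    if rule["vid"] is not None and vid not in rule["vid"]:
        return False
    if rule["proto"] is not None and (proto in rule["proto"]) == rule["negate"]:
        return False
    return True
```

For an untagged frame pass `vid=None`; a rule with a vid clause then correctly fails to match it.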
IP datagram clause
Specifies the transport level filtering fields such as IPv4 addresses, TCP/UDP source
or destination ports, ICMP type or code, or a specific IP protocol number. The IP
datagram clause identifies the protocol that resides inside the IP datagram and the
protocol-specific conditions that must be satisfied in order for the statement to match.
Currently, only ICMP, TCP, and UDP conditions are supported, but you can specify
filters based on any IP protocol. If you do not specify an IP datagram clause, the
statement will match any IP datagram protocol.
The first and second statements below block IP packets that match the IP address
expression. The third statement below blocks IP packets that match the IP address
expression. The fourth statement below blocks IP packets that match the protocol