User manual
20: Configuring firewall
Name         Type                     Required  Default  Description
limit        string                   no        (none)   Sets the maximum average matching rate, specified as a
                                                         number with an optional /second, /minute, /hour or /day
                                                         suffix. Example: 3/hour.
limit_burst  integer                  no        5        Sets the maximum initial number of packets to match.
                                                         This number is recharged by one every time the limit
                                                         specified above is not reached, up to this number.
extra        string                   no        (none)   Extra arguments to pass to iptables; useful for
                                                         specifying additional match options, such as
                                                         -m policy --dir in for IPsec.
20.5 Rules
Sections of the type rule can be used to define basic accept or reject rules to allow or restrict access to specific ports or hosts. Like redirects, the rules are tied to the given source zone and match incoming traffic occurring there.
Valid options for this section are:
Name         Type                     Required  Default  Description
src          zone name                yes       (none)   Specifies the traffic source zone; must refer to one of
                                                         the defined zone names.
src_ip       ip address               no        (none)   Match incoming traffic from the specified source IP
                                                         address.
src_mac      mac address              no        (none)   Match incoming traffic from the specified MAC address.
src_port     port or range            no        (none)   Match incoming traffic originating from the given source
                                                         port or port range on the client host, if tcp or udp is
                                                         specified as the protocol.
proto        protocol name or number  no        tcpudp   Match incoming traffic using the given protocol. Can be
                                                         one of tcp, udp, tcpudp, udplite, icmp, esp, ah, sctp or
                                                         all, or a numeric value representing one of these
                                                         protocols or a different one. A protocol name from
                                                         /etc/protocols is also allowed. The number 0 is
                                                         equivalent to all.
dest         zone name                no        (none)   Specifies the traffic destination zone; must refer to one
                                                         of the defined zone names. If specified, the rule applies
                                                         to forwarded traffic; otherwise it is treated as an input
                                                         rule.
dest_ip      ip address               no        (none)   Match incoming traffic directed to the specified
                                                         destination IP address.
dest_port    port or range            no        (none)   Match incoming traffic directed at the given destination
                                                         port or port range on this host, if tcp or udp is
                                                         specified as the protocol.
target       string                   yes       DROP     Firewall action (ACCEPT, REJECT, DROP) for matched
                                                         traffic.
family       string                   no        any      Protocol family (ipv4, ipv6 or any) to generate iptables
                                                         rules for.
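An added configuration example, not taken from this manual, showing how the rule options above combine. It assumes the firewall configuration is written in UCI syntax, that zones named wan, lan and guest exist, and uses the constructed documentation address 203.0.113.10 as the management host:

```uci
# Added example, not from the manual. Assumes UCI syntax and zones named
# 'wan', 'lan' and 'guest'; 203.0.113.10 is a constructed documentation address.

# Weak: accepts SSH to the router from any host in the wan zone, unlimited.
config rule
    option src 'wan'
    option proto 'tcp'
    option dest_port '22'
    option target 'ACCEPT'

# Better: no dest is set, so this is an input rule for the router itself.
# It is restricted to one management address, limited to an average of
# 3 matches per minute with an initial burst of 5, and generated for
# IPv4 only.
config rule
    option src 'wan'
    option src_ip '203.0.113.10'
    option proto 'tcp'
    option dest_port '22'
    option limit '3/minute'
    option limit_burst '5'
    option family 'ipv4'
    option target 'ACCEPT'

# Forwarded traffic: because dest is set, this matches traffic forwarded
# from the guest zone to the lan zone rather than traffic to the router,
# and rejects it for every protocol.
config rule
    option src 'guest'
    option dest 'lan'
    option proto 'all'
    option target 'REJECT'
```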
© Virtual Access 2015
GW1000 Series User Manual
Issue: 2.4 Page 132 of 255