Digi TransPort WR11 - Page 787

Configuring security Firewall
Digi TransPort Routers User Guide
Method 2: This same rule could be described another way using the mask keyword:
block from any to 10.1.2.0 mask 255.255.255.0
The IP address can also contain either addr-ppp n or addr-eth n, where n is the eth or ppp instance
number. In this case, the rule specifies that the IP address is that allocated to the PPP interface or to
the Ethernet interface. This is useful when IP addresses are obtained automatically and therefore are
not known by the author of the filtering rules. For example:
block in break end on ppp 0 from addr-eth 0 to any
ipv6-addr
Is an IPv6 address in the usual format (e.g. 2001:DB8::/32).
ipv6-host = "ipv6-host" ipv6-addr "/" decnumber ["/" decnumber]
Specifies the host portion of an IPv6 address. For example, the ipv6-host value
::01:1111:2222:3333:4444/72 matches the 72 low-order bits of the address
::01:1111:2222:3333:4444. You can also specify a second decimal value to indicate how many host
bits to match. For example, the ipv6-host value ::01:1111:2222:3333:4444/72/8 matches the 8 bits of
the address starting from bit 128 - 72 (that is, 01).
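The ipv6-host matching described above, worked through as an added example (this is not code from the Digi manual or firmware). It assumes bits are counted from the most significant bit as bit 0, so the host portion is the low-order bits of the address; the function names and the sample packet addresses are constructed for illustration.

```python
import ipaddress


def ipv6_host_mask(host_bits, match_bits=None):
    """Build the 128-bit mask for an ipv6-host value.

    host_bits  -- first decimal value: size of the host portion (low-order bits)
    match_bits -- optional second value: how many bits to compare, starting
                  at bit 128 - host_bits (the top of the host portion)
    """
    if match_bits is None:
        match_bits = host_bits          # one value: compare the whole host portion
    if not 0 < match_bits <= host_bits <= 128:
        raise ValueError("need 0 < match_bits <= host_bits <= 128")
    # Keep only the top match_bits bits of the low host_bits bits.
    return ((1 << match_bits) - 1) << (host_bits - match_bits)


def parse_ipv6_host(spec):
    """Split 'addr/host_bits[/match_bits]' into (wanted_bits, mask)."""
    parts = spec.split("/")
    if len(parts) not in (2, 3):
        raise ValueError("expected addr/decnumber[/decnumber]")
    addr = int(ipaddress.IPv6Address(parts[0]))
    host_bits = int(parts[1])
    match_bits = int(parts[2]) if len(parts) == 3 else None
    mask = ipv6_host_mask(host_bits, match_bits)
    return addr & mask, mask


def ipv6_host_matches(spec, packet_addr):
    """True if packet_addr agrees with spec on every bit selected by the mask."""
    wanted, mask = parse_ipv6_host(spec)
    return int(ipaddress.IPv6Address(packet_addr)) & mask == wanted


if __name__ == "__main__":
    # Constructed packet addresses: same host part, different network prefixes.
    for spec in ("::01:1111:2222:3333:4444/72", "::01:1111:2222:3333:4444/72/8"):
        for pkt in ("2001:db8:0:ff01:1111:2222:3333:4444",
                    "2001:db8:0:1:aaaa:bbbb:cccc:dddd"):
            print(spec, pkt, ipv6_host_matches(spec, pkt))
```

With the /72/8 form only the single byte 01 is compared, so a rule written this way matches far more addresses than the /72 form; check which one a rule actually needs before relying on it to restrict traffic.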
addr6-eth = "addr6-eth" decnumber | "addr6-eth-lla" decnumber | "addr6-eth-ula" decnumber |
"addr6-eth-global" decnumber
addr6-eth is used to match on IPv6 addresses owned by the Ethernet interface specified by the value
of decnumber.
The -lla variant is used to match only on the link-local addresses associated with the interface.
The -ula variant is used to match only on the unique local addresses associated with the interface.
The -global variant is used to match only on the global addresses associated with the interface.
For example, the following rule will pass incoming packets with a destination address that matches a
link-local address associated with eth 0:
pass in break end from any to addr6-eth-lla 0
The following rule will pass incoming packets with a destination address that matches any IPv6
address associated with eth 0:
pass in break end from any to addr6-eth 0
addr6-ppp = "addr6-ppp" decnumber | "addr6-ppp-lla" decnumber | "addr6-ppp-ula" decnumber |
"addr6-ppp-global" decnumber
addr6-ppp is similar to addr-eth, but matches on PPP interfaces instead of Ethernet interfaces.
Address/Port translation
One further option for specifying addresses is to use address translation. The syntax for this is:
srcdst = all | fromto [ -> [ ip-object ] to object ]
such as directly after the IP addresses and port are specified. An optional -> can follow, indicating that
the addresses/ports should be translated. The first source object is optional, as it is more normal to
translate the destination address.
The following example reroutes packets originally destined for 10.10.10.12 to 10.1.2.3: