Configuring security Firewall
Digi TransPort® Routers User Guide
792
ICMP type ICMP value
Routerad 9
Routersol 10
The following two rules are equivalent:
pass in break end on ppp 0 proto icmp from any to 10.1.2.0/24 icmp-type 0
pass in break end on ppp 0 proto icmp from any to 10.1.2.0/24 icmp-type echorep
Both of these rules allow echo replies to come in from interface ppp 0 if they are addressed to our
example local network address (10.1.2.*).
In addition to having a type, ICMP packets also include an ICMP code field after the type. When
specified, the code field must also match. Specify the ICMP code field with a decimal number.
For example, to allow in only echo replies and ICMP unreachable packets from interface ppp 0, the
rules would look something like this:
pass in break end on ppp 0 proto icmp from any to 10.1.2.0/24 icmp-type echorep code 0
pass in break end on ppp 0 proto icmp from any to 10.1.2.0/24 icmp-type unreach code 0
block in break end on ppp 0 proto icmp
The first two rules in this set allow in the ICMP packets that we are willing to permit and the third rule
denies all other ICMP packets in from this interface. If we ever expect to see echo replies in on ppp 0,
we should allow echo requests out on that interface too, using this rule:
pass out break end on ppp 0 proto icmp icmp-type echo
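As an added illustration that is not part of the guide, the following Python evaluates constructed ICMP packets against the rule set above. It assumes the rule syntax shown on this page, the standard RFC 792 numbers for the ICMP type names (the guide itself shows that icmp-type 0 and icmp-type echorep are equivalent), that a matching "break end" rule ends evaluation, and a default verdict of block for packets that match no rule; the addresses are example values.

```python
import ipaddress

# Standard ICMP type numbers (RFC 792) for the names on this page; the guide shows echorep == 0.
ICMP_TYPES = {"echorep": 0, "unreach": 3, "echo": 8, "routerad": 9, "routersol": 10}
CONV = {"icmp-type": lambda v: int(v) if v.isdigit() else ICMP_TYPES[v], "code": int}

def parse_rule(line):
    t = line.split()
    rule = {"action": t[0], "dir": t[1], "break": False, "from": "any", "to": "any",
            "icmp-type": None, "code": None}
    i = 2
    while i < len(t):
        if t[i] == "break" and t[i + 1] == "end":   # "break end": stop evaluating on match
            rule["break"], i = True, i + 2
        elif t[i] == "on":                          # interface is two tokens, e.g. "ppp 0"
            rule["on"], i = t[i + 1] + " " + t[i + 2], i + 3
        elif t[i] in ("proto", "from", "to", "icmp-type", "code"):  # name or decimal value
            rule[t[i]], i = CONV.get(t[i], str)(t[i + 1]), i + 2
        else:
            raise ValueError("unsupported token: " + t[i])
    return rule

def matches(rule, pkt):
    return (all(rule[k] == pkt[k] for k in ("dir", "on", "proto"))
            and all(rule[k] == "any" or ipaddress.ip_address(pkt[k]) in ipaddress.ip_network(rule[k])
                    for k in ("from", "to"))        # "any" or a CIDR such as 10.1.2.0/24
            and all(rule[k] is None or rule[k] == pkt[k] for k in ("icmp-type", "code")))

def evaluate(rules, pkt, default="block"):
    """Assumed semantics: a matching 'break end' rule decides, else the last match, else default."""
    verdict = default
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule["action"]
            if rule["break"]:
                break
    return verdict

# The rule set from this page (the three inbound rules plus the outbound echo rule).
RULES = [parse_rule(r) for r in (
    "pass in break end on ppp 0 proto icmp from any to 10.1.2.0/24 icmp-type echorep code 0",
    "pass in break end on ppp 0 proto icmp from any to 10.1.2.0/24 icmp-type unreach code 0",
    "block in break end on ppp 0 proto icmp",
    "pass out break end on ppp 0 proto icmp icmp-type echo")]

def icmp_packet(direction, itype, code=0, src="198.51.100.9", dst="10.1.2.7"):
    """Constructed sample packet on ppp 0; the addresses are example values, not real hosts."""
    return {"dir": direction, "on": "ppp 0", "proto": "icmp", "from": src, "to": dst,
            "icmp-type": itype, "code": code}
```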
[icmpv6]
This field allows the script to filter packets based on ICMPv6 codes. ICMPv6 packets are occasionally
used to debug and diagnose a network and can be extremely useful. However, they form part of a low-
level protocol and are frequently exploited by hackers for attacking networks. For this reason, most
network administrators want to restrict the use of ICMP packets.
The syntax for including ICMPv6 filtering is:
icmpv6 = “icmpv6-type” icmpv6-type [“code” decnum]
Where:
icmpv6-type
Is one of the pre-defined strings listed in the following table or the equivalent decimal numeric value:
ICMPv6 type ICMPv6 value
Unreach 1
Toobig 2
Timex 3
Paramprob 4