Configuring security Firewall
Digi TransPort® Routers User Guide
790
Keyword   Standard port number   Service
telnet    23                     Telnet server port
smtp      25                     SMTP server port
http      80                     Web server port
pop3      110                    Mail server port
sntp      123                    NTP server port
ike       500                    Source/destination port for IKE key
xot       1998                   Destination port for XOT packets
Filter on TCP flags
To filter on TCP flags, follow an ip-object with an optional [flags] field.
[flags]
Filters based on any combination of TCP flags. The [flags] field specifies the flags to check and
consists of the flags keyword followed by a string specifying the flags themselves. Each letter in this
string represents a particular flag type as listed below:
Code   Flag
f      FIN Flag
r      RESET Flag
s      SYN Flag
p      PUSH Flag
u      URG Flag
a      ACK Flag
These flag codes allow the filter to check any combination of flags.
Following on from the previous example, to block packets that have all the flags set you would need to
precede the pass rule with the following block rule:
block break end from any to 10.1.2.0/24 port=telnet flags frspua
Here, the list of flags causes the router to check that those flags are set. This list may be optionally
followed by an exclamation mark (!) and a second list of flags that the router should check for being
clear.
For example, the following [flags] field tests for the s flag being set and the a flag being clear, with all
other flags ignored:
flags s!a
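The matching semantics described above (letters before the optional "!" must be set, letters after it must be clear, everything else ignored) are easy to get wrong in a rule, so the following added example, which is not code from the Digi TransPort guide or firmware, simulates them in Python. It parses a [flags] string such as frspua or s!a into a set-mask and a clear-mask, then evaluates constructed sample packets against it. The bit values assigned to each flag letter are the standard TCP header flag bits, an assumption of the example rather than something the guide states, and the sample packets and their names are constructed for illustration.

```python
# Added example (not from the Digi TransPort guide): a simulator of the
# [flags] field semantics. "frspua" requires every listed flag to be set;
# "s!a" requires SYN set and ACK clear; flags in neither list are ignored.

# Flag codes from the guide's table, mapped to the bit positions of the
# standard TCP header flags byte (assumption of this example, not the guide):
# FIN=0x01, SYN=0x02, RST=0x04, PSH=0x08, ACK=0x10, URG=0x20.
FLAG_BITS = {
    "f": 0x01,  # FIN
    "s": 0x02,  # SYN
    "r": 0x04,  # RESET
    "p": 0x08,  # PUSH
    "a": 0x10,  # ACK
    "u": 0x20,  # URG
}


def parse_flags_spec(spec: str) -> tuple[int, int]:
    """Turn a [flags] string into (set_mask, clear_mask).

    Letters before an optional '!' must be set; letters after it must be
    clear. A malformed spec raises ValueError so that a mistyped rule is
    rejected instead of silently matching nothing (or everything).
    """
    spec = spec.strip()
    if spec.count("!") > 1:
        raise ValueError(f"only one '!' allowed in flags spec: {spec!r}")
    set_part, _, clear_part = spec.partition("!")
    set_mask = 0
    clear_mask = 0
    for letter in set_part:
        if letter not in FLAG_BITS:
            raise ValueError(f"unknown flag code {letter!r} in {spec!r}")
        set_mask |= FLAG_BITS[letter]
    for letter in clear_part:
        if letter not in FLAG_BITS:
            raise ValueError(f"unknown flag code {letter!r} in {spec!r}")
        clear_mask |= FLAG_BITS[letter]
    if set_mask & clear_mask:
        raise ValueError(f"flag required both set and clear in {spec!r}")
    return set_mask, clear_mask


def flags_match(packet_flags: int, spec: str) -> bool:
    """True if a packet's TCP flags byte satisfies the [flags] spec."""
    set_mask, clear_mask = parse_flags_spec(spec)
    return (packet_flags & set_mask) == set_mask and (packet_flags & clear_mask) == 0


# Constructed sample packets (flags byte only); names and values are illustrative.
SAMPLE_PACKETS = {
    "syn_only": 0x02,         # new connection attempt
    "syn_ack": 0x02 | 0x10,   # server's reply to a SYN
    "ack_psh": 0x10 | 0x08,   # data segment on an established session
    "all_flags": 0x3F,        # every flag set: the case the block rule above catches
}


def evaluate(spec: str) -> dict[str, bool]:
    """Apply one [flags] spec to every sample packet and return the verdicts."""
    return {name: flags_match(flags, spec) for name, flags in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for rule_spec in ("frspua", "s!a"):
        print(rule_spec, evaluate(rule_spec))
```

Running it shows that frspua matches only the all-flags packet, while s!a matches the bare SYN but neither the SYN/ACK reply nor an established-session segment, which is the distinction the pass rule in the next example relies on.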
As a further example, suppose we want to allow outward connections from a machine on 10.1.2.33 to
a Telnet server. We have to define a filter rule to pass outbound connections and the inbound
response packets. Because this is an outbound Telnet service we can make use of the fact that all