
Digi TransPort WR31 - Page 700

Digi TransPort WR31
866 pages
Configure security settings Firewall
Digi TransPort WR Routers User Guide 695
[proto]
The protocol to match. Specify using the proto keyword followed by one of the protocol
identifiers listed in the Identifier / Meaning table below.
The [proto] field is also important when stateful inspection is enabled for a rule (using the
[inspect-state] field), as it describes the protocol to inspect (see [inspect-state] below).
[dnslist]
Match packets containing DNS names in a given dnslist. The dnslist keyword must be followed
by the name of a DNS list defined with the #dns command. For example, consider the following
DNS list:
#dns gglist www.Digi.co.*,www.*.co.nz
The following firewall rule blocks all DNS lookups to DNS names matching the above list:
block out break end on ppp 1 proto udp dnslist gglist from any to any port=dns
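Before deploying a block rule like the one above, it helps to check which names a DNS list covers and which it misses. The following is an added example, not code from the Digi guide: an offline checker for a #dns list definition. It assumes that * matches any run of characters (dots included) and that matching is case-insensitive; the router's exact matching semantics are not stated on this page, and the query names are constructed samples.

```python
import re

def parse_dnslist(line):
    """Parse '#dns <listname> <pat>,<pat>,...' into (name, [patterns])."""
    parts = line.split()
    if len(parts) != 3 or parts[0] != "#dns":
        raise ValueError(f"not a #dns definition: {line!r}")
    patterns = [p for p in parts[2].split(",") if p]
    return parts[1], patterns

def pattern_to_regex(pattern):
    # Assumption: '*' matches any run of characters (dots included) and the
    # comparison is case-insensitive. The page does not state the router's
    # exact semantics, so treat the results as a pre-deployment sanity check.
    body = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.compile(rf"^{body}$", re.IGNORECASE)

def matching_pattern(qname, patterns):
    """Return the first pattern that matches qname, or None."""
    qname = qname.rstrip(".")  # tolerate a fully qualified trailing dot
    for pat in patterns:
        if pattern_to_regex(pat).match(qname):
            return pat
    return None

def coverage(dns_line, qnames):
    """Map each queried name to the pattern that matches it (None = no match)."""
    _, patterns = parse_dnslist(dns_line)
    return {q: matching_pattern(q, patterns) for q in qnames}

# The list definition from the page, and constructed sample query names.
DNS_LINE = "#dns gglist www.Digi.co.*,www.*.co.nz"
SAMPLE_QUERIES = [
    "www.digi.co.uk",     # covered by the first pattern
    "WWW.DIGI.CO.NZ.",    # upper case, trailing dot
    "www.example.co.nz",  # covered by the second pattern
    "mail.digi.co.uk",    # no www prefix: slips past the list
    "www.digi.com",       # .com, not .co.*: slips past the list
]

if __name__ == "__main__":
    for name, pat in coverage(DNS_LINE, SAMPLE_QUERIES).items():
        print(f"{name:20} {'matched by ' + pat if pat else 'NOT matched'}")
```

Names reported as not matched would not be caught by the dnslist rule, so they show where the list needs another pattern.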
[ip-range]
The range of IP addresses and ports to match. It may be specified in one of several ways.
The basic syntax is:
ip-range="all" | "from" ip-object "to" ip-object [flags] [icmp]
where ip-object is an IP address specification. For full details of the syntax with examples, see
Specifying IP addresses and ranges.
[inspect-state]
Creates rules for stateful inspection. This is a powerful option in which the firewall script
includes rules that allow the router to keep track of a TCP/UDP or ICMP session and therefore to
only pass packets that match the state of a connection.
Additionally, the [inspect-state] field can specify an optional OOS (Out Of Service) parameter.
This parameter allows the router to mark any route as being out-of-service for a given period of
time in the event that the stateful inspect engine has detected an error.
A full description of how the [inspect-state] field works is given below under the heading
Stateful Inspection Settings parameters.
Protocol identifiers for the [proto] field:

Identifier      Meaning
udp             UDP packet
tcp             TCP packet
ftp             FTP packets regardless of port number
icmp            ICMP packet
decimal number  decimal number matched to protocol type in IP header
