Digi TransPort WR44 - Page 789
Configuring security: Firewall
Digi TransPort Routers User Guide, page 789
Set filters in firewall rules
Filter on port numbers
Suppose a Telnet server is running on a machine on IP address 10.1.2.63, and you want to make this
server accessible. Suppose also a filter is in place to block all packets to 10.1.2.*. To make the Telnet
server available on 10.1.2.63, add the following line before the blocking rule:
    pass in break end from any to 10.1.2.63 port=23 flags S!A inspect-state
A packet sent to the Telnet server (port 23) on IP address 10.1.2.63 matches this rule, and further
checking is prevented by the break end option.
Specifying in ensures that only incoming packets match the rule.
Specifying flags S!A ensures that the rule only matches on the initial TCP SYN, and also implies that
the rule should match on TCP packets.
Specifying inspect-state means that if a packet matches the rule, a new stateful entry is created to
allow other packets matching the same TCP socket, in either direction, to pass.
The above example illustrates the = comparison. Other comparison methods supported are:
    Symbol   Meaning
    !=       not equal
    >        greater than
    <        less than
    <=       less than or equal to
    >=       greater than or equal to
You can also specify a port in range or a port out of range with the >< or <> symbols. For example, to
pass all packets to 10.1.2.63 on ports in the range 23 to 28, the rule is:
    pass break end from any to 10.1.2.63 port 23><28
To simplify port references, some common port numbers are associated with predefined strings,
listed in the table below. For example, if the number 23 in the first example above is replaced with the
string telnet, the rule is:
    pass break end from any to 10.1.2.63 port=telnet
Other defined port keywords are as follows. The service keywords are predefined based on standard
port numbers. These port numbers may have been defined differently on your system, in which case
you should use the port numbers explicitly, and not the defined names.
    Keyword   Standard port number   Service
    Ftpdat    20                     File Transfer Protocol data port
    Ftpcnt    21                     File Transfer Protocol control port
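The following Python model is an added illustration, not code from the user guide or the TransPort firmware: it parses rules written in the syntax described above and evaluates constructed packets against them, so the effect of flags S!A, inspect-state and break end on a later rule that blocks 10.1.2.* can be seen directly. It assumes a simplified grammar limited to the keywords on this page, a "*" wildcard octet in addresses, inclusive endpoints for the >< and <> ranges, and block as the default verdict when no rule matches; all of these are assumptions, not documented TransPort behaviour.

```python
import re
PORT_KEYWORDS = {"telnet": 23, "ftpdat": 20, "ftpcnt": 21}  # subset of the page's keyword table
PORT_EXPR = re.compile(r"^(?:(\w+)(><|<>)(\w+)|(!=|>=|<=|=|>|<)(\w+))$")  # "23><28" or "=telnet"

def port_value(tok):  # keyword or explicit number
    return PORT_KEYWORDS[tok.lower()] if tok.lower() in PORT_KEYWORDS else int(tok)
def port_matches(expr, port):
    m = PORT_EXPR.match(expr)
    if m.group(2):  # "><" in range, "<>" out of range (inclusive endpoints: an assumption)
        inside = port_value(m.group(1)) <= port <= port_value(m.group(3))
        return inside if m.group(2) == "><" else not inside
    op, val = m.group(4), port_value(m.group(5))
    return {"=": port == val, "!=": port != val, ">": port > val,
            "<": port < val, ">=": port >= val, "<=": port <= val}[op]
def addr_matches(pattern, addr):  # "any", or a dotted quad with "*" wildcard octets (10.1.2.*)
    return pattern == "any" or all(p in ("*", a) for p, a in zip(pattern.split("."), addr.split(".")))
def flags_match(spec, pkt):  # "S!A": SYN must be set, ACK must be clear; implies a TCP packet
    want = {c for i, c in enumerate(spec) if c != "!" and spec[i - 1:i] != "!"}
    avoid = {c for i, c in enumerate(spec) if c != "!" and spec[i - 1:i] == "!"}
    return pkt["proto"] == "tcp" and want <= pkt["flags"] and not (avoid & pkt["flags"])
def parse_rule(text):  # simplified grammar covering only the keywords shown on this page
    toks, i = text.split(), 1
    r = {"action": toks[0], "dir": None, "break": False, "from": "any", "to": "any",
         "port": None, "flags": None, "state": False}
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"): r["dir"] = t
        elif t == "break": r["break"], i = True, i + 1               # "break end"
        elif t in ("from", "to", "port", "flags"): r[t], i = toks[i + 1], i + 1
        elif t.startswith("port"): r["port"] = t[4:]                 # "port=23", "port=telnet"
        elif t == "inspect-state": r["state"] = True
        i += 1
    return r
def rule_matches(r, pkt):
    return (r["dir"] in (None, pkt["dir"]) and addr_matches(r["from"], pkt["src"])
            and addr_matches(r["to"], pkt["dst"]) and (r["port"] is None or port_matches(r["port"], pkt["port"]))
            and (r["flags"] is None or flags_match(r["flags"], pkt)))
def evaluate(rules, pkt, state):  # returns "pass" or "block"; state = sockets opened by inspect-state
    sock = (frozenset((pkt["src"], pkt["dst"])), pkt["port"])  # one entry serves both directions
    if sock in state: return "pass"
    verdict = "block"  # assumed default when no rule matches
    for r in rules:
        if rule_matches(r, pkt):
            verdict = r["action"]
            if r["state"]: state.add(sock)
            if r["break"]: break  # "break end": further checking is prevented
    return verdict

RULES = [parse_rule("pass in break end from any to 10.1.2.63 port=telnet flags S!A inspect-state"),
         parse_rule("block break end from any to 10.1.2.*")]  # constructed: page's rule before the block
```

A packet dictionary carries dir, src, dst, proto, the server-side port and a set of TCP flag letters; the initial SYN to 10.1.2.63:23 passes and opens a state entry, the server's reply passes through that entry, and a SYN to any other 10.1.2.* host or a non-SYN packet to the server falls through to the blocking rule.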