Firewall configuration
Digi TransPort User Guide 658
The optional [icmp-code] field can be a decimal number giving the ICMP code of the
returned ICMP packet. If the [icmp-type] is [unreach], the code can also be one of the
pre-defined text codes listed in the ICMP code table at the end of this section.
For example:
block return-icmp unreach in break end on ppp 0
This rule causes the router to return an ICMP Unreachable packet in response to every
packet received on PPP 0 (there is no proto, from or to clause, so every protocol and
address matches).
Instead of using the return-icmp option to return an ICMP packet, you can use return-rst to
return a TCP reset packet. This is only applicable to TCP packets. For example:
block return-rst in break end on eth 0 proto tcp from any to 10.1.2.0/24
This returns a TCP reset packet when the firewall receives a TCP packet on Ethernet
interface 0 with a destination address in 10.1.2.0/24.
Note that both return options actively answer the sender. A block rule with no return option
discards the packet without replying, which tells a port scanner less about the router but
leaves a legitimate client waiting for its own timeout.
pass
Allows packets that match the rule to pass through the firewall.
pass-ifup
Allows outbound packets that match the rule to pass through the firewall, but only if the
link is already active, so that matching traffic does not raise a dormant link.
debug
Tags any packet matching the rule for debugging. For every matching rule encountered from
this point in the script onwards, an entry is written to the pseudo-file FWLOG.TXT.
dscp
Causes any packet matching this rule to have its DSCP value set according to the rule. The
DSCP value of a packet indicates the type of service required and is used in conjunction
with the QoS (Quality of Service) functions. The dscp keyword must be followed by a decimal
or hexadecimal number giving the value to set.
vdscp
Similar to the dscp action described above, in that it adjusts the DSCP value of a packet.
The difference is that the change is virtual only: the packet itself is not modified, but it
is processed as if it carried the specified DSCP value. As with dscp, a decimal or
hexadecimal number must follow the keyword.
ICMP text codes accepted in [icmp-code] when [icmp-type] is [unreach]:

ICMP code   Meaning
net-unr     Network unreachable
host-unr    Host unreachable
proto-unr   Protocol unreachable
port-unr    Port unreachable
needfrag    Fragmentation needed (and DF set)
srcfail     Source route failed
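The rule actions and return options described in this section, as an added example that is not part of the Digi manual and not Digi's firewall code: a small Python evaluator for the rule subset shown above (block with return-icmp or return-rst, pass, pass-ifup, debug, dscp and vdscp). Everything the page does not state is an assumption and is labelled as such in the code: the evaluation order and the meaning of "break end", the default for a packet that matches no rule, what pass-ifup does while the link is down, and the silent block when a return-rst rule matches a non-TCP packet. The numeric ICMP codes are taken from RFC 792, not from the page. The rule lines and packets are constructed for the demo; the two block rules are the page's own examples.

```python
"""Evaluator for the firewall-rule subset shown on this page (added example, not Digi's code).
Assumed, because the page does not say: rules run top to bottom and the last matching pass/block
wins unless a rule carries "break end" (stop there); no match means drop; pass-ifup on a down
link does not match; a return-rst rule that matches a non-TCP packet blocks silently."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Text codes the page lists for "return-icmp unreach"; numeric values are RFC 792, not from the page.
ICMP_UNREACH_CODES = {"net-unr": 0, "host-unr": 1, "proto-unr": 2, "port-unr": 3, "needfrag": 4, "srcfail": 5}

@dataclass
class Packet:
    iface: str            # as written in rules, e.g. "ppp 0" or "eth 0"
    direction: str        # "in" or "out"
    proto: str            # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dscp: int = 0
    link_up: bool = True  # ASSUMPTION: link state of iface, consulted by pass-ifup

@dataclass
class Rule:
    action: str                    # block / pass / pass-ifup / debug / dscp / vdscp
    send: Optional[tuple] = None   # ("icmp", type, code) or ("tcp-rst",), block rules only
    value: Optional[int] = None    # dscp / vdscp value
    stop: bool = False             # "break end"
    match: dict = field(default_factory=dict)  # direction/iface/proto strings, src/dst networks

def parse_rule(line: str) -> Rule:
    toks = line.split()
    rule = Rule(action=toks.pop(0))
    if rule.action in ("dscp", "vdscp"):
        rule.value = int(toks.pop(0), 0)   # decimal or 0x-prefixed hex
    while toks:
        t = toks.pop(0)
        if t == "return-icmp":
            icmp_type = toks.pop(0)
            code = toks.pop(0) if toks and (toks[0].isdigit() or toks[0] in ICMP_UNREACH_CODES) else None
            rule.send = ("icmp", icmp_type, code)   # [icmp-code] is optional
        elif t == "return-rst":
            rule.send = ("tcp-rst",)
        elif t in ("in", "out"):
            rule.match["direction"] = t
        elif t == "break" and toks and toks.pop(0) == "end":
            rule.stop = True
        elif t == "on":
            rule.match["iface"] = f"{toks.pop(0)} {toks.pop(0)}"
        elif t == "proto":
            rule.match["proto"] = toks.pop(0)
        elif t in ("from", "to"):
            if (a := toks.pop(0)) != "any":    # "any" places no constraint
                rule.match["src" if t == "from" else "dst"] = ipaddress.ip_network(a, strict=False)
        else:
            raise ValueError(f"unsupported token {t!r} in rule {line!r}")
    return rule

def matches(rule: Rule, pkt: Packet) -> bool:
    for key, want in rule.match.items():
        have = getattr(pkt, key)
        if not (ipaddress.ip_address(have) in want if key in ("src", "dst") else have == want):
            return False
    return rule.action != "pass-ifup" or pkt.link_up   # ASSUMPTION: see module docstring

@dataclass
class Verdict:
    action: str = "block"          # ASSUMPTION: default when no rule matches
    send: Optional[tuple] = None   # packet the router returns, if any
    effective_dscp: int = 0        # DSCP the packet is processed with
    fwlog: list = field(default_factory=list)  # entries a debug tag would write to FWLOG.TXT

def evaluate(rules, pkt: Packet) -> Verdict:
    v, tagged = Verdict(effective_dscp=pkt.dscp), False
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if tagged:  # debug: every later matching rule gets a log entry
            v.fwlog.append(f"{pkt.iface} {pkt.direction} {pkt.proto} {pkt.src}>{pkt.dst} {rule.action}")
        if rule.action == "debug":
            tagged = True
        elif rule.action == "dscp":    # rewrites the packet's DSCP field
            pkt.dscp = v.effective_dscp = rule.value
        elif rule.action == "vdscp":   # virtual: packet untouched, processed as if changed
            v.effective_dscp = rule.value
        elif rule.action in ("pass", "pass-ifup", "block"):
            v.action = "block" if rule.action == "block" else "pass"   # return-rst is TCP-only: otherwise the block is silent
            v.send = rule.send if rule.send and (rule.send[0] != "tcp-rst" or pkt.proto == "tcp") else None
        if rule.stop:
            break
    return v

# Constructed rule set: the page's two block examples plus rules written for this demo.
RULES = [parse_rule(r) for r in (
    "debug in on eth 0 proto tcp",
    "vdscp 46 in on eth 0 proto udp from 10.1.2.0/24 to any",
    "block return-icmp unreach in break end on ppp 0",
    "block return-rst in break end on eth 0 proto tcp from any to 10.1.2.0/24",
    "block return-rst in break end on ppp 1",
    "pass-ifup out break end on ppp 0",
    "pass in break end on eth 0",
)]
```

Feeding a UDP packet on ppp 1 through RULES shows the caveat from the text: the return-rst rule blocks it, but no reset is sent because the packet is not TCP. A UDP packet from 10.1.2.0/24 on eth 0 picks up effective_dscp 46 from the vdscp rule while pkt.dscp stays 0, and an outbound packet on ppp 0 with link_up=False falls past the pass-ifup rule to the assumed default.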