Digi TransPort - Specifying IP Addresses and Ranges
Firewall configuration
Digi TransPort User Guide 662
[inspect-state]
Used to create rules for stateful inspection. This is a powerful option in which the firewall
script includes rules that allow the router to keep track of a TCP, UDP or ICMP session and
therefore to pass only packets that match the state of a connection.
Additionally, the [inspect state] field can specify an optional OOS (Out Of Service) parameter.
This parameter allows the router to mark any route as being out-of-service for a given period
of time in the event that the stateful inspect engine has detected an error.
A full description of how the [inspect state] field works is given below under the heading
Stateful Inspection Settings parameters on page 653.
Specifying IP Addresses and ranges
The ip-range field of a firewall script rule identifies the IP address or range of addresses to which
the rule applies. The syntax for specifying an IP address range is:
ip-range = “all” | “from” ip-object “to” ip-object [ flags ] [ icmp ]
where:
ip-object = addr [port-comp | port-range]
flags = “flags” { flags } [ !{ flags } ]
icmp = “icmp-type” icmp-type [ “code” decnum ]
addr = “any” | ip-addr[ “/”decnum ] [ “mask” ip-addr | “mask” hexnum ]
port-comp = “port” compare port-num
port-range = “port” port-num “<>” port-num | “port” port-num “><” port-num
ip-addr = IP address in format nnn.nnn.nnn.nnn
decnum = a decimal number
hexnum = a hexadecimal number
compare = “=” | “!=” | “<” | “<=” | “>” | “>=”
port-num = service-name | decnum
service-name = “http” | “telnet” | “ftpdat” | “ftpcnt” | “pop3” | “ike” | “xot” | “sntp” | “smtp”
In the above syntax definition:
Items in quotes are keywords.
Items in square brackets are optional.
Items in curly braces are optional and can be repeated.
The vertical bar symbol (“|”) means or.
An ip-object consists of an IP address and an IP port specification, preceded by the keyword from
or to, which defines whether it is the source or the destination address. The most basic form of an
ip-object is an IP address preceded by from or to. For example, to block all packets destined for
address 10.1.2.98, the script rule is:
block out from any to 10.1.2.98
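As an added example (not Digi's own code), the following Python parses the ip-range production above into a structure and checks whether a packet's addresses and ports fall within it, so the rule just shown can be tested against sample traffic. The port numbers behind the service names, and the reading of “<>” as "inside the range" and “><” as "outside the range", are assumptions; the manual page defines only the syntax.

```python
import ipaddress, operator
SERVICES = {"http": 80, "telnet": 23, "ftpdat": 20, "ftpcnt": 21, "pop3": 110,
            "ike": 500, "xot": 1998, "sntp": 123, "smtp": 25}  # assumed IANA ports for the service-names
COMPARE = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
           "<=": operator.le, ">": operator.gt, ">=": operator.ge}  # the compare production
def _port(tok):
    return SERVICES[tok] if tok in SERVICES else int(tok)  # port-num = service-name | decnum
def parse_ip_object(tokens, i):
    # ip-object = addr [port-comp | port-range]; returns (ip_object, index of the next token)
    obj = {"net": None, "port": None}
    tok, i = tokens[i], i + 1
    if tok != "any":
        if i < len(tokens) and tokens[i] == "mask":  # "mask" dotted-quad or hexnum such as ffffff00
            m = tokens[i + 1]
            if "." not in m:
                m = str(ipaddress.IPv4Address(int(m, 16)))
            tok, i = f"{tok}/{m}", i + 2
        obj["net"] = ipaddress.ip_network(tok, strict=False)  # bare host, "/decnum" or "/mask"
    if i < len(tokens) and tokens[i] == "port":
        a, b = tokens[i + 1], tokens[i + 2]
        if a in COMPARE:  # port-comp: "port" compare port-num
            obj["port"], i = ("cmp", a, _port(b)), i + 3
        else:  # port-range: "port" port-num "<>" | "><" port-num
            obj["port"], i = ("range", b, _port(a), _port(tokens[i + 3])), i + 4
    return obj, i
def parse_ip_range(rule):
    # ip-range = "all" | "from" ip-object "to" ip-object [flags] [icmp]; flags/icmp are kept raw in "rest"
    tokens = rule.split()
    start = next(j for j, t in enumerate(tokens) if t in ("all", "from"))
    if tokens[start] == "all":
        return {"all": True}
    src, i = parse_ip_object(tokens, start + 1)
    if tokens[i] != "to":
        raise ValueError("expected 'to' after the source ip-object")
    dst, i = parse_ip_object(tokens, i + 1)
    return {"all": False, "src": src, "dst": dst, "rest": tokens[i:]}
def _match_obj(obj, ip, port):
    if obj["net"] is not None and ipaddress.ip_address(ip) not in obj["net"]:
        return False
    if obj["port"] is None:
        return True
    if obj["port"][0] == "cmp":
        return COMPARE[obj["port"][1]](port, obj["port"][2])
    _, op, lo, hi = obj["port"]
    inside = lo <= port <= hi  # assumption: "<>" selects ports inside lo..hi, "><" those outside it
    return inside if op == "<>" else not inside
def matches(ip_range, src_ip, src_port, dst_ip, dst_port):
    # True when the packet's source and destination both satisfy the rule's ip-range
    if ip_range["all"]:
        return True
    return _match_obj(ip_range["src"], src_ip, src_port) and _match_obj(ip_range["dst"], dst_ip, dst_port)
```

Running it on the rule above, `matches(parse_ip_range("block out from any to 10.1.2.98"), "192.0.2.10", 40000, "10.1.2.98", 443)` is true while the same packet to 10.1.2.99 is not.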