Digi TransPort - Page 663

813 pages

To Next Page

To Next Page

To Previous Page

To Previous Page

Loading...

Firewall configuration

Digi TransPort User Guide 663

An ip-object can also be specified using an address mask. This is a way of describing which bits of

the IP address are relevant when matching. The script processor supports two formats for

specifying masks.

• Method 1: The IP address is followed by a forward slash and a decimal number. The decimal

number specifies the number of significant bits in the IP address. For example, if you wanted

to block all packets in the range 10.1.2.* the rule would be:

block from any to 10.1.2.0/24

such as, only the first 24 bits of the address are significant.

• Method 2: This same rule could be described another way using the mask keyword:

block from any to 10.1.2.0 mask 255.255.255.0

The IP address can also contain either addr-ppp n or addr-eth n, where n is the eth or ppp

instance number. In this case, the rule specifies that the IP address is that allocated to the PPP

interface or to the Ethernet interface. This is useful when IP addresses are obtained automatically

and therefore are not known by the author of the filtering rules. For example:

block in break end on ppp 0 from addr-eth 0 to any

Address/Port translation

One further option for specifying addresses is to use address translation. The syntax for this is:

srcdst = “all | fromto [-> [ip-object] “to” object]

such as, directly after the IP addresses and port are specified an optional

-> can follow,

indicating that the addresses/ports should be translated. The first source object is optional, and is

unlikely to be used, as it is more normal to translate the destination address.

The following example reroutes packets originally destined for 10.10.10.12 to 10.1.2.3:

pass out break end from any to 10.10.10.12 -> to 10.1.2.3

In addition, complete subnets can have NAT applied. The address bits not covered by the subnet

mask are taken from the original IP address. For example, to NAT the destination subnet of

192.168.0.0/24 to be 192.168.1.0/24, the firewall rule is:

pass out break end from any to 192.168.0.0/24 -> to 192.168.1.0/24

Table of Contents

Related product manuals

Preview: Digi TransPort WR31

Digi TransPort WR31

Preview: Digi TransPort WR11

Digi TransPort WR11

Preview: Digi TransPort WR21

Digi TransPort WR21

Preview: Digi TransPort WR44

Digi TransPort WR44

Preview: Digi TransPort WR41

Digi TransPort WR41

Preview: Digi TransPort LR54

Digi TransPort LR54

Preview: Digi IR4420

Digi Connect WAN

Preview: Digi Connect Series

Digi Connect Series

Digi AnywhereUSB/14

Digi ConnectPort X2e ZB

Preview: Digi AnywhereUSB Series

Digi AnywhereUSB Series