Hirschmann BAT54-Rail - Page 292

548 pages
Firewall: 8.3 The BAT Firewall
BAT54-Rail/F.., Release 7.54, 06/08
Action table
As described above, a Firewall action consists of a condition, a limit, a packet action and further measures. In the action table, Firewall actions are composed as any combination of the following elements:
- Conditions

| Condition | Description | Object ID |
|---|---|---|
| Connect filter | The filter is active when no physical connection to the packet destination exists. | @c |
| DiffServ filter | The filter is active when the packet contains the indicated Differentiated Services Code Point (DSCP) (see ’Evaluating ToS and DiffServ fields’, page 325). | @d (plus DSCP) |
| Internet filter | The filter is active when the packet is received or will be transmitted via default route. | @i |
| VPN filter | The filter is active when the packet is received or will be transmitted via VPN connection. | @v |

If no further actions are specified in a “connect” or “Internet” filter, then a combination of these filters with the “reject” action is implicitly assumed.

- Limits/Trigger

Each Firewall action can be tied to a limit; exceeding the limit triggers the action. Several limits for one filter can also build action chains.

Limit objects are generally introduced by %L, followed by:
  - Reference: per connection (c) or globally (g)
  - Kind: data rate (d), number of packets (p) or packet rate (b)
  - Value of the limit
  - Further parameters (e.g. period and quantity)

The following limitations are available:

| Limit | Description | Object ID |
|---|---|---|
| Data (abs) | Absolute number of kilobytes on the connection after which the action is executed. | %lcd |
| Data (rel) | Number of kilobytes/second, minute, hour on the connection after which the action is executed. | %lcds, %lcdm, %lcdh |
| Packet (abs) | Absolute number of packets on the connection after which the action is executed. | %lcp |
| Packet (rel) | Number of packets/second, minute, hour on the connection after which the action is executed. | %lcps, %lcpm, %lcph |
| Global data (abs) | Absolute number of kilobytes received from the destination station or sent to it, after which the action is executed. | %lgd |
