Filter Rule Format

Filter rules contain the following fields, each separated by a single space (the two port fields each consist of an operator followed by a port number, so they take two words apiece):


  1. Rule Action
  2. Source IP Address
  3. Source Address Mask
  4. Destination IP Address
  5. Destination Address Mask
  6. Protocol
  7. Source Port
  8. Destination Port
  9. Interface
  10. Routing
  11. Direction
  12. Log Control (optional)
  13. Fragmentation Control (optional)
  14. Tunnel ID (optional)

The sections below list the possible values for each field.


Rule action

  Value    Description
  permit   Packets matching the rest of the fields in the rule definition are allowed through the firewall
  deny     Packets matching the rest of the fields in the rule definition are blocked by the firewall

Source / Destination IP address

  Value    Description
  x.x.x.x  A valid IP address in dotted decimal format, e.g. 192.168.42.50

Source / Destination address mask

  Value    Description
  x.x.x.x  A mask in dotted decimal format, e.g. 255.255.255.0. It is applied as a bitwise AND to both the rule's address and the packet's address, and the packet matches when the two masked values are equal. 255.255.255.255 therefore matches a single host, 255.255.255.0 matches the whole /24 containing the rule address, and 0.0.0.0 matches any address.

Protocol

  Value    Description
  all      Matches all protocols
  icmp     Matches ICMP packets
  udp      Matches UDP packets
  tcp      Matches TCP packets
  tcp/ack  Matches TCP packets with the acknowledgement (ACK) bit set. The first packet of a TCP connection (the SYN) has ACK clear, so a tcp/ack rule admits the replies belonging to connections opened from the other side without admitting new connections in this direction.
  ipsp     Matches IPSP packets

Source / Destination port

Each port field is an operator followed by a port number.

  Value           Description
  any 0           Matches any port number (the number after any is ignored and is written as 0)
  eq (port no.)   Matches the specified port number, e.g. eq 301
  neq (port no.)  Matches any port number other than that specified
  lt (port no.)   Matches any port number less than that specified
  gt (port no.)   Matches any port number greater than that specified
  le (port no.)   Matches any port number less than or equal to that specified
  ge (port no.)   Matches any port number greater than or equal to that specified

Interface

  Value       Description
  secure      Matches packets flowing through a secure interface
  non-secure  Matches packets flowing through a non-secure interface
  both        Matches all packets

Routing

  Value   Description
  local   Matches packets flowing to or from the firewall itself
  route   Matches packets being routed through the firewall
  both    Matches all packets

Direction

  Value     Description
  inbound   Matches packets arriving at the firewall on the specified interface
  outbound  Matches packets leaving the firewall through the specified interface
  both      Matches all packets

Log control (optional)

  Value  Description
  l=yes  Logs packets matching the rule (the default for deny rules)
  l=no   Does not log packets matching the rule (the default for permit rules)

Fragmentation control (optional)

  Value   Description
  f=yes   Matches headers, fragments and non-fragmented packets
  f=no    Matches only non-fragmented packets
  f=only  Matches only headers and fragments

Tunnel ID (optional)

  Value          Description
  t=(tunnel id)  Identifies the tunnel through which a matching packet must be sent
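
As an added example (not part of the original page and not the firewall product's own code), the following Python parses rules in this format and evaluates a packet against them, exercising every field described above: address masking as a bitwise AND, the port operators, the tcp/ack check, and the log-control defaults. The Packet model, the constructed sample rule set, and the first-match evaluation ending in a logged implicit deny are assumptions made for the example, since the page specifies only the rule format and not how a rule set is evaluated; treating f=yes as the default when the fragmentation field is omitted is likewise an assumption.

```python
"""Parser and first-match evaluator for the filter-rule format described above (added example,
not the firewall's own code).  Assumed, since the page does not say: rules are tried top to bottom
and the first match decides, an unmatched packet is denied and logged, and f=yes is the default."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port operators: (packet port, rule port number) -> bool.  "any" ignores the number (written 0).
PORT_OPS = {"any": lambda p, n: True, "eq": lambda p, n: p == n, "neq": lambda p, n: p != n,
            "lt": lambda p, n: p < n, "gt": lambda p, n: p > n,
            "le": lambda p, n: p <= n, "ge": lambda p, n: p >= n}
PROTOCOLS = {"all", "icmp", "udp", "tcp", "tcp/ack", "ipsp"}
INTERFACES, ROUTINGS = {"secure", "non-secure", "both"}, {"local", "route", "both"}
DIRECTIONS, FRAG = {"inbound", "outbound", "both"}, {"yes", "no", "only"}

@dataclass
class Rule:
    action: str
    src: tuple              # (address, mask) as 32-bit ints
    dst: tuple
    proto: str
    sport: tuple            # (operator, port number)
    dport: tuple
    iface: str
    routing: str
    direction: str
    log: bool
    frag: str
    tunnel: Optional[int]   # t= names the tunnel to send through; it is not a match field

@dataclass
class Packet:               # one packet as seen at one interface crossing (constructed model)
    src: str
    dst: str
    proto: str              # "tcp", "udp", "icmp" or "ipsp"
    sport: int = 0
    dport: int = 0
    ack: bool = False       # TCP ACK bit
    iface: str = "secure"
    routing: str = "route"
    direction: str = "inbound"
    fragment: bool = False  # True for a fragment or a fragment header

def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def parse_rule(line: str) -> Rule:
    """Parse one rule line, rejecting anything outside the documented grammar."""
    t = line.split()        # 11 fields, but each port field is two tokens, so 13 tokens minimum
    ports = [(t[6], int(t[7])), (t[8], int(t[9]))] if len(t) >= 13 else []
    if len(t) < 13 or not (t[0] in ("permit", "deny") and t[5] in PROTOCOLS and t[10] in INTERFACES
                           and t[11] in ROUTINGS and t[12] in DIRECTIONS
                           and all(op in PORT_OPS and 0 <= n <= 65535 for op, n in ports)):
        raise ValueError(f"malformed rule: {line!r}")
    src, dst = (_addr(t[1]), _addr(t[2])), (_addr(t[3]), _addr(t[4]))
    opts = dict(o.partition("=")[::2] for o in t[13:])   # optional l=, f=, t= in any order
    if (set(opts) - {"l", "f", "t"} or opts.get("l", "no") not in ("yes", "no")
            or opts.get("f", "yes") not in FRAG or not opts.get("t", "0").isdigit()):
        raise ValueError(f"bad optional field in {line!r}")
    log = opts["l"] == "yes" if "l" in opts else t[0] == "deny"   # page: deny logs by default
    frag = opts.get("f", "yes")                                  # default f=yes is an assumption
    tunnel = int(opts["t"]) if "t" in opts else None
    return Rule(t[0], src, dst, t[5], ports[0], ports[1], t[10], t[11], t[12], log, frag, tunnel)

def matches(r: Rule, p: Packet) -> bool:
    """True when the packet satisfies every field of the rule."""
    for addr, (rule_addr, mask) in ((p.src, r.src), (p.dst, r.dst)):
        if (_addr(addr) & mask) != (rule_addr & mask):   # the mask is a bitwise AND on both sides
            return False
    if r.proto == "tcp/ack" and not (p.proto == "tcp" and p.ack):   # never matches a bare SYN
        return False
    if r.proto not in ("all", "tcp/ack") and r.proto != p.proto:
        return False
    if not (PORT_OPS[r.sport[0]](p.sport, r.sport[1]) and PORT_OPS[r.dport[0]](p.dport, r.dport[1])):
        return False
    for want, have in ((r.iface, p.iface), (r.routing, p.routing), (r.direction, p.direction)):
        if want != "both" and want != have:
            return False
    if (r.frag == "no" and p.fragment) or (r.frag == "only" and not p.fragment):
        return False
    return True

def evaluate(rules, p: Packet) -> dict:
    """First-match evaluation (assumption); implicit logged deny when nothing matches."""
    for i, r in enumerate(rules):
        if matches(r, p):
            return {"action": r.action, "log": r.log, "tunnel": r.tunnel, "rule": i}
    return {"action": "deny", "log": True, "tunnel": None, "rule": None}

# Constructed rule set: the secure 192.168.42.0/24 network may reach web servers, and only replies
# (ACK set) come back in; everything else is denied and logged.
SAMPLE_RULES = [parse_rule(l) for l in """
permit 192.168.42.0 255.255.255.0 0.0.0.0 0.0.0.0 tcp gt 1023 eq 80 secure route inbound
permit 192.168.42.0 255.255.255.0 0.0.0.0 0.0.0.0 tcp gt 1023 eq 80 non-secure route outbound
permit 0.0.0.0 0.0.0.0 192.168.42.0 255.255.255.0 tcp/ack eq 80 gt 1023 non-secure route inbound
permit 0.0.0.0 0.0.0.0 192.168.42.0 255.255.255.0 tcp/ack eq 80 gt 1023 secure route outbound
deny 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 all any 0 any 0 both both both l=yes
""".strip().splitlines()]
```

evaluate(SAMPLE_RULES, Packet(...)) returns the disposition of the first matching rule. The sample set shows the usual pairing: a plain tcp permit on the request side and a tcp/ack permit on the reply side, so a reply from a web server matches rule 2 while an unsolicited SYN from the non-secure side (ACK clear) falls through to the final deny and is logged. The parser rejects out-of-range port numbers, unknown protocols and unknown optional fields rather than silently producing a rule that matches less than intended.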
