Filter rules 15.2.3 – Westermo MR Series User Manual

Page 393


6622-3201

Web Interface and Command Line Reference Guide

www.westermo.com

15.2.3 Filter Rules

The syntax for a filter rule is:

[action] [in-out] [options] [tos] [proto] [dnslist] [ip-range] [inspect-state]

When the firewall is active, the script is processed one line at a time as each packet is received or
transmitted. Even when a packet matches a filter rule, processing continues and all the other filter
rules are checked until the end of the script is reached. The action taken for a particular packet is
the one specified by the last matching rule. With the break option, however, script processing can be
redirected to a new location or to the end of the script if required. The default action that the
firewall assigns to a packet is block, so a packet that does not match any of the rules is blocked.
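
Because the last matching rule decides, a broad rule placed late in the script overrides every narrower rule before it. The following Python model is an added example, not code from this manual or from Westermo: the Rule record and its fields are a simplified, hypothetical stand-in for the script syntax, break is modelled only in its jump-to-end form, and the rule sets are constructed samples.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:                        # hypothetical model, not the MR script syntax
    action: str                    # "block" or "pass"
    proto: str                     # "tcp", "udp" or "any"
    dst: str                       # destination network in CIDR form
    port: Optional[int] = None     # destination port, None means any port
    brk_end: bool = False          # simplified break: jump to end of script on match

    def matches(self, pkt):
        return (self.proto in ("any", pkt["proto"])
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.port in (None, pkt["port"]))

def verdict(rules, pkt):
    """Return (action, index of deciding rule); unmatched packets are blocked."""
    action, hit = "block", None
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            action, hit = rule.action, i   # a later match replaces an earlier one
            if rule.brk_end:
                break                      # nothing after this rule is evaluated
    return action, hit

def covers(later, earlier):
    """True if every packet matched by `earlier` is also matched by `later`."""
    return (later.proto in ("any", earlier.proto)
            and ip_network(earlier.dst).subnet_of(ip_network(later.dst))
            and later.port in (None, earlier.port))

def overridden(rules):
    """Indexes of rules that can never decide a packet: a later rule covers them."""
    return [i for i, r in enumerate(rules)
            if not r.brk_end and any(covers(l, r) for l in rules[i + 1:])]

# Constructed sample: the broad pass at the end silently undoes the Telnet block.
RULES = [Rule("block", "tcp", "10.0.0.0/24", 23),
         Rule("pass", "tcp", "10.0.0.0/24", 443),
         Rule("pass", "any", "10.0.0.0/8")]
# Same rules reordered so the narrow rules come last and therefore win.
FIXED = [RULES[2], RULES[0], RULES[1]]
TELNET = {"proto": "tcp", "dst": "10.0.0.5", "port": 23}

if __name__ == "__main__":
    print(verdict(RULES, TELNET), overridden(RULES))
    print(verdict(FIXED, TELNET), overridden(FIXED))
```
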

The various fields of a script rule are described below:

[action]
The [action] field may be specified as block, pass, pass-ifup, dscp, vdscp or debug. These operate as
follows:

block:

The block action prevents a packet from being allowed through the firewall. When block is specified
an optional field can be included that will cause an ICMP packet to be returned to the interface
from which that packet was received. This technique is sometimes used to confuse hackers by having
different responses to different packets or for fooling an attacker into thinking a service is not
present on a network.

The syntax for specifying the return of an ICMP packet is:

“return-icmp” [icmp-type [icmp-code]]

where [icmp-type] is a decimal number representing the ICMP type or can be one of the predefined
text codes listed in the following table:

ICMP type value    ICMP type
1                  Unreach
2                  Echo
3                  Echorep
4                  squench
5                  redir
6                  timex
7                  paraprob
8                  timest
9                  timestrap
10                 inforeq
11                 inforep
12                 maskreg
13                 maskrep
14                 routerad
15                 routersol
