Westermo MR Series User Manual

Page 396


6622-3201

Web Interface and Command Line Reference Guide

www.westermo.com

oosed:

The oosed option is used to check the out-of-service status of an interface. For example, including the option oosed ppp 1 would cause the rule to match only if interface PPP 1 is out of service.

[tos]
The [tos] field may be used to specify the Type of Service (TOS) to match. If included, the [tos]
field consists of the keyword tos followed by a decimal or hexadecimal code identifying the TOS to
match. For example, to block any inbound packet on PPP 0 with a TOS of 0 you would use a rule
such as:

block in on ppp 0 tos 0

[proto]
The [proto] field is used to specify a protocol to match and consists of the proto keyword followed
by one of the following protocol identifiers:

Identifier        Meaning
tcp, udp          TCP or UDP packet
udp               UDP packet
tcp               TCP packet
ftp               FTP packets regardless of port number
icmp              ICMP packet
decimal number    decimal number matched to protocol type in IP header

The [proto] field is also important when “stateful” inspection is enabled for a rule (using the [inspect-state] field), as it describes the protocol to inspect (see [inspect-state] below).

[dnslist]
The [dnslist] field is used to match packets that contain DNS names that are in a given dnslist. The dnslist keyword must be followed by the name of a dnslist defined with the #dns command. For example, say we have the following dnslist:

#dns gglist www.Westermo.co.*,www.*.co.nz

Then the following firewall rule will block all DNS lookups for DNS names matching the above list:

block out break end on ppp 1 proto udp dnslist gglist from any to any port=dns

[ip-range]
The [ip-range] field is used to describe the range of IP addresses and ports to match upon and may
be specified in one of several ways. The basic syntax is:

ip-range = “all” | “from” ip-object “to” ip-object [flags] [icmp]

where ip-object is an IP address specification. Full details of the syntax with examples are given
under the heading “Specifying IP Addresses and Address Ranges” below.
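To make the matching semantics of the fields above concrete, here is an added example (not Westermo's own firewall engine, and covering only the hypothetical subset of the rule grammar shown on this page) that parses a #dns line and rules using tos, proto, dnslist, oosed and from/to, then evaluates constructed packets against them. The packet dictionary layout and the service-name table are assumptions made for the example.

```python
import fnmatch

PROTO_NUMS = {"1": "icmp", "6": "tcp", "17": "udp"}  # decimal proto numbers -> names
SERVICES = {"dns": 53}                                # service names allowed in port=

def parse_dns(line, dnslists):
    # "#dns NAME pat1,pat2" -> dnslists[NAME] = [pat1, pat2] (lower-cased wildcards)
    _, name, pats = line.split(None, 2)
    dnslists[name] = [p.strip().lower() for p in pats.split(",")]

def parse_rule(line):
    # Turn one rule line into a dict of match criteria (hypothetical subset grammar).
    t = line.split()
    rule, i = {"action": t[0]}, 1
    while i < len(t):
        if t[i] in ("in", "out"):
            rule["dir"], i = t[i], i + 1
        elif t[i] in ("break", "end"):           # flow-control keywords, not criteria
            i += 1
        elif t[i] in ("on", "oosed"):            # interface given as two tokens, e.g. ppp 1
            rule[t[i]], i = f"{t[i+1]} {t[i+2]}", i + 3
        elif t[i] == "tos":                       # decimal or hex (0x..) TOS value
            rule["tos"], i = int(t[i+1], 0), i + 2
        elif t[i] in ("proto", "dnslist"):
            rule[t[i]], i = t[i+1], i + 2
        elif t[i] == "from":                      # from SRC to DST
            rule["src"], rule["dst"], i = t[i+1], t[i+3], i + 4
        elif t[i].startswith("port="):
            v = t[i][5:]
            rule["dport"], i = (SERVICES[v] if v in SERVICES else int(v)), i + 1
        else:
            raise ValueError(f"unknown keyword {t[i]!r}")
    return rule

def matches(rule, pkt, dnslists, oos=frozenset()):
    # Every criterion present in the rule must hold; absent criteria match anything.
    # pkt: constructed dict with dir, iface, proto, src, dst, optional tos/dport/dns_name.
    return all([
        rule.get("dir") == pkt["dir"],
        rule.get("on", pkt["iface"]) == pkt["iface"],
        "oosed" not in rule or rule["oosed"] in oos,         # oos: interfaces out of service
        "tos" not in rule or rule["tos"] == pkt.get("tos"),
        "proto" not in rule or PROTO_NUMS.get(rule["proto"], rule["proto"]) == pkt["proto"],
        "dnslist" not in rule or any(fnmatch.fnmatchcase(pkt.get("dns_name", "").lower(), p)
                                     for p in dnslists[rule["dnslist"]]),
        "dport" not in rule or rule["dport"] == pkt.get("dport"),
        rule.get("src", "any") in ("any", pkt["src"]),
        rule.get("dst", "any") in ("any", pkt["dst"]),
    ])

def first_match(rules, pkt, dnslists, oos=frozenset()):
    return next((r["action"] for r in rules if matches(r, pkt, dnslists, oos)), None)
```

Note that first_match returns None when no rule matches; what the unit does in that case is governed by the firewall's default policy, not by this snippet.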

[inspect-state]
The [inspect-state] field is used to create rules for “stateful inspection”. This is a powerful option in which the firewall script includes rules that allow the unit to keep track of a TCP/UDP or ICMP session and therefore to only pass packets that match the state of a connection.

Additionally, the [inspect-state] field can specify an optional OOS (Out Of Service) parameter. This parameter allows the unit to mark any route as being out-of-service for a given period of time in the event that the stateful inspection engine has detected an error.

A full description of how the [inspect-state] field works is given below under the heading “Stateful Inspection”.
