Specifying ip addresses and ranges 15.3 – Westermo MR Series User Manual

397

6622-3201

Web Interface and Command Line Reference Guide

www.westermo.com

Specifying IP Addresses and Ranges

15.3

The ip-range field of a firewall script rule identifies the IP address or range of addresses to which
the rule applies. The syntax for specifying an IP address range is:

ip-range = “all” | “from” ip-object “to” ip-object [ flags ] [ icmp ]

where:

ip-object = addr [port-comp | port-range]

flags = “flags” { flags } [ !{ flags } ]

icmp = “icmp-type” icmp-type [ “code” decnum ]

addr = “any” | ip-addr[ “/”decnum ] [ “mask” ip-addr | “mask” hexnum ]

port-comp = “port” compare port-num

port-range = “port” port-num “<>” | “><” port-num

ip-addr = IP address in format nnn.nnn.nnn.nnn

decnum = a decimal number

hexnum = a hexadecimal number

compare = “=” | “!=” | “<” | “<=” | “>” | “>=”

port-num = service-name | decnum

service-name = “http” | “telnet” | “ftpdat” | “ftpcnt” | “pop3” | “ike” | “xot”

| “sntp” | “smtp”

In the above syntax definition:

items in quotes are keywords

•

items in square brackets are optional

•

items in curly braces are optional and can be repeated

•

the vertical bar symbol (“|”) means “or”

•

An ip-objecttherefore consists of an IP address and an IP port specification, preceded by the key-
word from or to to define whether it is the source or destination address. The most basic form for
an ip-object is simply an IP address preceded by from or to. For example, to block all packets des-
tined for address 10.1.2.98 the script rule would be:

block out from any to 10.1.2.98

An ip-object can also be specified using an address mask. This is a way of describing which bits of
the IP address are relevant when matching. The script processor supports two formats for specifying
masks.

Method 1: The IP address is followed by a forward slash and a decimal number. The decimal number
specifies the number of significant bits in the IP address. For example, if you wanted to block all
pack ets in the range 10.1.2.* the rule would be:

block from any to 10.1.2.0/24

i.e. only the first 24 bits of the address are significant.
Method 2: This same rule could be described another way using the mask keyword:

block from any to 10.1.2.0 mask 255.255.255.0

The IP address can also contain either “addr-ppp n” or “addr-eth n” where “n” is the eth or ppp
instance number. In this case the rule is specifying that the IP address is that allocated to the PPP
interface or to the Ethernet interface. This is useful in the situation were IP addresses are obtained
automatically and therefore are not known by the author of the filtering rules. For example:

block in break end on ppp 0 from addr-eth 0 to any