Address/port translation 15.4, Filtering on port numbers 15.5 – Westermo MR Series User Manual


398   6622-3201   Web Interface and Command Line Reference Guide   www.westermo.com

15.4 Address/Port Translation

One further option available when specifying addresses is address translation. The
syntax for this is:

srcdst = “all | fromto [-> [ip-object] “to” object]

That is, directly after the IP addresses and port are specified, an optional “->” can follow, indicating
that the addresses/ports should be translated. The first (source) object is optional and is unlikely to
be used, as it is more usual to translate the destination address. The following example reroutes
packets originally destined for 10.10.10.12 to 10.1.2.3:

pass out break end from any to 10.10.10.12 -> to 10.1.2.3

In addition, complete subnets can have NAT applied: the address bits not covered by the subnet
mask are taken from the original IP address. For example, to NAT the destination subnet
192.168.0.0/24 to 192.168.1.0/24, the firewall rule is:

pass out break end from any to 192.168.0.0/24 -> to 192.168.1.0/24

15.5 Filtering on Port Numbers

Now let us say there is a Telnet server running on a machine at IP address 10.1.2.63 and you
wish to make it accessible. Using the filter from the previous example would block all packets to
10.1.2.*. To make the Telnet server on 10.1.2.63 available, we need to add the following line in front
of the blocking rule:

pass break end from any to 10.1.2.63 port=23

So, a packet being sent to the Telnet server (port 23) on IP address 10.1.2.63 will match this rule
and further checking is prevented by the break end option.

The above example illustrates the “=” comparison. Other comparison methods supported are:

Symbol   Meaning
!=       not equal
>        greater than
<        less than
<=       less than or equal to
>=       greater than or equal to

It is also possible to specify a port in range or a port out of range with the “><” or “<>” symbols
respectively. For example, to pass all packets to ports in the range 23 to 28, the rule would be:

pass break end from any to 10.1.2.63 port 23><28

To simplify references to ports, some commonly used port numbers are associated with the
predefined strings listed in the table below. For instance, in the example above the number 23
could be replaced with the string telnet, giving the rule:

pass break end from any to 10.1.2.63 port=telnet
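The following is an added example, not Westermo code and not part of this manual: a small Python evaluator for the rule forms shown in sections 15.4 and 15.5, so the first-match ordering with “break end”, the subnet NAT that keeps the host bits of the original address, the port comparison operators (including the “><” and “<>” range forms) and the telnet port name can be checked against sample packets. Assumptions made here: a packet matching no rule is blocked by default; the `block` action and the 10.1.2.0/24 blocking rule are constructed to stand in for the “blocking rule” the text refers to; the names `ssh` and `http` are illustrative additions to the page's `telnet`; the in/out direction and the optional source NAT object are parsed but ignored.

```python
"""Toy evaluator for the firewall rule syntax described on this page (not Westermo code)."""
import ipaddress

# "telnet" is the only name the page gives; "ssh" and "http" are assumed for illustration.
PORT_NAMES = {"telnet": 23, "ssh": 22, "http": 80}


def resolve_port(text):
    """Turn '23' or a predefined name such as 'telnet' into an integer port number."""
    return PORT_NAMES[text] if text in PORT_NAMES else int(text)


def port_matches(spec, port):
    """Evaluate a port expression ('=23', '!=23', '>1023', '23><28' in-range,
    '23<>28' out-of-range, '=telnet') against a destination port."""
    for rng in ("><", "<>"):
        if rng in spec:
            lo, hi = (resolve_port(p) for p in spec.split(rng))
            inside = lo <= port <= hi
            return inside if rng == "><" else not inside
    # two-character operators must be tested before their one-character prefixes
    for op in ("!=", "<=", ">=", "=", "<", ">"):
        if spec.startswith(op):
            value = resolve_port(spec[len(op):])
            return {"=": port == value, "!=": port != value, "<": port < value,
                    ">": port > value, "<=": port <= value, ">=": port >= value}[op]
    raise ValueError(f"bad port expression: {spec}")


def addr_matches(obj, addr):
    """'any' matches everything; otherwise obj is a host address or a CIDR network."""
    return obj == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(obj, strict=False)


def translate(obj, new_obj, addr):
    """NAT addr from network obj to new_obj. Host bits not covered by the subnet
    mask are copied from the original address, as the page describes."""
    old = ipaddress.ip_network(obj, strict=False)
    new = ipaddress.ip_network(new_obj, strict=False)
    host_bits = int(ipaddress.ip_address(addr)) & int(old.hostmask)
    return str(ipaddress.ip_address(int(new.network_address) | host_bits))


def parse_rule(text):
    """Parse 'pass|block [in|out] [break end] from A to B [port<cmp>V] [-> [A'] to B']'.
    Direction and the optional source NAT object are ignored (assumption)."""
    toks = text.split()
    rule = {"action": toks[0], "break": "break" in toks, "src": "any", "dst": "any",
            "port": None, "nat_dst": None}
    if "->" in toks:
        cut = toks.index("->")
        toks, nat = toks[:cut], toks[cut + 1:]
        rule["nat_dst"] = nat[nat.index("to") + 1]
    for i, tok in enumerate(toks):
        if tok == "from":
            rule["src"] = toks[i + 1]
        elif tok == "to":
            rule["dst"] = toks[i + 1]
        elif tok == "port":                 # 'port 23><28' form
            rule["port"] = toks[i + 1]
        elif tok.startswith("port"):        # 'port=23' form
            rule["port"] = tok[4:]
    return rule


def evaluate(rules, src, dst, dport):
    """Walk the rules in order. A matching rule sets the decision (and any NAT);
    'break end' stops further checking. Default when nothing matches: block (assumption).
    Returns (action, destination address after translation)."""
    decision, out_dst = "block", dst
    for rule in rules:
        if not (addr_matches(rule["src"], src) and addr_matches(rule["dst"], dst)):
            continue
        if rule["port"] is not None and not port_matches(rule["port"], dport):
            continue
        decision = rule["action"]
        if rule["nat_dst"]:
            out_dst = translate(rule["dst"], rule["nat_dst"], dst)
        if rule["break"]:
            break
    return decision, out_dst


# Constructed rule set: the page's Telnet exception placed in front of an
# assumed blocking rule for 10.1.2.0/24, followed by the page's subnet NAT rule.
RULES = [parse_rule(r) for r in (
    "pass break end from any to 10.1.2.63 port=telnet",
    "block break end from any to 10.1.2.0/24",
    "pass out break end from any to 192.168.0.0/24 -> to 192.168.1.0/24",
)]

if __name__ == "__main__":
    for pkt in (("10.0.0.5", "10.1.2.63", 23), ("10.0.0.5", "10.1.2.63", 80),
                ("10.0.0.5", "192.168.0.57", 443)):
        print(pkt, "->", evaluate(RULES, *pkt))
```

The ordering in `RULES` is the point the section makes: because the Telnet exception carries “break end” and sits before the blocking rule, a packet to 10.1.2.63 port 23 passes without the blocking rule ever being consulted, while port 80 to the same host falls through to it.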
