Digi TransPort WR31 User Manual page 700

Configure security settings
[proto]
The protocol to match. Specify using the proto keyword followed by one of the following
protocol identifiers:
Identifier        Meaning
udp               UDP packet
tcp               TCP packet
ftp               FTP packets regardless of port number
icmp              ICMP packet
decimal number    decimal number matched to protocol type in IP header
The [proto] field is also important when stateful inspection is enabled for a rule (using the
[inspect-state] field), as it describes the protocol to inspect (see [inspect-state] below).
[dnslist]
Match packets containing DNS names in a given dnslist. The dnslist keyword must be followed by
the name of a DNS list as specified by the #dns command. For example, consider the following DNS
list:
#dns gglist www.Digi.co.*,www.*.co.nz
The following firewall rule blocks all DNS lookups for DNS names matching the above list:
block out break end on ppp 1 proto udp dnslist gglist from any to any port=dns
[ip-range]
The range of IP addresses and ports to match, which may be specified in one of several ways.
The basic syntax is:
ip-range="all" | "from" ip-object "to" ip-object [flags] [icmp]
where ip-object is an IP address specification. For full details of the syntax with examples, see
Specifying IP addresses and ranges.
[inspect-state]
Creates rules for stateful inspection. This is a powerful option in which the firewall script
includes rules that allow the router to keep track of a TCP/UDP or ICMP session and therefore to
only pass packets that match the state of a connection.
Additionally, the [inspect-state] field can specify an optional OOS (Out Of Service) parameter.
This parameter allows the router to mark any route as being out-of-service for a given period of
time in the event that the stateful inspect engine has detected an error.
A full description of how the [inspect-state] field works is given below under the heading
Stateful Inspection Settings parameters.
Digi TransPort WR Routers User Guide
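A pre-deployment check for the [proto] and [dnslist] fields described above, as an added example that is not part of the Digi guide or firmware. It assumes the #dns definition and the rules sit in one script, that * matches any run of characters and case is ignored (the page does not spell out the wildcard semantics), and the function names are hypothetical.

```python
import re
from fnmatch import fnmatchcase

PROTO_KEYWORDS = {"udp", "tcp", "ftp", "icmp"}  # identifiers from the [proto] table

# Constructed sample: lines 1-2 are the page's example, line 3 has deliberate mistakes.
SCRIPT = """\
#dns gglist www.Digi.co.*,www.*.co.nz
block out break end on ppp 1 proto udp dnslist gglist from any to any port=dns
block out break end on ppp 1 proto upd dnslist adlist from any to any port=dns
"""

def parse_dns_lists(script):
    """Collect '#dns <name> <pattern>,<pattern>,...' definitions, lower-cased."""
    lists = {}
    for line in script.splitlines():
        m = re.match(r"\s*#dns\s+(\S+)\s+(\S+)", line)
        if m:
            lists[m.group(1)] = [p.lower() for p in m.group(2).split(",") if p]
    return lists

def lint_rule(rule, dns_lists):
    """Return problems found in one rule's [proto] and [dnslist] fields."""
    problems = []
    tokens = rule.split()
    for keyword, arg in zip(tokens, tokens[1:]):
        if keyword == "proto":
            # A decimal value is compared with the 8-bit protocol field of the IP header.
            numeric = arg.isascii() and arg.isdigit() and int(arg) <= 255
            if arg not in PROTO_KEYWORDS and not numeric:
                problems.append(f"unknown proto identifier: {arg}")
        elif keyword == "dnslist" and arg not in dns_lists:
            problems.append(f"dnslist {arg} has no #dns definition")
    return problems

def matches(name, patterns):
    """Assumption: '*' matches any run of characters and case is ignored."""
    name = name.lower().rstrip(".")
    return any(fnmatchcase(name, p) for p in patterns)

if __name__ == "__main__":
    dns_lists = parse_dns_lists(SCRIPT)
    for rule in SCRIPT.splitlines()[1:]:
        print(lint_rule(rule, dns_lists) or "ok", "<-", rule)
    for name in ("WWW.DIGI.CO.UK", "www.example.co.nz", "www.digi.com"):
        print(name, "listed" if matches(name, dns_lists["gglist"]) else "not listed")
```

Under the stated wildcard assumption, a trailing * also covers names with extra labels after www.digi.co., so it is worth running the names you expect to stay reachable through matches() before loading the list.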
