Digi TransPort WR31 User Manual page 701

Configure security settings
Specifying IP addresses and ranges
The ip-range field of a firewall script rule identifies the IP address or range of addresses to which the
rule applies. The syntax for specifying an IP address range is:
ip-range = "all" | "from" ip-object "to" ip-object [ flags ] [ icmp ]
where:
ip-object = addr [port-comp | port-range]
flags = "flags" { flags } [ !{ flags } ]
icmp = "icmp-type" icmp-type [ "code" decnum ]
addr = "any" | ip-addr[ "/"decnum ] [ "mask" ip-addr | "mask" hexnum ]
port-comp = "port" compare port-num
port-range = "port" port-num "<>" | "><" port-num
ip-addr = IP address in format nnn.nnn.nnn.nnn
decnum = a decimal number
hexnum = a hexadecimal number
compare = "=" | "!=" | "<" | "<=" | ">" | ">="
port-num = service-name | decnum
service-name = "http" | "telnet" | "ftpdat" | "ftpcnt" | "pop3" |
"ike" | "xot"| "sntp" | "smtp"
In the above syntax definition:
Items in quotes are keywords.
Items in square brackets are optional.
Items in curly braces are optional and can be repeated.
The vertical bar symbol ("|") means or.
An ip-object consists of an IP address and an optional port specification, preceded by the keyword from or
to, which defines whether it is the source or the destination address. The most basic form of an ip-object is an
IP address preceded by from or to. For example, to block all outbound packets destined for address 10.1.2.98,
the script rule is:
block out from any to 10.1.2.98
You can specify an ip-object using an address mask, which describes which bits of the IP address are
relevant when matching. The script processor supports two formats for specifying masks:
Method 1: The IP address is followed by a forward slash and a decimal number. The decimal
number is the number of significant (leading) bits in the IP address. For example, to block all packets
destined for the range 10.1.2.*, the rule is:
block from any to 10.1.2.0/24
that is, only the first 24 bits of the address are significant.
Method 2: The same rule can be written using the mask keyword:
block from any to 10.1.2.0 mask 255.255.255.0
The IP address can also be given as addr-ppp n or addr-eth n, where n is the PPP or Ethernet instance
number. The rule then refers to whatever address is currently allocated to that PPP or Ethernet
interface. This is useful when IP addresses are obtained automatically and are therefore not known to
the author of the filtering rules. For example, the following rule blocks packets arriving on ppp 0 whose
source address is the address assigned to eth 0 (a packet from the WAN side claiming a local source address):
block in break end on ppp 0 from addr-eth 0 to any
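The following is an added example, not Digi code and not the router's own script processor: a small Python matcher for the ip-range part of a script rule, covering all, from/to with any, the two mask formats (CIDR prefix and the mask keyword), port comparisons and port ranges, and addr-eth n / addr-ppp n substitution. The interface address table and the sample rules are constructed for the demonstration; the meaning of the port-range separators is assumed to follow IPFilter (>< matches ports strictly inside the range, <> strictly outside), since this page does not spell it out, and a hexadecimal mask is assumed to be written as 0xffffff00 or ffffff00. flags and icmp-type clauses are accepted but not interpreted.

```python
import ipaddress

# Service names the grammar accepts, mapped to their IANA port numbers.
SERVICE_PORTS = {"http": 80, "telnet": 23, "ftpdat": 20, "ftpcnt": 21,
                 "pop3": 110, "ike": 500, "xot": 1998, "sntp": 123, "smtp": 25}

# Constructed stand-in for the router's interface address table (assumption:
# a real TransPort resolves addr-eth n / addr-ppp n from its live configuration).
IFACE_ADDRS = {"eth 0": "192.168.1.1", "ppp 0": "203.0.113.7"}

# The compare operators from the grammar, applied as op(packet_port, rule_port).
COMPARES = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
            "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
            ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}


def parse_port_num(tok):
    """port-num = service-name | decnum"""
    return SERVICE_PORTS[tok] if tok in SERVICE_PORTS else int(tok)


def parse_addr(toks, i):
    """Parse one addr production at toks[i]; return (IPv4Network, or None for 'any', next index)."""
    tok = toks[i]
    if tok == "any":
        return None, i + 1
    if tok in ("addr-eth", "addr-ppp"):
        host, i = IFACE_ADDRS[f"{tok[5:]} {toks[i + 1]}"], i + 2   # "addr-eth 0" -> "eth 0"
    else:
        host, i = tok, i + 1
    prefix = 32
    if "/" in host:                                   # Method 1: ip-addr/decnum
        host, prefix = host.split("/")
        prefix = int(prefix)
    net = ipaddress.IPv4Network((host, prefix), strict=False)
    if i < len(toks) and toks[i] == "mask":           # Method 2: mask ip-addr | mask hexnum
        mask = toks[i + 1]
        # Assumption: a hexnum mask is written as 0xffffff00 or ffffff00.
        mask_int = int(ipaddress.IPv4Address(mask)) if "." in mask else int(mask, 16)
        net = ipaddress.IPv4Network((host, str(ipaddress.IPv4Address(mask_int))), strict=False)
        i += 2
    return net, i


def parse_port_test(toks, i):
    """Parse an optional port-comp or port-range at toks[i]; return (predicate or None, next index)."""
    if i >= len(toks) or toks[i] != "port":
        return None, i
    if toks[i + 1] in COMPARES:                        # port-comp: "port" compare port-num
        op, n = COMPARES[toks[i + 1]], parse_port_num(toks[i + 2])
        return (lambda p: op(p, n)), i + 3
    lo, sep, hi = parse_port_num(toks[i + 1]), toks[i + 2], parse_port_num(toks[i + 3])
    # port-range: assumed IPFilter meaning, "><" = strictly inside, "<>" = strictly outside.
    if sep == "><":
        return (lambda p: lo < p < hi), i + 4
    if sep == "<>":
        return (lambda p: p < lo or p > hi), i + 4
    raise ValueError(f"bad port-range separator {sep!r}")


def parse_rule(rule):
    """Build matcher(src, sport, dst, dport) -> bool from the ip-range part of a script rule.

    Tokens before "from"/"all" (action, direction, "break end on ppp 0") are not interpreted,
    and trailing flags / icmp-type clauses are accepted but ignored in this example."""
    toks = rule.split()
    if "from" not in toks:
        if "all" in toks:
            return lambda src, sport, dst, dport: True
        raise ValueError("rule has neither 'all' nor 'from ... to ...'")
    i = toks.index("from") + 1
    src_net, i = parse_addr(toks, i)
    src_port, i = parse_port_test(toks, i)
    if toks[i:i + 1] != ["to"]:
        raise ValueError("expected 'to' after the source ip-object")
    dst_net, i = parse_addr(toks, i + 1)
    dst_port, i = parse_port_test(toks, i)

    def matches(src, sport, dst, dport):
        return ((src_net is None or ipaddress.IPv4Address(src) in src_net)
                and (src_port is None or src_port(sport))
                and (dst_net is None or ipaddress.IPv4Address(dst) in dst_net)
                and (dst_port is None or dst_port(dport)))
    return matches


if __name__ == "__main__":
    # The page's two equivalent ways of writing "everything in 10.1.2.*", plus a hex mask.
    for r in ("block from any to 10.1.2.0/24",
              "block from any to 10.1.2.0 mask 255.255.255.0",
              "block from any to 10.1.2.0 mask 0xffffff00"):
        print(r, "->", parse_rule(r)("198.51.100.5", 40000, "10.1.2.200", 80))
    spoof = parse_rule("block in break end on ppp 0 from addr-eth 0 to any")
    print("eth 0 source seen on ppp 0 blocked:", spoof("192.168.1.1", 1, "198.51.100.9", 53))
```

Running the script shows the three 10.1.2.0 rules matching the same packet, which is the point of the two mask methods: /24 and mask 255.255.255.0 select the same significant bits. The addr-eth rule matches only while the constructed table says eth 0 holds 192.168.1.1; on a real router the address is resolved from the live interface configuration, which is exactly why the keyword exists.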
Digi TransPort WR Routers User Guide
Firewall
696
