Digi TransPort WR11 User Manual page 772

Configuring security
[options]
The [options] firewall script field defines several options that apply to packets matching the rule.
log
When the log option is specified, the router places an entry in the FWLOG.TXT file each time it
processes a packet that matches the rule. This log normally details the rule that was matched along
with a summary of the packet contents.
- If the log option is followed by the body sub-option, the complete IP packet is entered into the
  log file, so when the log file is displayed, a more detailed decode of the IP packet is shown.
- The log field can also be followed by a further sub-option that specifies a different type of log
  output. This may be either snmp, syslog, or event. If snmp is specified, an SNMP trap
  (containing similar information to the normal log entry) is generated when a packet matches
  the rule. If syslog is specified, a syslog message is sent to the configured syslog manager IP
  address. This message contains the same information as that entered into the log file, but in a
  different format.
- If the body option has also been specified, some of the IP packet information is also included.
- The size of the syslog message is limited to a maximum of 1024 bytes.
- The syslog message is sent with a default priority value of 14, which expands out to a facility of
  USER and a priority of INFO.
- If event is specified, the log output is copied to the eventlog.txt pseudo-file and the
  FWLOG.TXT file.
- The event log entry contains the line number and hit count for the rule that caused the packet
  to be logged.
For example, suppose your local network is on subnet 192.168.*.* and you want to block any packets
received on PPP 0 that were pretending to be on the local network, and log the receipt of any such
packets to the FWLOG.TXT file and to a syslog server. The filter rule is constructed as follows:
    block in log syslog break end on ppp 0 from 192.168.0.0/16 to any
break
When specifying the break option, follow it with a user-defined label name or the predefined end
keyword. When followed by a label, the rule processor jumps to that label to continue processing.
When followed by the end keyword, rule processing is terminated and the packet is treated according
to the last matching rule. For example:
    break ppp_label on ppp 0
    # insert rule processing here for packets that are not on ppp 0
    break end
    ppp_label:
    # insert rule processing here for packets that are on ppp 0
on
The interface to which the rule applies; must be followed by a valid interface name. For example, if you
were only interested in applying a particular rule to packets being transmitted or received by PPP 0,
you would include ppp 0 in the rule. Valid interface names are eth n, tun n or ppp n, where n is the
instance number.
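The break/label flow and the on/from/to matching described above are easiest to check by stepping through a rule set. The following Python script is an added illustration written for this page; it is not the router's firewall engine and not Digi's code. It parses rules written in the manual's syntax (the rule set below is constructed from the two examples on this page), walks them with the jump-to-label and break end semantics, keeps the per-rule hit count that the event log entry reports, and builds a syslog line using the PRI value 14 (facility USER, severity INFO) that the page states. Two details are assumptions of this script rather than statements from the manual: the text of the syslog message, and returning None when no rule with an action matched.

```python
import ipaddress

# Constructed rule set modelled on this page's two examples (not the router's
# own configuration): packets not on ppp 0 skip the ppp_label block entirely.
RULES_TEXT = """\
break ppp_label on ppp 0
# rules for packets that are not on ppp 0
pass
break end
ppp_label:
# rules for packets that are on ppp 0
block in log syslog break end on ppp 0 from 192.168.0.0/16 to any
pass
"""

# Syslog PRI exactly as the page gives it: facility USER (1) * 8 + severity INFO (6) = 14.
SYSLOG_PRI = 1 * 8 + 6

LOG_SUBOPTIONS = {"body", "snmp", "syslog", "event"}


def parse_rules(text):
    """Parse rule lines into dicts; a line ending in ':' becomes a label entry."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        if line.endswith(":"):
            rules.append({"label": line[:-1], "line": lineno})
            continue
        rule = {"line": lineno, "action": None, "dir": None, "log": None,
                "break": None, "iface": None, "src": None, "dst": None}
        tok = line.split()
        i = 0
        while i < len(tok):
            t = tok[i]
            if t in ("block", "pass"):
                rule["action"] = t
                i += 1
            elif t in ("in", "out"):
                rule["dir"] = t
                i += 1
            elif t == "log":
                rule["log"] = {"file"}                # FWLOG.TXT is always written
                i += 1
                while i < len(tok) and tok[i] in LOG_SUBOPTIONS:
                    rule["log"].add(tok[i])
                    i += 1
            elif t == "break":
                rule["break"] = tok[i + 1]            # a label name or 'end'
                i += 2
            elif t == "on":
                rule["iface"] = f"{tok[i + 1]} {tok[i + 2]}"   # e.g. 'ppp 0'
                i += 3
            elif t in ("from", "to"):
                addr = tok[i + 1]                     # 'any' or a CIDR prefix
                rule["src" if t == "from" else "dst"] = (
                    None if addr == "any" else ipaddress.ip_network(addr))
                i += 2
            else:
                raise ValueError(f"line {lineno}: unknown keyword {t!r}")
        rules.append(rule)
    return rules


def matches(rule, pkt):
    """True when every condition present in the rule holds for the packet."""
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    if rule["dir"] and rule["dir"] != pkt["dir"]:
        return False
    for key in ("src", "dst"):
        if rule[key] is not None and ipaddress.ip_address(pkt[key]) not in rule[key]:
            return False
    return True


def process(rules, pkt, hits):
    """Walk the rules with the page's break semantics; return (verdict, log entries).

    The verdict is the action of the last matching rule. None means no rule with
    an action matched (assumption: the page does not state what happens then).
    """
    labels = {r["label"]: i for i, r in enumerate(rules) if "label" in r}
    last_action, logs, i = None, [], 0
    while i < len(rules):
        rule = rules[i]
        i += 1
        if "label" in rule or not matches(rule, pkt):
            continue
        hits[rule["line"]] = hits.get(rule["line"], 0) + 1     # hit count per rule line
        if rule["action"]:
            last_action = rule["action"]
        if rule["log"]:
            entry = {"line": rule["line"], "hits": hits[rule["line"]],
                     "targets": sorted(rule["log"])}
            if "syslog" in rule["log"]:               # message text is this script's own format
                entry["syslog"] = (f"<{SYSLOG_PRI}>fw: rule {rule['line']} "
                                   f"{rule['action']} {pkt['src']} -> {pkt['dst']}")
            logs.append(entry)
        if rule["break"] == "end":                    # stop; last matching rule decides
            break
        if rule["break"]:                             # jump to the named label
            i = labels[rule["break"]]
    return last_action, logs


# Constructed sample packets: a spoofed local-subnet source arriving on ppp 0,
# a genuine external source on ppp 0, and a packet on eth 0 that never reaches ppp_label.
SAMPLE_PACKETS = [
    {"iface": "ppp 0", "dir": "in", "src": "192.168.1.5", "dst": "203.0.113.9"},
    {"iface": "ppp 0", "dir": "in", "src": "10.0.0.1", "dst": "203.0.113.9"},
    {"iface": "eth 0", "dir": "in", "src": "192.168.1.5", "dst": "203.0.113.9"},
]

if __name__ == "__main__":
    rules, hits = parse_rules(RULES_TEXT), {}
    for pkt in SAMPLE_PACKETS:
        print(pkt["iface"], pkt["src"], "->", process(rules, pkt, hits))
```

Running it shows the first packet blocked with a log entry for rule line 7 and a message starting with `<14>`, the second passed, and the third passed by the rules before `break end` without the ppp_label rules being consulted at all.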
Digi TransPort® Routers User Guide
Firewall
772
