Digi TransPort WR11 User Manual page 786

Configuring security
Specifying IP addresses and ranges in firewall rules
ip-range
The ip-range field of a firewall script rule identifies the IP address or range of addresses to which the
rule applies. The syntax for specifying an IP address range is:
ip-range = "all" | "from" ip-object "to" ip-object [ flags ] [ icmp ] [ icmpv6 ]
where:
ip-object = addr [ port-comp | port-range ]
flags = "flags" { flags } [ ! { flags } ]
icmp = "icmp-type" icmp-type [ "code" decnum ]
addr = "any" | ip-addr | ipv6-addr | ipv6-host | addr6-eth | addr6-ppp [ "/" decnum ] [ "mask" ip-addr | "mask" hexnum ]
port-comp = "port" compare port-num
port-range = "port" port-num "<>" | "><" port-num
ip-addr = IP address in format nnn.nnn.nnn.nnn
decnum = a decimal number
hexnum = a hexadecimal number
compare = "=" | "!=" | "<" | "<=" | ">" | ">="
port-num = service-name | decnum
service-name = "http" | "telnet" | "ftpdat" | "ftpcnt" | "pop3" | "ike" | "xot" | "sntp" | "smtp"
In the above syntax definition:
Items in quotes are keywords.
Items in square brackets are optional.
Items in curly braces are optional and can be repeated.
The vertical bar symbol ("|") means or.
ip-object
An ip-object consists of an IP address and an IP port specification, preceded by the keyword from or
to define whether it is the source or destination address. The most basic form for an ip-object is an IP
address preceded by from or to. For example, to block all packets destined for address 10.1.2.98 the
script rule is:
block out from any to 10.1.2.98
You can specify an ip-object using an address mask, describing which bits of the IP address are
relevant when matching. The script processor supports two formats for specifying masks:
Method 1: The IP address is followed by a forward slash and a decimal number. The decimal
number specifies the number of significant bits in the IP address. For example, if you wanted to
block all packets in the range 10.1.2.* the rule would be:
block from any to 10.1.2.0/24
that is, only the first 24 bits of the address are significant.
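To check which packets an ip-range actually covers before a rule is deployed, the following added example (not Digi code and not part of the manual) parses a subset of the grammar above and tests constructed packets against it. It assumes IPv4 only, the "/" decnum mask form, and numeric ports; the function names are hypothetical, and it takes only the ip-range portion of a rule, without the leading action.

```python
import ipaddress
import operator
import re

# Operators from the page's "compare" production.
COMPARE = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
           "<=": operator.le, ">": operator.gt, ">=": operator.ge}

def parse_ip_object(tokens):
    """addr [ "port" compare decnum ] -> (IPv4Network or None, port test or None)."""
    addr = tokens.pop(0)
    # strict=False: bits beyond the /decnum prefix are not significant (Method 1).
    net = None if addr == "any" else ipaddress.IPv4Network(addr, strict=False)
    port_test = None
    if tokens and tokens[0] == "port":
        op, num = COMPARE[tokens[1]], int(tokens[2])
        del tokens[:3]
        port_test = lambda p: op(p, num)
    return net, port_test

def parse_ip_range(text):
    """ "all" | "from" ip-object "to" ip-object ; flags and icmp are rejected."""
    tokens = re.findall(r"!=|<=|>=|[=<>]|[^\s=<>!]+", text)
    if tokens == ["all"]:
        return (None, None), (None, None)
    if not tokens or tokens.pop(0) != "from":
        raise ValueError("expected 'all' or 'from'")
    src = parse_ip_object(tokens)
    if not tokens or tokens.pop(0) != "to":
        raise ValueError("expected 'to'")
    dst = parse_ip_object(tokens)
    if tokens:
        raise ValueError(f"unsupported trailing tokens: {tokens}")
    return src, dst

def _hit(obj, ip, port):
    net, port_test = obj
    return ((net is None or ipaddress.IPv4Address(ip) in net)
            and (port_test is None or port_test(port)))

def matches(ip_range, src_ip, src_port, dst_ip, dst_port):
    """True if a packet falls inside the ip-range of a rule."""
    src, dst = parse_ip_range(ip_range)
    return _hit(src, src_ip, src_port) and _hit(dst, dst_ip, dst_port)

if __name__ == "__main__":
    # Constructed packets: source 192.0.2.10:40000, destination port 80.
    for rng in ("from any to 10.1.2.98", "from any to 10.1.2.0/24"):
        for dst in ("10.1.2.98", "10.1.2.7", "10.1.3.98"):
            print(f"{rng!r:30} dst={dst:10} ->", matches(rng, "192.0.2.10", 40000, dst, 80))
```

Anything the subset does not understand (flags, icmp, port-range, the "mask" form) raises an error rather than being silently ignored, so a rule is never reported as matching on a partial parse.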
Digi TransPort® Routers User Guide
Firewall
786
