Digi TransPort WR11 User Manual page 791

Configuring security
incoming packets will have their ACK bits set. Only the first packet establishing the connection will
have the ACK bit off. The filter rules to do this would look like this:
pass out break end from 10.1.2.33 port>1023 to any port=telnet
pass in break end from any port=telnet to 10.1.2.33 port>1023 flags !a
The first rule allows the outward connections, and the second rule allows the response packets back
in, on which the ACK flag must always be on. This second rule filters out any packets that do not have
the ACK flag on, which bars attackers from trying to open connections into the private network simply
by specifying the source port as the Telnet port. Note that there is a simpler way to achieve the
same effect using the inspect state option, described below.
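To see what the two rules above admit and reject, here is an added Python simulation (not Digi's code) of the small subset of the filter syntax they use. It reads flags !a as the page does (only packets with the ACK bit set match), and assumes that a packet matching no rule is dropped; the peer address and port numbers are constructed.

```python
import re
from dataclasses import dataclass

# The two rules from the page, spacing normalised.
RULES = [
    "pass out break end from 10.1.2.33 port>1023 to any port=telnet",
    "pass in break end from any port=telnet to 10.1.2.33 port>1023 flags !a",
]
SERVICES = {"telnet": 23}  # the only service name these rules use

@dataclass
class Packet:
    direction: str   # "in" or "out" relative to the private network
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK bit

# Grammar subset: pass <dir> [break end] from <addr> [port<op><val>]
#                 to <addr> [port<op><val>] [flags !a]
RULE_RE = re.compile(
    r"pass (in|out)(?: break end)? from (\S+)(?: port([>=])(\S+))?"
    r" to (\S+)(?: port([>=])(\S+))?(?: flags (!a))?$")

def _addr_ok(spec, addr):
    return spec == "any" or spec == addr

def _port_ok(op, val, port):
    if op is None:               # no port clause: any port matches
        return True
    n = SERVICES[val] if val in SERVICES else int(val)
    return port > n if op == ">" else port == n

def rule_matches(rule, pkt):
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule: {rule}")
    d, src, sop, sval, dst, dop, dval, flags = m.groups()
    if d != pkt.direction or not _addr_ok(src, pkt.src) or not _addr_ok(dst, pkt.dst):
        return False
    if not _port_ok(sop, sval, pkt.sport) or not _port_ok(dop, dval, pkt.dport):
        return False
    # 'flags !a' as the page describes it: packets without ACK do not match.
    return not (flags == "!a" and not pkt.ack)

def verdict(pkt, rules=RULES):
    """First matching 'pass ... break end' rule admits the packet.
    Assumption (not stated on this page): no match means the packet is dropped."""
    return "pass" if any(rule_matches(r, pkt) for r in rules) else "drop"

if __name__ == "__main__":
    peer = "203.0.113.5"  # constructed remote host
    print(verdict(Packet("out", "10.1.2.33", 40000, peer, 23)))            # pass (SYN out)
    print(verdict(Packet("in", peer, 23, "10.1.2.33", 40000, ack=True)))   # pass (SYN/ACK back)
    print(verdict(Packet("in", peer, 23, "10.1.2.33", 40000, ack=False)))  # drop (forged SYN from port 23)
```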
Filter on ICMP codes
An ip-object can be followed by an optional [icmp] field.
[icmp]
Allows the script to filter packets based on ICMP codes. ICMP packets are occasionally employed to
debug and diagnose a network and can be extremely useful. However, they form part of a low-level
protocol and are frequently exploited by hackers for attacking networks. For this reason, most
network administrators want to restrict the use of ICMP packets.
The syntax for including ICMP filtering is:
icmp = "icmp-type" icmp-type ["code" decnum]
icmp-type
Is one of the pre-defined strings listed in the following table or the equivalent decimal numeric value:
ICMP type    ICMP value
Unreach      3
Echo         8
Echorep      0
Squench      4
Redir        5
Timex        11
Paramprob    12
Timest       13
Timestrep    14
Inforeq      15
Inforep      16
Maskreq      17
Maskrep      18
Digi TransPort® Routers User Guide
Firewall
791
