RUGGEDCOM ROX II
CLI User Guide
Section 5.17.14.2
Adding a Rule
To configure a rule for a firewall, do the following:
1.
Make sure the CLI is in Configuration mode.
2.
Add the rule by typing:
security firewall fwconfig firewall fwrule rule
Where:
• firewall is the name of the firewall
• rule is the name of the rule
3.
Configure the following parameter(s) as required:
NOTE
When new rules are applied, traffic the router has already seen may still be treated as belonging to valid connections by the connection tracking table. For instance:
a. A rule matching the TCP and UDP protocols is applied.
b. The router sees both TCP and UDP traffic that qualifies for NAT.
c. The rule is then modified to allow only UDP.
d. TCP packets belonging to the connections already in the tracking table (e.g. retransmissions) are still treated as valid, because the tracked connection outlives the rule change.
If required, reboot the router to flush all existing connection streams.
Parameter / Description

iptype { iptype }
    Synopsis: { ipv4, ipv6, ipv4ipv6 }
    Default: ipv4
    Internet protocol type. Use ipv4ipv6 only for rules that specify no addresses; when addresses are used, define separate IPv4 and IPv6 rules for each address family.

action { action }
    Synopsis: { accept, drop, reject, continue, redirect, dnat-, dnat }
    Default: reject
    The final action to take on incoming packets matching this rule.

source-zone-hosts { source-zone-hosts }
    Synopsis: A string
    (Optional) Comma-separated host IP addresses that restrict the rule to those hosts within the predefined source zone.

destination-zone-hosts { destination-zone-hosts }
    Synopsis: A string
    (Optional) Comma-separated host IP addresses that restrict the rule to those hosts within the destination zone. May include :port for the dnat and redirect actions.

log-level { log-level }
    Synopsis: { none, debug, info, notice, warning, error, critical, alert, emergency }
    Default: none
    (Optional) Determines whether matching packets are logged and, if so, at which logging level.

protocol { protocol }
    Synopsis: { tcp, udp, icmp, all } or a string
    Default: all
    The protocol to match for this rule.

source-ports { source-ports }
    Synopsis: A string
    Default: none
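As a worked example added here (it is not taken from the Siemens guide), the following ROX II CLI session adds two rules to a firewall assumed to be named fw1, using only the parameters documented above and leaving everything else at its default. The firewall and rule names, the addresses, and the use of `config` to enter Configuration mode, `exit` to leave a rule context and `commit` to apply the candidate configuration are assumptions about this particular deployment; substitute your own. Lines beginning with # are annotations, not commands.

```text
# Step 1: enter Configuration mode (assumed command).
config

# Step 2: a rule that permits ICMP from a single management host only.
# iptype ipv4 is the default and is shown for clarity; log-level stays at none.
security firewall fwconfig fw1 fwrule mgmt-icmp
iptype ipv4
action accept
protocol icmp
source-zone-hosts 192.168.10.5
exit

# Step 2 again: a rule that drops and logs all traffic from a host that
# should never be talking to this router. Logging at warning level makes
# the attempts visible to whoever collects the router's logs.
security firewall fwconfig fw1 fwrule block-rogue-host
iptype ipv4
action drop
protocol all
source-zone-hosts 192.168.10.250
log-level warning
exit

# Apply the candidate configuration (assumed command).
commit
```

If block-rogue-host replaces a rule that previously accepted traffic from that host, connections already present in the connection tracking table keep their state, as the note above explains; reboot the router if those streams must be cut immediately rather than allowed to time out.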
Chapter 5
Setup and Configuration
291