Westermo MR Series User Manual
6622-3201
Web Interface and Command Line Reference Guide
www.westermo.com
The optional [icmp-code] field can also be a decimal number representing the ICMP code of the 
return ICMP packet, but if the [icmp-type] is [unreach] then the code can also be one of the 
following pre-defined text codes: 
ICMP code    Meaning
net-unr      Network unreachable
host-unr     Host unreachable
proto-unr    Protocol unrecognised
port-unr     Port unreachable
needfrag     Needs fragmentation
srcfail      Source route fail
For example:
block return-icmp unreach in break end on ppp 0
This rule would cause the unit to return an ICMP Unreachable packet in response to all packets 
received on PPP 0. 
Instead of using the return-icmp option to return an ICMP packet, return-rst can be used to return 
a TCP reset packet. This is only applicable to TCP packets. For example: 
block return-rst in break end on eth 0 proto tcp from any to 10.1.2.0/24
This would return a TCP reset packet when the firewall receives a TCP packet on the Ethernet 
interface 0 with destination address 10.1.2.*. 
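The two constraints described above (text ICMP codes are only valid with unreach, and return-rst 
only applies to TCP) can be checked before a script is loaded onto the unit. The following Python 
linter is an added example, not part of the Westermo manual or firmware; it assumes that 
[icmp-code] directly follows [icmp-type], and rules 3 to 5 of its sample script are constructed. 

```python
# Added example: lint "block" rules for the two constraints described above.
# Token order and the constructed sample rules are assumptions.

# Text codes from the table above. The numeric values are the ICMP
# Destination Unreachable codes from RFC 792, not taken from this page.
UNREACH_CODES = {"net-unr": 0, "host-unr": 1, "proto-unr": 2,
                 "port-unr": 3, "needfrag": 4, "srcfail": 5}

def lint_rule(rule):
    """Return a list of problems found in one firewall rule (empty if none)."""
    toks = rule.split()
    problems = []
    if "return-rst" in toks:
        # A TCP reset only makes sense if the rule is restricted to TCP.
        pairs = zip(toks, toks[1:])
        if not any(a == "proto" and b == "tcp" for a, b in pairs):
            problems.append("return-rst used without 'proto tcp'")
        if "return-icmp" in toks:
            problems.append("return-rst and return-icmp in the same rule")
    for i, tok in enumerate(toks):
        # Assumption: [icmp-code] directly follows [icmp-type].
        if tok in UNREACH_CODES and (i == 0 or toks[i - 1] != "unreach"):
            problems.append(f"text code '{tok}' requires icmp-type unreach")
    return problems

def lint_script(text):
    """Map 1-based line numbers to problems for every rule that has any."""
    report = {}
    for n, line in enumerate(text.splitlines(), start=1):
        found = lint_rule(line)
        if found:
            report[n] = found
    return report

# Rules 1 and 2 are the manual's examples; 3 to 5 are constructed.
SAMPLE = """\
block return-icmp unreach in break end on ppp 0
block return-rst in break end on eth 0 proto tcp from any to 10.1.2.0/24
block return-icmp unreach port-unr in break end on ppp 0
block return-rst in break end on eth 0
block return-icmp port-unr in break end on ppp 0
"""

if __name__ == "__main__":
    for n, found in lint_script(SAMPLE).items():
        print(n, "; ".join(found))
```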
pass:
The pass action allows packets that match the rule to pass through the firewall.
pass-ifup:
The pass-ifup action allows outbound packets that match the rule to pass through the firewall 
but only if the link is already active. 
debug:
The debug action causes the unit to tag any packets matching the rule for debug. This means that 
for every matching rule that is encountered from this point in the script onwards, an entry will 
be placed in the pseudo-file FWLOG.TXT. 
dscp:
The dscp action causes any packet matching this rule to have its DSCP value adjusted according 
to this rule. The DSCP value of a packet indicates the type of service required and is used 
in conjunction with QOS (Quality of Service) functions. A decimal or hex number must follow 
the dscp keyword to indicate the value that should be set. 
vdscp:
The vdscp action is very similar to the dscp action described above in that it adjusts the 
DSCP value in a packet. The difference, however, is that this is a virtual change only, which means 
that the actual packet is not changed and that the packet is processed as if it had the DSCP 
value indicated. Like the dscp action, a decimal or hex number must follow. 
[in-out] 
The [in-out] field can be in or out and is used to specify whether the action applies to inbound or 
outbound packets. When the field is left blank the rule is applied to any packet irrespective of its 
direction. 
[options] 
The [options] field is used to define a number of options that may be applied to packets matching 
the rule. These are: 
