Westermo MR Series User Manual
Page 395
6622-3201
Web Interface and Command Line Reference Guide
www.westermo.com
log:
When the log option is specified, the unit will place an entry in the FWLOG.TXT file each
time it processes a packet that matches the rule. This log will normally detail the rule that was
matched along with a summary of the packet contents. If the log option is followed by the body
sub-option, the complete IP packet is entered into the log file so that when the log file is
displayed, a more detailed decode of the IP packet is shown.
The log option may also be followed by a further sub-option that specifies a different type of log
output. This may be either snmp, syslog or event.
If snmp is specified, an SNMP trap (containing similar information to the normal log entry) is
generated when a packet matches the rule.
If syslog is specified, a syslog message is sent to the configured syslog manager IP address. This
message will contain the same information as that entered into the log file, but in a different
format. If the body option has been specified, some of the IP packet information is also included.
Note that the size of the syslog message is limited to a maximum of 1024 bytes. The syslog
message is sent with a default priority value of 14, which expands to a facility of USER and a
priority of INFO.
If event is specified, the log output will be copied to the EVENTLOG.TXT pseudo-file as well
as to the FWLOG.TXT file. The event log entry will contain the line number and hit count for the
rule that caused the packet to be logged.
Example:
Say your local network is on subnet 192.168.*.* and you want to block any packets received
on PPP 0 that were “pretending” to be on the local network and log the receipt of any such
packets to the FWLOG.TXT file and to a syslog server. The filter rule would be constructed as
follows:
block in log syslog break end on ppp 0 from 192.168.0.0/16 to any
break:
When the break option is specified it must be followed by a user-defined label name or the
predefined end keyword. When followed by a label, the rule processor will “jump” to that label to
continue processing. When followed by the end keyword, rule processing will be terminated and
the packet will be treated according to the last matching rule.
Example:
break ppp_label on ppp 0
# insert rule processing here for packets that are not on ppp 0
break end
ppp_label:
# insert rule processing here for packets that are on ppp 0
on:
The on option is used to specify the interface to which the rule applies and must be followed
by a valid interface name. For example, if you were only interested in applying a particular rule
to packets being transmitted or received by PPP 0, you would include on ppp 0 in the rule. Valid
interface names are either eth n, tun n or ppp n, where n is the instance number.
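As an added example (this is not Westermo's code and does not claim to reproduce the unit's real rule parser), the following Python script models the semantics described under log, break and on: absent options act as wildcards, break end stops processing, break followed by a label jumps to that label, the packet is treated according to the last matching rule, and a rule with log syslog produces a syslog copy of the FWLOG.TXT entry with the default priority 14 (facility USER, severity INFO) capped at 1024 bytes. The rule set combines the page's anti-spoofing rule with the break example's label structure; the two pass rules, the packet dictionaries and the exact log-line format are assumptions made for this example, and oneroute, routeto and port matching are not modelled.

```python
"""Toy model of the firewall rule options on this page (added example, not Westermo code):
block/pass, in/out, 'on <iface>', from/to CIDR, the 'log' sub-options, 'break <label>' /
'break end', and the rule that a packet's fate is that of the LAST matching rule."""
import ipaddress

SYSLOG_MAX_BYTES = 1024    # page: syslog message is limited to 1024 bytes
SYSLOG_DEFAULT_PRI = 14    # page: default priority 14 = facility USER, severity INFO


def syslog_pri(facility=1, severity=6):
    return facility * 8 + severity   # syslog PRI encoding; USER=1, INFO=6 gives 14


def parse_rule(text):
    """None for blank/comment lines, {'label': name} for 'name:', else an option dict."""
    text = text.split('#', 1)[0].strip()
    if not text:
        return None
    if text.endswith(':'):
        return {'label': text[:-1]}
    rule = dict(action=None, dir=None, log=None, brk=None, on=None, src=None, dst=None)
    toks, i = text.split(), 0
    while i < len(toks):
        t = toks[i]
        if t in ('block', 'pass', 'in', 'out'):
            rule['action' if t in ('block', 'pass') else 'dir'] = t
        elif t == 'log':                      # collect body/snmp/syslog/event sub-options
            rule['log'] = []
            while i + 1 < len(toks) and toks[i + 1] in ('body', 'snmp', 'syslog', 'event'):
                i += 1
                rule['log'].append(toks[i])
        elif t == 'break':                    # 'break <label>' or 'break end'
            i += 1
            rule['brk'] = toks[i]
        elif t == 'on':                       # interface name is two tokens, e.g. 'ppp 0'
            rule['on'] = f'{toks[i + 1]} {toks[i + 2]}'
            i += 2
        elif t in ('from', 'to'):
            i += 1
            key = 'src' if t == 'from' else 'dst'
            rule[key] = None if toks[i] == 'any' else ipaddress.ip_network(toks[i])
        i += 1
    return rule


def matches(rule, pkt):
    """Absent options are wildcards, so a bare 'break' rule matches every packet."""
    ok_dir = rule['dir'] in (None, pkt['dir'])
    ok_on = rule['on'] in (None, pkt['iface'])
    ok_src = rule['src'] is None or ipaddress.ip_address(pkt['src']) in rule['src']
    ok_dst = rule['dst'] is None or ipaddress.ip_address(pkt['dst']) in rule['dst']
    return ok_dir and ok_on and ok_src and ok_dst


def log_entry(line_no, rule, pkt):
    """FWLOG.TXT entry (rule line plus packet summary); the syslog copy is capped at 1024 bytes."""
    summary = f"rule {line_no}: {rule['action']} {pkt['dir']} {pkt['iface']} {pkt['src']} -> {pkt['dst']}"
    entry = {'FWLOG.TXT': summary}
    if 'syslog' in rule['log']:
        entry['syslog'] = f'<{SYSLOG_DEFAULT_PRI}>{summary}'[:SYSLOG_MAX_BYTES]
    return entry


def process(ruleset_text, pkt):
    """Return (verdict, logs): 'break end' stops, 'break label' jumps, last match decides."""
    rules = [r for r in map(parse_rule, ruleset_text.splitlines()) if r]
    labels = {r['label']: i for i, r in enumerate(rules) if 'label' in r}
    verdict, logs, pc = None, [], 0
    while pc < len(rules):
        rule = rules[pc]
        pc += 1                               # pc is now the 1-based rule line number
        if 'label' in rule or not matches(rule, pkt):
            continue
        if rule['action']:
            verdict = rule['action']
        if rule['log'] is not None:
            logs.append(log_entry(pc, rule, pkt))
        if rule['brk'] == 'end':
            break
        if rule['brk']:
            pc = labels[rule['brk']]
    return verdict, logs


# Constructed rule set: the page's anti-spoofing rule inside the page's 'break' label
# structure; the two 'pass' rules are assumptions made for this example.
RULESET = """
break ppp_label on ppp 0
pass in              # not on ppp 0: allow and stop
break end
ppp_label:
block in log syslog break end on ppp 0 from 192.168.0.0/16 to any
pass in on ppp 0
"""

# Constructed packets: spoofed LAN source on ppp 0, a legitimate one, and LAN traffic on eth 0.
SPOOFED = dict(dir='in', iface='ppp 0', src='192.168.1.5', dst='10.1.2.3')
LEGIT = dict(dir='in', iface='ppp 0', src='203.0.113.9', dst='10.1.2.3')
LAN = dict(dir='in', iface='eth 0', src='192.168.1.5', dst='10.1.2.3')
```

Calling process(RULESET, SPOOFED) returns the verdict 'block' together with one log entry whose syslog form starts with the PRI prefix <14>; the legitimate ppp 0 packet falls through to the final pass rule, and the eth 0 packet never enters the labelled section because the first rule's on ppp 0 does not match it.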
oneroute:
The oneroute option is used to specify that a rule will only match packets associated with the
specified eroute. For example, including the option oneroute 2 would cause the rule to only
match packets transmitted or received over Eroute 2. The oneroute option can be followed
by the keyword any, which will match if the packet is on any eroute.
routeto:
When the routeto option is specified and the firewall is processing a received packet, if the rule
is the last matching rule, then the packet is tagged as being required to be routed to the
specified interface.
For example:
pass in break end routeto eth 1 from 10.1.0.0/16 to 1.2.3.4 port=telnet
would ensure that all packets from 10.1.*.* to 1.2.3.4 on the telnet port are routed to ETH 1.