258
6620-3201
13 Firewall scripts
13.1 Introduction
A “firewall” is a protection system designed to prevent access to your local area network by unauthorised “external” parties, i.e. other users of the internet or of another wide area network. It may also limit the degree of access local users have to external network resources. A firewall does not provide a complete security solution; it provides only one element of a fully secure system. Consideration should also be given to the use of user authentication and data encryption. Refer to the IPSec section for further information.
In simple terms, a firewall is a packet filtering system that allows or prevents the transmission of data (in either direction) based on a set of rules. These rules can allow filtering based on the following criteria:
♦ source and destination IP addresses
♦ source and destination IP port or port ranges
♦ type of protocol in use
♦ direction of the data (in or out)
♦ interface type
♦ the eroute the packet is on
♦ whether an interface is OOS (out of service)
♦ ICMP message type
♦ TCP flags (SYN, ACK, URG, RESET, PUSH, FIN)
♦ TOS field
♦ status of a link and/or data packets on UDP/TCP and ICMP protocols
In addition to providing comprehensive filtering facilities, Westermo routers also allow you to specify rules relating to the logging of information for audit/debugging purposes. This information can be logged to a pseudo-file on the unit called FWLOG.TXT, to the EVENTLOG.TXT pseudo-file or to a syslog server. It can also be used to generate SNMP traps.
13.2 Firewall Script Syntax
A firewall must be individually configured to match the needs of authorised users and their applications. On Westermo routers the rules governing firewall behaviour are defined in a script file called FW.TXT. Each line in this file consists of a label definition, a comment or a filter rule.
13.2.1 Labels
A label definition is a string of up to 12 characters followed by a colon. Labels can only include letters, digits and the underscore character, and are used in conjunction with the break option to cause processing of the script to jump to a new location.
13.2.2 Comments
Any line starting with the hash character (“#”) is deemed to be a comment and ignored.
13.2.3 Filter Rules
The syntax for a filter rule is:
[action] [in-out] [options] [tos] [proto] [dnslist] [ip-range] [inspect-state]
When the firewall is active, the script is processed one line at a time as each packet is received or transmitted. Even when a packet matches a filter rule, processing continues and all the remaining filter rules are checked until the end of the script is reached. The action taken with respect to a particular packet is that specified by the last matching rule. With the break option, however, script processing can be redirected to a new location (a label) or to the end of the script, so that later rules are not consulted. The default action that the firewall assigns to a packet is to block: if the packet does not match any of the rules it will be blocked.
The various fields of a script rule are described below:
[action]
The [action] field may be specified as block, pass, pass-ifup, dscp, vdscp or debug. These operate as follows: