6620-3201
block:
The block action prevents a packet from being allowed through the firewall. When block is specified, an optional field can be included that will cause an ICMP packet to be returned to the interface from which that packet was received. This technique is sometimes used to confuse hackers by having different responses to different packets, or for fooling an attacker into thinking a service is not present on a network.
The syntax for specifying the return of an ICMP packet is:
return-icmp [icmp-type [icmp-code]]
where [icmp-type] is a decimal number representing the ICMP type, or can be one of the pre-defined text codes listed in the following table:
ICMP type value   ICMP type
1                 Unreach
2                 Echo
3                 Echorep
4                 squench
5                 redir
6                 timex
7                 paraprob
8                 timest
9                 timestrap
10                inforeq
11                inforep
12                maskreg
13                maskrep
14                routerad
15                routersol
The optional [icmp-code] field can also be a decimal number representing the ICMP code of the returned ICMP packet, but if the [icmp-type] is [unreach] then the code can also be one of the following pre-defined text codes:
ICMP code   Meaning
net-unr     Network unreachable
host-unr    Host unreachable
proto-unr   Protocol unrecognised
port-unr    Port unreachable
needfrag    Needs fragmentation
srcfail     Source route fail
For example:
block return-icmp unreach in on ppp 0
This rule would cause the unit to return an ICMP Unreachable packet in response to all packets
received on PPP 0.
Instead of using the return-icmp option to return an ICMP packet, return-rst can be used to return a TCP reset packet instead. This is only applicable to TCP packets. For example:
block return-rst in on eth 0 proto tcp from any to 10.1.2.0/24
This would return a TCP reset packet when the firewall receives a TCP packet on Ethernet interface 0 with destination address 10.1.2.*.
pass:
The pass action allows packets that match the rule to pass through the firewall.
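As an added example (not part of the manual, and not the unit's own rule parser), the following Python checker applies the block, return-icmp, return-rst and pass syntax described above to rule lines before they are loaded: it accepts decimal or pre-defined ICMP types, accepts the unreach-only text codes solely when the type is unreach, rejects return-icmp/return-rst on a pass rule, and warns when a return-rst rule does not restrict itself to TCP. The keyword tables are copied verbatim from the tables above; the Rule structure, the parse_rule function and the assumption that an interface is written as a name followed by a unit number ("ppp 0", "eth 0") are this example's own.

```python
"""Syntax checker for block/pass rules as documented above (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Pre-defined ICMP type keywords, copied verbatim from the manual's table.
ICMP_TYPE_KEYWORDS = {
    "unreach", "echo", "echorep", "squench", "redir", "timex", "paraprob",
    "timest", "timestrap", "inforeq", "inforep", "maskreg", "maskrep",
    "routerad", "routersol",
}

# Text codes that are only accepted when the ICMP type is "unreach".
UNREACH_CODE_KEYWORDS = {
    "net-unr": "Network unreachable",
    "host-unr": "Host unreachable",
    "proto-unr": "Protocol unrecognised",
    "port-unr": "Port unreachable",
    "needfrag": "Needs fragmentation",
    "srcfail": "Source route fail",
}

# Keywords that begin the filter part of a rule; tokens before them that follow
# return-icmp are taken as the optional [icmp-type [icmp-code]].
FILTER_KEYWORDS = {"in", "out", "on", "proto", "from", "to"}


@dataclass
class Rule:
    action: str = ""
    response: Optional[str] = None     # "return-icmp", "return-rst" or None
    icmp_type: Optional[str] = None
    icmp_code: Optional[str] = None
    direction: Optional[str] = None
    interface: Optional[str] = None    # assumed form: "ppp 0", "eth 0"
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    errors: List[str] = field(default_factory=list)    # rule must be rejected
    warnings: List[str] = field(default_factory=list)  # legal but suspicious


def _parse_icmp_args(toks: List[str], i: int, rule: Rule) -> int:
    """Consume the optional [icmp-type [icmp-code]] that follows return-icmp."""
    if i < len(toks) and toks[i].lower() not in FILTER_KEYWORDS:
        rule.icmp_type = toks[i].lower()
        i += 1
        if not (rule.icmp_type.isdigit() or rule.icmp_type in ICMP_TYPE_KEYWORDS):
            rule.errors.append(f"unknown icmp-type {rule.icmp_type!r}")
        if i < len(toks) and toks[i].lower() not in FILTER_KEYWORDS:
            rule.icmp_code = toks[i].lower()
            i += 1
            if rule.icmp_code.isdigit():
                pass  # any decimal ICMP code is allowed
            elif rule.icmp_code in UNREACH_CODE_KEYWORDS:
                if rule.icmp_type != "unreach":
                    rule.errors.append(
                        f"code {rule.icmp_code!r} is only valid with icmp-type unreach")
            else:
                rule.errors.append(f"unknown icmp-code {rule.icmp_code!r}")
    return i


def parse_rule(line: str) -> Rule:
    """Parse one rule line; problems are reported in Rule.errors / Rule.warnings."""
    rule = Rule()
    toks = line.split()
    if not toks:
        rule.errors.append("empty rule")
        return rule
    rule.action = toks[0].lower()
    if rule.action not in ("block", "pass"):
        rule.errors.append(f"unknown action {toks[0]!r}")
        return rule
    i = 1

    # return-icmp / return-rst are documented for the block action only.
    if i < len(toks) and toks[i].lower() in ("return-icmp", "return-rst"):
        rule.response = toks[i].lower()
        i += 1
        if rule.action != "block":
            rule.errors.append(f"{rule.response} is only valid with block")
        if rule.response == "return-icmp":
            i = _parse_icmp_args(toks, i, rule)

    # Filter part: direction, interface, protocol, source and destination.
    while i < len(toks):
        tok = toks[i].lower()
        if tok in ("in", "out"):
            rule.direction = tok
            i += 1
        elif tok == "on" and i + 1 < len(toks):
            name = toks[i + 1].lower()
            if i + 2 < len(toks) and toks[i + 2].isdigit():
                rule.interface = f"{name} {toks[i + 2]}"
                i += 3
            else:
                rule.interface = name
                i += 2
        elif tok in ("proto", "from", "to") and i + 1 < len(toks):
            attr = {"proto": "proto", "from": "src", "to": "dst"}[tok]
            setattr(rule, attr, toks[i + 1].lower())
            i += 2
        else:
            rule.errors.append(f"unexpected token {toks[i]!r}")
            i += 1

    # A TCP reset can only be returned for TCP packets.
    if rule.response == "return-rst" and rule.proto != "tcp":
        rule.warnings.append("return-rst only applies to TCP packets; consider 'proto tcp'")
    return rule
```

Running parse_rule over the two rules from the text yields no errors; a rule such as "block return-icmp echo port-unr in on eth 0" is rejected because port-unr is an unreach-only code, and "block return-rst in on eth 0" is accepted with a warning that it does not limit itself to TCP.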