263
6620-3201
13.3 Specifying IP Addresses and Ranges

The ip-range field of a firewall script rule identifies the IP address or range of addresses to which the rule applies. The syntax for specifying an IP address range is:

ip-range = “all” | “from” ip-object “to” ip-object [ flags ] [ icmp ]

where:

ip-object = addr [ port-comp | port-range ]
flags = “flags” { flags } [ !{ flags } ]
icmp = “icmp-type” icmp-type [ “code” decnum ]
addr = “any” | ip-addr [ “/” decnum ] [ “mask” ip-addr | “mask” hexnum ]
port-comp = “port” compare port-num
port-range = “port” port-num “<>” | “><” port-num
ip-addr = IP address in format nnn.nnn.nnn.nnn
decnum = a decimal number
hexnum = a hexadecimal number
compare = “=” | “!=” | “<” | “<=” | “>” | “>=”
port-num = service-name | decnum
service-name = “http” | “telnet” | “ftpdat” | “ftpcnt” | “pop3” | “ike” | “xot” | “sntp” | “smtp”

In the above syntax definition:

♦ items in quotes are keywords
♦ items in square brackets are optional
♦ items in curly braces are optional and can be repeated
♦ the vertical bar symbol (“|”) means “or”

An ip-object therefore consists of an IP address and an IP port specification, preceded by the keyword from or to to define whether it is the source or destination address. The most basic form for an ip-object is simply an IP address preceded by from or to. For example, to block all packets destined for address 10.1.2.98 the script rule would be:

block out from any to 10.1.2.98

An ip-object can also be specified using an address mask. This is a way of describing which bits of the IP address are relevant when matching. The script processor supports two formats for specifying masks.

Method 1: The IP address is followed by a forward slash and a decimal number. The decimal number specifies the number of significant bits in the IP address. For example, if you wanted to block all packets in the range 10.1.2.* the rule would be:

block from any to 10.1.2.0/24

i.e. only the first 24 bits of the address are significant.

Method 2: This same rule could be described another way using the mask keyword:

block from any to 10.1.2.0 mask 255.255.255.0

The IP address can also contain either “addr-ppp n” or “addr-eth n” where “n” is the eth or ppp instance number. In this case the rule is specifying that the IP address is that allocated to the PPP interface or to the Ethernet interface. This is useful in the situation where IP addresses are obtained automatically and therefore are not known by the author of the filtering rules. For example:

block in break end on ppp 0 from addr-eth 0 to any
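The following is an added example, not part of the manual and not the router's own script processor: a small Python parser for the ip-range grammar above, used to check which packets a rule's from/to objects would select. It handles both mask methods (prefix length and the mask keyword, with dotted or hexadecimal masks), the port-comp and port-range forms, the any keyword, and addr-eth n / addr-ppp n placeholders resolved from a constructed interface table. Several details are assumptions because the manual does not state them: the port numbers substituted for the service names (IANA values are used), that a hexnum mask may be written with or without a 0x prefix, and that “<>” selects ports strictly between its two numbers while “><” selects ports outside them. Flag and icmp-type clauses are not interpreted; they are returned as leftover tokens.

```python
"""Parser and matcher for the firewall-script ip-range syntax (added example, not the manual's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple, Union

# Constructed table: the manual lists these service names but not their numbers.
# The IANA port assignments used here are an assumption about what the script processor substitutes.
SERVICE_PORTS = {"http": 80, "telnet": 23, "ftpdat": 20, "ftpcnt": 21, "pop3": 110,
                 "ike": 500, "xot": 1998, "sntp": 123, "smtp": 25}

# The 'compare' production, as predicates over (packet_port, rule_number).
COMPARES = {"=": lambda p, n: p == n, "!=": lambda p, n: p != n,
            "<": lambda p, n: p < n, "<=": lambda p, n: p <= n,
            ">": lambda p, n: p > n, ">=": lambda p, n: p >= n}

# 'any' -> None; a network for the mask forms; ('eth', n) / ('ppp', n) for addr-eth n / addr-ppp n.
Addr = Union[None, ipaddress.IPv4Network, Tuple[str, int]]


@dataclass
class IpObject:
    addr: Addr
    port_pred: Optional[Callable[[int], bool]] = None

    def matches(self, ip: str, port: Optional[int], iface_addrs: dict) -> bool:
        """True if a packet address (and port, when the object tests one) is selected by this object."""
        if isinstance(self.addr, tuple):
            # addr-eth n / addr-ppp n: substitute whatever address the interface currently holds
            net = ipaddress.IPv4Network(iface_addrs[self.addr] + "/32")
        else:
            net = self.addr
        if net is not None and ipaddress.IPv4Address(ip) not in net:
            return False
        if self.port_pred is not None:
            return port is not None and self.port_pred(port)
        return True


def _port_num(tok: str) -> int:
    """port-num = service-name | decnum"""
    return SERVICE_PORTS[tok] if tok in SERVICE_PORTS else int(tok)


def parse_addr(tokens: List[str]) -> Tuple[Addr, List[str]]:
    """addr = 'any' | ip-addr ['/' decnum] ['mask' ip-addr | 'mask' hexnum] | addr-eth n | addr-ppp n"""
    head = tokens[0]
    if head == "any":
        return None, tokens[1:]
    if head in ("addr-eth", "addr-ppp"):
        return (head[5:], int(tokens[1])), tokens[2:]
    if len(tokens) >= 3 and tokens[1] == "mask":            # Method 2: explicit mask
        mask = tokens[2]
        if "." not in mask:                                  # hexnum form (assumed: with or without 0x)
            mask = str(ipaddress.IPv4Address(int(mask, 16)))
        return ipaddress.IPv4Network((head, mask), strict=False), tokens[3:]
    if "/" in head:                                          # Method 1: count of significant bits
        return ipaddress.IPv4Network(head, strict=False), tokens[1:]
    return ipaddress.IPv4Network(head + "/32"), tokens[1:]  # plain address: all 32 bits significant


def parse_port(tokens: List[str]) -> Tuple[Optional[Callable[[int], bool]], List[str]]:
    """port-comp = 'port' compare port-num ; port-range = 'port' port-num ('<>' | '><') port-num"""
    if not tokens or tokens[0] != "port":
        return None, tokens
    if tokens[1] in COMPARES:
        cmp_fn, n = COMPARES[tokens[1]], _port_num(tokens[2])
        return (lambda p: cmp_fn(p, n)), tokens[3:]
    lo, rel, hi = _port_num(tokens[1]), tokens[2], _port_num(tokens[3])
    if rel == "<>":                                          # assumed: strictly between lo and hi
        return (lambda p: lo < p < hi), tokens[4:]
    if rel == "><":                                          # assumed: outside lo..hi
        return (lambda p: p < lo or p > hi), tokens[4:]
    raise ValueError(f"unknown port-range operator {rel!r}")


def parse_ip_range(text: str) -> Tuple[IpObject, IpObject, List[str]]:
    """ip-range = 'all' | 'from' ip-object 'to' ip-object [flags] [icmp].
    Returns (source, destination, leftover tokens); flags/icmp clauses are left uninterpreted."""
    tokens = text.split()
    if tokens == ["all"]:
        return IpObject(None), IpObject(None), []
    if tokens[0] != "from":
        raise ValueError("ip-range must be 'all' or start with 'from'")
    src_addr, rest = parse_addr(tokens[1:])
    src_port, rest = parse_port(rest)
    if not rest or rest[0] != "to":
        raise ValueError("expected 'to' after the source ip-object")
    dst_addr, rest = parse_addr(rest[1:])
    dst_port, rest = parse_port(rest)
    return IpObject(src_addr, src_port), IpObject(dst_addr, dst_port), rest


def range_matches(text: str, src_ip: str, dst_ip: str, src_port: Optional[int] = None,
                  dst_port: Optional[int] = None, iface_addrs: Optional[dict] = None) -> bool:
    """Does the ip-range in `text` select a packet with the given addresses and ports?"""
    src, dst, _ = parse_ip_range(text)
    ifaces = iface_addrs or {}
    return src.matches(src_ip, src_port, ifaces) and dst.matches(dst_ip, dst_port, ifaces)


if __name__ == "__main__":
    # Constructed interface table standing in for addresses learned at run time (e.g. via DHCP/PPP).
    ifaces = {("eth", 0): "192.0.2.10"}
    # Method 1 and Method 2 from the manual describe the same network.
    print(parse_addr(["10.1.2.0/24"])[0] == parse_addr(["10.1.2.0", "mask", "255.255.255.0"])[0])
    print(range_matches("from any to 10.1.2.98", "198.51.100.7", "10.1.2.98"))
    print(range_matches("from addr-eth 0 to any", "192.0.2.10", "203.0.113.1", iface_addrs=ifaces))
```

Because the parser returns a network object rather than the raw text, it makes the equivalence of the two mask methods explicit: 10.1.2.0/24 and 10.1.2.0 mask 255.255.255.0 (or mask ffffff00) all normalise to the same 24-bit network, which is a convenient way to review a script for rules that were meant to be identical but differ in a mask digit.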