User manual

Chapter 4 - Layer 3 Command Set - IP Networking Ipfw Command (IP Firewall)
Alvarion BreezeNET B130/B300 GigE 181 Operational User Manual
Our first example will be a filter prohibiting passage of any packet from some
"unreliable" address 1.1.1.1 to the address 2.2.2.2:
ipfw add reject all from 1.1.1.1 to 2.2.2.2
As enemies often attack in a united front, let us now bar the way to all packets from
the whole hostile network:
ipfw add reject all from 1.1.1.0/24 to 2.2.2.2
Here 24 after the slash is the mask length in bits. A mask length of 24
corresponds to a class C network with 256 different node addresses.
Using a colon (":"), the same command may be equally expressed as follows:
ipfw add reject all from 1.1.1.1:255.255.255.0 to 2.2.2.2
We can go even further, stopping all packets sent from the enemy network to any
address (provided of course that they pass through our device):
ipfw add reject all from 1.1.1.0/24 to 0/0
Filtering by port numbers
Now suppose that we want to allow anyone to reach an SMTP service (mail agent)
at the host with IP address 192.5.42.1. It may be done with the following
command:
ipfw add accept tcp from 0/0 to 192.5.42.1 25
The tcp keyword means that the filter applies to TCP packets only. The IP
address of the mail host is followed by the port number 25, corresponding to
the SMTP service.
You can use a port list to specify several ports in the same command. The first
element in a list may be an interval of port numbers, specified by its lowest and
highest values separated by a colon. For example, the following command
ipfw add accept tcp from 0/0 to 1.1.1.1 900:5000 25 113
will authorize passage of TCP packets sent to the IP address 1.1.1.1 if the
destination port number is within the 900 to 5000 interval (both limits
included), or is equal to 25 (smtp) or 113 (ident).
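To check how the address and port-list forms above combine before loading them on a device, the following added example (not part of the Alvarion manual) parses rules written in this page's syntax and evaluates constructed sample packets against them. It assumes first-match semantics and a caller-supplied default policy, neither of which the page states.

```python
import ipaddress

def parse_addr(spec):
    """Address forms used on this page: bare host, host/prefix-length,
    host:dotted-mask, and 0/0 for 'any'."""
    if ":" in spec:                       # 1.1.1.1:255.255.255.0
        host, mask = spec.split(":", 1)
    elif "/" in spec:                     # 1.1.1.0/24 or 0/0
        host, mask = spec.split("/", 1)
    else:                                 # bare host address
        host, mask = spec, "32"
    if host == "0":                       # ipaddress needs a full dotted quad
        host = "0.0.0.0"
    return ipaddress.ip_network(f"{host}/{mask}", strict=False)

def parse_ports(tokens):
    """Port list: only the first element may be a lo:hi interval (inclusive)."""
    ports = set()
    for i, tok in enumerate(tokens):
        if i == 0 and ":" in tok:
            lo, hi = (int(p) for p in tok.split(":", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(tok))
    return ports

def parse_rule(line):
    """'ipfw add <accept|reject> <all|tcp|udp> from SRC to DST [dports...]'"""
    t = line.split()
    assert t[:2] == ["ipfw", "add"] and t[4] == "from" and t[6] == "to", line
    return {"action": t[2], "proto": t[3], "src": parse_addr(t[5]),
            "dst": parse_addr(t[7]), "dports": parse_ports(t[8:])}

def matches(rule, pkt):
    if rule["proto"] != "all" and rule["proto"] != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    return not rule["dports"] or pkt.get("dport") in rule["dports"]

def verdict(rules, pkt, default="accept"):
    """Assumption: the first matching rule decides; 'default' applies otherwise."""
    for r in rules:
        if matches(r, pkt):
            return r["action"]
    return default

# Rules taken from the page; packets evaluated against them are constructed samples.
RULES = [parse_rule(l) for l in (
    "ipfw add reject all from 1.1.1.0/24 to 2.2.2.2",
    "ipfw add accept tcp from 0/0 to 192.5.42.1 25",
    "ipfw add accept tcp from 0/0 to 1.1.1.1 900:5000 25 113",
)]
```

Call `verdict(RULES, {"proto": "tcp", "src": "1.1.1.7", "dst": "2.2.2.2", "dport": 80})` to see the network-wide reject take effect, and vary `dport` around 900 and 5000 to confirm the interval is inclusive.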
All the subnetworks of the inner network, including the inner host address, belong
to the same network (or group of networks). Suppose that we know for certain that
no host in the outer network can have an address within the inner network's
address range. Therefore, any packet received on the rf5.0 interface of a device
running ipfirewall, hence from the outer network, but having a source address
within the inner network's address range, must be discarded.
It is done by the following command: