
AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers


RouterOS v3 Configuration and User Guide


Property Description

action (accept add-dst-to-address-list add-src-to-address-list drop jump log passthrough reject return tarpit; default: accept) - action to undertake if the packet matches the rule

accept - accept the packet. No action is taken, i.e. the packet is passed through and no more rules are applied to it

add-dst-to-address-list - adds the destination address of an IP packet to the address list specified by the address-list parameter

add-src-to-address-list - adds the source address of an IP packet to the address list specified by the address-list parameter

drop - silently drop the packet (without sending the ICMP reject message)

jump - jump to the chain specified by the value of the jump-target parameter

log - each match with this action will add a message to the system log

passthrough - ignores this rule and goes on to the next one

reject - reject the packet and send an ICMP reject message

return - passes control back to the chain from where the jump took place

tarpit - captures and holds incoming TCP connections (replies with SYN/ACK to the inbound TCP SYN packet)

address-list (name) - specifies the name of the address list in which to collect IP addresses from rules having action=add-dst-to-address-list or action=add-src-to-address-list. These address lists can later be used for packet matching

address-list-timeout (time; default: 00:00:00) - time interval after which the address will be removed from the address list specified by the address-list parameter. Used in conjunction with the add-dst-to-address-list and add-src-to-address-list actions

00:00:00 - leave the address in the address list forever

chain (forward input output name) - specifies the chain to put a particular rule into. As the different traffic is passed through different chains, always be careful in choosing the right chain for a new rule. If the input does not match the name of an already defined chain, a new chain will be created

comment (text) - a descriptive comment for the rule. A comment can be used to identify rules from scripts

connection-bytes (integer-integer) - matches packets only if a given amount of bytes has been transferred through the particular connection

0 - means infinity, exempli gratia: connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transferred through the relevant connection

connection-limit (integer,netmask) - restrict connection limit per address or address block

connection-mark (name) - matches packets marked via mangle facility with particular connection mark

connection-state (established invalid new related) - interprets the connection tracking analysis data for a particular packet

established - a packet which belongs to an existing connection, exempli gratia a reply packet or a packet which belongs to an already replied connection

invalid - a packet which could not be identified for some reason. This includes out of memory condition and ICMP errors which do not correspond to any known connection. It is generally advised to drop these packets

new - a packet which begins a new TCP connection

related - a packet which is related to, but not part of, an existing connection, such as ICMP errors or a packet which begins an FTP data connection (the latter requires the FTP connection tracking helper to be enabled under /ip firewall service-port)

connection-type (ftp gre h323 irc mms pptp quake3 tftp) - matches packets from related connections based on information from their connection tracking helpers. A relevant connection helper must be enabled under /ip firewall service-port

content (text) - the text packets should contain in order to match the rule

dscp (integer: 0..63) - DSCP (ex-ToS) IP header field value

dst-address (IP address/netmask | IP address-IP address) - specifies the address range an IP packet is destined to. Note that the console converts an entered address/netmask value to a valid network address, i.e.: 1.1.1.1/24 is converted to 1.1.1.0/24

dst-address-list (name) - matches the destination address of a packet against a user-defined address list

dst-address-type (unicast local broadcast multicast) - matches the destination address type of the IP packet, one of the:

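A defender-oriented input-chain filter that combines the properties described above (connection-state, jump/return, connection-limit, add-src-to-address-list with address-list-timeout, log), as an added example that is not from the manual. The chain name ssh-limit, the list name ssh-blacklist, the trusted subnet 192.168.1.0/24 and the 5-connection threshold are assumptions chosen for illustration.

```routeros
# Added example, not from the Allied Telesis manual. Chain name "ssh-limit",
# list name "ssh-blacklist", the trusted subnet 192.168.1.0/24 and the
# 5-connection threshold are assumptions chosen for illustration.
/ip firewall filter
# connection-state: discard invalid packets first, then let traffic belonging
# to existing connections through without evaluating the rest of the chain
add chain=input connection-state=invalid action=drop comment="drop invalid"
add chain=input connection-state=established action=accept comment="accept established"
add chain=input connection-state=related action=accept comment="accept related"
# src-address-list: hosts already on the dynamic list are dropped outright
add chain=input src-address-list=ssh-blacklist action=drop comment="drop listed hosts"
# jump: new SSH connections are handed to a dedicated chain; the chain is
# created automatically the first time a rule names it
add chain=input protocol=tcp dst-port=22 connection-state=new action=jump jump-target=ssh-limit comment="new SSH to ssh-limit"
# return: trusted management hosts leave the chain immediately
add chain=ssh-limit src-address=192.168.1.0/24 action=return comment="trusted mgmt net"
# connection-limit + add-src-to-address-list + address-list-timeout: a source
# holding more than 5 SSH connections (grouped per /32) is listed for one day;
# the add action does not terminate rule processing, so the next rule drops it
add chain=ssh-limit connection-limit=5,32 action=add-src-to-address-list address-list=ssh-blacklist address-list-timeout=1d comment="over limit: list for 1d"
add chain=ssh-limit src-address-list=ssh-blacklist action=drop comment="drop newly listed"
# log: record every remaining new SSH connection, then go back to input
add chain=ssh-limit action=log log-prefix="ssh-new:" comment="log new SSH"
add chain=ssh-limit action=return
# a packet returning from ssh-limit is a permitted SSH connection
add chain=input protocol=tcp dst-port=22 action=accept comment="accept SSH"
```

Entries added to ssh-blacklist expire on their own after the address-list-timeout, so a host that stops exceeding the limit regains access without manual cleanup.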