Chapter 5: Ethernet Interface Commands

Efficient Networks® Router family

Command Line Interface Guide

-dp <ICMP type> <first dest port>[:<last dest port>]

The packet must have a destination port that matches the specified ICMP type or that is within the specified port range. If only one port is specified, the packet must have that destination port. If no destination port is specified, the filter matches any destination port in the range 0:0xffff.

-tcp syn | ack | noflag | rst

If the IP packet is a TCP packet, the filter matches the packet only if the packet flag settings are as specified. If no -tcp option is specified for the filter, flag settings are not checked.

NOTE:

More than one -tcp option may be specified for the IP filter.

The syn, ack, and noflag settings work together as follows:

Specify -tcp syn if the TCP SYN flag must be set.

Specify -tcp ack if the TCP ACK flag must be set.

Specify -tcp noflag if neither the SYN flag nor the ACK flag can be set.

For example, for the IP filter to match the initiation of a TCP connection, specify -tcp syn. The filter will match TCP packets that have the TCP SYN flag set but not the TCP ACK flag set. For the filter to match the response to initiation of a TCP connection, specify -tcp syn and -tcp ack. The filter will match only TCP packets with both the TCP SYN and TCP ACK flags set.

The -tcp rst setting is independent of the others; if you specify -tcp rst for the filter, the filter matches every TCP packet with the TCP RESET flag set, regardless of the other flag settings. For example, for the filter to match packets for “established” connections, you would specify both -tcp rst and -tcp ack so that the filter is applied to every TCP packet that has either the RESET flag or the ACK flag set.

The following <parameter>s request additional filter options.

-b

This option requests that this filter be compared twice with each packet. The first time, the source filter information is matched against the source information in the IP packet and the destination filter information is matched against the destination information in the IP packet. The second time, the source filter information is matched against the destination information in the IP packet and the destination filter information is matched against the source information in the IP packet.

-c <count of times rule used>

This option requests a counter for this filter. If specified, a count is kept of how many IP packets have matched this filter since the router was rebooted. To see the current count for a filter, use the eth ip filter list command. To clear a counter, use the eth ip filter clear command.

-ipsec <IPSec record name>

Use this option when the action specified is inipsec or outipsec. It specifies the IPSec Security Association that uses the filter.
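The -tcp, -dp and -b rules above combine in a way that is easy to get wrong when auditing a filter set (for instance, -tcp syn alone excludes SYN+ACK, while -tcp rst ORs with the other keywords). The following is an added model of those matching rules, written for this page and not code from the Efficient Networks router or its manual; the Packet and IpFilter names and the port-range tuples are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src_port: int
    dst_port: int
    syn: bool = False
    ack: bool = False
    rst: bool = False

@dataclass
class IpFilter:
    sp: tuple = (0, 0xFFFF)        # -sp range; no port given means 0:0xffff (any)
    dp: tuple = (0, 0xFFFF)        # -dp range, same default
    tcp: frozenset = frozenset()   # -tcp keywords given: syn, ack, noflag, rst
    bidir: bool = False            # -b: also compare with source/destination swapped

def flags_match(flt: IpFilter, pkt: Packet) -> bool:
    """-tcp rules: no -tcp option means flags are not checked; rst is independent
    of the others; syn, ack and noflag constrain the SYN/ACK flags."""
    if not flt.tcp:
        return True
    if "rst" in flt.tcp and pkt.rst:
        return True
    want = flt.tcp - {"rst"}
    if not want:                                  # only -tcp rst, and RST is clear
        return False
    if "noflag" in want:                          # neither SYN nor ACK may be set
        return not pkt.syn and not pkt.ack
    if ("syn" in want and not pkt.syn) or ("ack" in want and not pkt.ack):
        return False
    # -tcp syn on its own matches connection initiation only: SYN set, ACK clear
    return not (want == {"syn"} and pkt.ack)

def in_range(port: int, rng: tuple) -> bool:
    return rng[0] <= port <= rng[1]

def matches(flt: IpFilter, pkt: Packet) -> bool:
    """Ports compared once, or twice with -b (second pass swaps the sides)."""
    if not flags_match(flt, pkt):
        return False
    if in_range(pkt.src_port, flt.sp) and in_range(pkt.dst_port, flt.dp):
        return True
    return flt.bidir and in_range(pkt.dst_port, flt.sp) and in_range(pkt.src_port, flt.dp)
# Filters corresponding to the manual's worked examples above
SYN_ONLY = IpFilter(tcp=frozenset({"syn"}))            # connection initiation
SYN_ACK = IpFilter(tcp=frozenset({"syn", "ack"}))      # response to initiation
ESTABLISHED = IpFilter(tcp=frozenset({"rst", "ack"}))  # "established" connections
HTTP_BOTH_WAYS = IpFilter(dp=(80, 80), bidir=True)     # -dp 80 with -b
```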

Page 5-24
