Static filter rules

Each static filter rule contains space-separated fields.

The following list provides the name of each field in a static filter rule followed by an example from rule 1 in parentheses:

  • Rule_number (1)
  • Action (permit)
  • Source_addr (0.0.0.0)
  • Source_mask (0.0.0.0)
  • Dest_addr (0.0.0.0)
  • Dest_mask (0.0.0.0)
  • Source_routing (no)
  • Protocol (udp)
  • Src_prt_operator (eq)
  • Src_prt_value (4001)
  • Dst_prt_operator (eq)
  • Dst_prt_value (4001)
  • Scope (both)
  • Direction (both)
  • Logging (no)
  • Fragment (all packets)
  • Tunnel (0)
  • Interface (all)

Example of static filter rules

1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both both no all packets 0 all
2 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no ah any 0 any 0 both both no all packets 0 all
3 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no esp any 0 any 0 both both no all packets 0 all
4 permit 10.0.0.1 255.255.255.255 10.0.0.2 255.255.255.255 no all any 0 any 0 both outbound no all packets 1 all outbound traffic
5 permit 10.0.0.2 255.255.255.255 10.0.0.1 255.255.255.255 no all any 0 any 0 both inbound no all packets 1 all
6 permit 10.0.0.1 255.255.255.255 10.0.0.3 255.255.255.255 no tcp lt 1024 eq 514 local outbound yes all packets 2 all
7 permit 10.0.0.3 255.255.255.255 10.0.0.1 255.255.255.255 no tcp/ack eq 514 lt 1024 local inbound yes all packets 2 all
8 permit 10.0.0.1 255.255.255.255 10.0.0.3 255.255.255.255 no tcp/ack lt 1024 lt 1024 local outbound yes all packets 2 all
9 permit 10.0.0.3 255.255.255.255 10.0.0.1 255.255.255.255 no tcp lt 1024 lt 1024 local inbound yes all packets 2 all
10 permit 10.0.0.1 255.255.255.255 10.0.0.4 255.255.255.255 no icmp any 0 any 0 local outbound yes all packets 3 all
11 permit 10.0.0.4 255.255.255.255 10.0.0.1 255.255.255.255 no icmp any 0 any 0 local inbound yes all packets 3 all
12 permit 10.0.0.1 255.255.255.255 10.0.0.5 255.255.255.255 no tcp gt 1023 eq 21 local outbound yes all packets 4 all
13 permit 10.0.0.5 255.255.255.255 10.0.0.1 255.255.255.255 no tcp/ack eq 21 gt 1023 local inbound yes all packets 4 all
14 permit 10.0.0.5 255.255.255.255 10.0.0.1 255.255.255.255 no tcp eq 20 gt 1023 local inbound yes all packets 4 all
15 permit 10.0.0.1 255.255.255.255 10.0.0.5 255.255.255.255 no tcp/ack gt 1023 eq 20 local outbound yes all packets 4 all
16 permit 10.0.0.1 255.255.255.255 10.0.0.5 255.255.255.255 no tcp gt 1023 gt 1023 local outbound yes all packets 4 all
17 permit 10.0.0.5 255.255.255.255 10.0.0.1 255.255.255.255 no tcp/ack gt 1023 gt 1023 local inbound yes all packets 4 all
18 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no all any 0 any 0 both both yes all packets

Each rule in the previous example is described as follows:

Rule 1
For the Session Key daemon. This rule only appears in IP Version 4 filter tables. It uses port number 4001 to control packets for refreshing the session key. Rule 1 is an example of how the port number can be used for a specific purpose.
Note: Do not modify this filter rule, except for logging purposes.
Rules 2 and 3
Allow processing of authentication headers (AH) and encapsulating security payload (ESP) headers.
Note: Do not modify Rules 2 and 3, except for logging purposes.
Rules 4 and 5
Set of autogenerated rules that filter traffic between addresses 10.0.0.1 and 10.0.0.2 through tunnel 1. Rule 4 is for outbound traffic, and rule 5 is for inbound traffic.
Note: Rule 4 has a user-defined description of outbound traffic.
Rules 6 through 9
Set of user-defined rules that filter outbound rsh, rcp, rdump, rrestore, and rdist services between addresses 10.0.0.1 and 10.0.0.3 through tunnel 2. In this example, logging is set to Yes, so that the administrator can monitor this type of traffic.
Rules 10 and 11
Set of user-defined rules that filter both inbound and outbound icmp services of any type between addresses 10.0.0.1 and 10.0.0.4 through tunnel 3.
Rules 12 through 17
User-defined filter rules that filter outbound file transfer protocol (FTP) service from 10.0.0.1 to 10.0.0.5 through tunnel 4.
Rule 18
Autogenerated rule always placed at the end of the table. In this example, it permits all packets that do not match the other filter rules. It can be set to deny all traffic not matching the other filter rules.

Each rule can be viewed separately (using lsfilt) to list each field with its value. For example:

Rule 1:
Rule action          : permit
Source Address       : 0.0.0.0
Source Mask          : 0.0.0.0
Destination Address  : 0.0.0.0
Destination Mask     : 0.0.0.0
Source Routing       : yes
Protocol             : udp
Source Port          : eq  4001
Destination Port     : eq  4001
Scope                : both
Direction            : both
Logging control      : no
Fragment control     : all packets
Tunnel ID number     : 0
Interface            : all
Auto-Generated       : yes

The following list contains all the parameters that can be specified in a filter rule:

-v   IP Version: 4 or 6.
-a   Action:
       d   Deny
       p   Permit
-s   Source address. Can be an IP address or hostname.
-m   Source subnet mask.
-d   Destination address. Can be an IP address or hostname.
-M   Destination subnet mask.
-g   Source routing control: y or n.
-c   Protocol. Values can be udp, icmp, tcp, tcp/ack, ospf, pip, esp, ah, and all.
-o   Source port or ICMP type operation.
-p   Source port or ICMP type value.
-O   Destination port or ICMP code operation.
-P   Destination port or ICMP code value.
-r   Routing:
       r   Forwarded packets.
       l   Locally destined/originated packets.
       b   Both.
-l   Log control:
       y   Include in log.
       n   Do not include in log.
-f   Fragmentation:
       y   Applies to fragment headers, fragments, and non-fragments.
       o   Applies only to fragments and fragment headers.
       n   Applies only to non-fragments.
       h   Applies only to non-fragments and fragment headers.
-t   Tunnel ID.
-i   Interface, such as tr0 or en0.

For more information, see the genfilt and chfilt command descriptions.
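The following Python is an added example, not code from this page or from the AIX genfilt, chfilt or lsfilt commands it describes. It serves both the rule listing with its descriptions and the parameter list above: it parses rule lines in the field order given at the top of the page (including the two-word fragment value "all packets" and the optional trailing description), applies a table to a packet with the first-match semantics the text describes for rule 18, and renders a parsed rule as the genfilt flags listed above. The four-rule table and the packets are constructed for the example. The Packet class, the spelling "route" for the forwarded-packet scope, the treatment of a tunnel-0 rule as applying to traffic on any tunnel, and the -w direction flag (which the parameter list on this page does not include) are assumptions.

```python
"""Added example: parse static filter rules in the field order given above, apply
them to a packet with first-match semantics, and render the equivalent genfilt flags."""
from dataclasses import dataclass
from ipaddress import IPv4Address

FIELD_NAMES = ["rule_number", "action", "source_addr", "source_mask", "dest_addr",
               "dest_mask", "source_routing", "protocol", "src_prt_operator",
               "src_prt_value", "dst_prt_operator", "dst_prt_value", "scope",
               "direction", "logging", "fragment", "tunnel", "interface"]

def parse_rule(line):
    """Split one rule line into a dict; 'all packets' is one fragment value, and
    any tokens after the interface form the optional user-defined description."""
    tokens, fields, i = line.split(), {}, 0
    for name in FIELD_NAMES:
        if i >= len(tokens):
            raise ValueError(f"missing {name} field in rule: {line!r}")
        if name == "fragment" and tokens[i:i + 2] == ["all", "packets"]:
            fields[name], i = "all packets", i + 2
        else:
            fields[name], i = tokens[i], i + 1
    fields["description"] = " ".join(tokens[i:])
    fields["rule_number"], fields["tunnel"] = int(fields["rule_number"]), int(fields["tunnel"])
    return fields

@dataclass
class Packet:                # assumed packet model for the example
    src: str
    dst: str
    protocol: str            # "tcp", "udp", "icmp", ...
    src_port: int = 0        # source port or ICMP type
    dst_port: int = 0        # destination port or ICMP code
    direction: str = "inbound"
    local: bool = True       # locally destined/originated (True) or forwarded (False)
    interface: str = "en0"
    tunnel: int = 0          # 0: not carried through a tunnel
    ack: bool = False        # TCP ACK flag, used by the tcp/ack protocol value

def _addr_matches(addr, mask, candidate):
    a, m, c = (int(IPv4Address(x)) for x in (addr, mask, candidate))
    return (c & m) == (a & m)

def _port_matches(op, value, actual):
    if op == "any":
        return True
    value = int(value)   # only the operators shown on this page are implemented
    return {"eq": actual == value, "lt": actual < value, "gt": actual > value}[op]

def _protocol_matches(rule_proto, pkt):
    if rule_proto == "all":
        return True
    if rule_proto == "tcp/ack":   # TCP segments with the ACK flag set only
        return pkt.protocol == "tcp" and pkt.ack
    return rule_proto == pkt.protocol

def rule_matches(rule, pkt):
    # Assumptions: 'route' is the scope word for forwarded packets; tunnel 0 matches any packet.
    return (_addr_matches(rule["source_addr"], rule["source_mask"], pkt.src)
            and _addr_matches(rule["dest_addr"], rule["dest_mask"], pkt.dst)
            and _protocol_matches(rule["protocol"], pkt)
            and _port_matches(rule["src_prt_operator"], rule["src_prt_value"], pkt.src_port)
            and _port_matches(rule["dst_prt_operator"], rule["dst_prt_value"], pkt.dst_port)
            and rule["scope"] in ("both", "local" if pkt.local else "route")
            and rule["direction"] in ("both", pkt.direction)
            and rule["interface"] in ("all", pkt.interface)
            and rule["tunnel"] in (0, pkt.tunnel))

def first_match(table, pkt):
    """Rules apply in order; the first match decides (rule_number, action)."""
    for rule in table:
        if rule_matches(rule, pkt):
            return rule["rule_number"], rule["action"]
    raise LookupError("no rule matched; a table should end with a catch-all rule")

# Flag letters from the parameter list above.  -w (direction) is an assumption,
# as this page's list does not include it; -f is mapped only for 'all packets'.
ACTION_FLAG, YN_FLAG = {"permit": "p", "deny": "d"}, {"yes": "y", "no": "n"}
SCOPE_FLAG = {"route": "r", "local": "l", "both": "b"}
DIRECTION_FLAG = {"inbound": "i", "outbound": "o", "both": "b"}
FRAGMENT_FLAG = {"all packets": "y"}

def to_genfilt(r, ip_version=4):
    """Render a parsed rule as a genfilt command line (description not rendered)."""
    return " ".join(["genfilt", "-v", str(ip_version), "-a", ACTION_FLAG[r["action"]],
                     "-s", r["source_addr"], "-m", r["source_mask"],
                     "-d", r["dest_addr"], "-M", r["dest_mask"],
                     "-g", YN_FLAG[r["source_routing"]], "-c", r["protocol"],
                     "-o", r["src_prt_operator"], "-p", r["src_prt_value"],
                     "-O", r["dst_prt_operator"], "-P", r["dst_prt_value"],
                     "-r", SCOPE_FLAG[r["scope"]], "-w", DIRECTION_FLAG[r["direction"]],
                     "-l", YN_FLAG[r["logging"]], "-f", FRAGMENT_FLAG[r["fragment"]],
                     "-t", str(r["tunnel"]), "-i", r["interface"]])

# Constructed four-rule table: session-key traffic, an rsh pair through tunnel 2,
# and a final catch-all set to deny rather than permit.
SAMPLE_TABLE = [parse_rule(line) for line in """
1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both both no all packets 0 all
2 permit 10.0.0.1 255.255.255.255 10.0.0.3 255.255.255.255 no tcp lt 1024 eq 514 local outbound yes all packets 2 all
3 permit 10.0.0.3 255.255.255.255 10.0.0.1 255.255.255.255 no tcp/ack eq 514 lt 1024 local inbound yes all packets 2 all
4 deny 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no all any 0 any 0 both both yes all packets 0 all default deny
""".strip().splitlines()]
```

With this table, an rsh connection request from 10.0.0.1 (source port below 1024) to port 514 on 10.0.0.3 through tunnel 2 is decided by rule 2, the reply segments from 10.0.0.3 are accepted by rule 3 only when their ACK flag is set, and anything else, such as a connection attempt originating from 10.0.0.3 or a client using a source port of 1024 or higher, falls through to the catch-all deny. The parser also rejects a line that stops before the tunnel and interface fields, which is what a truncated rule line like rule 18 above would produce.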