Firewall rule language

A firewall rule consists of several statements (or clauses) that define the traffic for which the rule applies. When you manually create firewall rules for the Network IPS appliance, use clauses, conditions, and expressions.

Firewall clauses

A firewall rule consists of several clauses that are chained together to match specific criteria for each packet. The clauses represent specific layers in the protocol stack. Each clause can be broken down into conditions and expressions. The expressions are the variable part of the rule in which you put the address, port, or numeric parameters.

Table 1. Firewall clauses

Adapter clause
  Description: Attaches the rule to a specific adapter or set of adapters, identified by the letters A through P. The supported adapter expressions are any and the letters A through P. If you do not specify an adapter clause, the rule matches packets on any adapter.
  Examples:
    adapter <adapter-id>
    adapter A
    adapter any
    adapter A,C
    adapter A-C

Ethernet clause
  Description: Specifies either a network protocol type or a virtual LAN (VLAN) identifier to match the 802.1 frame. You can use the Ethernet clause to filter 802.1q VLAN traffic or to allow or deny specific Ethernet protocol types. The list of protocol types is published at the Internet Assigned Numbers Authority (IANA) site.
  Ethernet protocol constants can be specified in decimal, octal, hexadecimal, or alias notation. To make it easier to block specific types of Ethernet traffic, you can specify an alias instead of the well-known number. In some cases an alias matches more than one protocol number (for example, IPX and PPPoE).
  Examples:
    ether proto <protocol-id>
    ether proto {arp|aarp|atalk|ipx|mpls|netbui|pppoe|rarp|sna|xns}
    ether vid <vlan-number>
    ether vid <vlan-number> proto <protocol-id>
    ether vid 1 proto 0x0800
    ether vid 2 proto 0x86dd
    ether vid 3-999 proto 0x0800,0x86dd

IPv4 datagram clause
  Description: Specifies IPv4 addresses and transport-level filtering fields such as TCP/UDP source or destination ports, ICMP type or code, or a specific IP protocol number. The IP datagram clause identifies the protocol and the protocol-specific conditions that must be satisfied for the statement to match. Currently, only ICMP, TCP, and UDP conditions are supported, but you can specify filters that are based on any IP protocol. If you do not specify an IP datagram clause, the statement matches any IP datagram protocol.
  The first and second statements block IP packets whose source address or destination address, respectively, matches the IPv4 address expression. The third statement blocks IP packets whose source or destination address matches the IPv4 address expression. The fourth statement blocks IP packets that match the protocol type. The fifth statement combines the first and second statements. The sixth statement combines the first, second, and fourth statements.
    1. ip src addr <ipv4-addr>
    2. ip dst addr <ipv4-addr>
    3. ip addr <ipv4-addr>
    4. ip proto <protocol-type>
    5. ip src addr <ipv4-addr> dst addr <ipv4-addr>
    6. ip src addr <ipv4-addr> dst addr <ipv4-addr> proto <protocol-type>
  Examples:
    ip addr 192.168.10.1/24
    ip addr 192.168.10.0-192.168.10.255

IPv6 datagram clause
  Description: The IPv6 datagram clause identifies the protocol and the protocol-specific conditions that must be satisfied for the statement to match. Currently, only ICMPv6, TCP, and UDP conditions are supported, but you can specify filters that are based on any IPv6 protocol. If you do not specify an IPv6 datagram clause, the statement matches any IPv6 datagram protocol.
  The first and second statements block IPv6 packets whose source address or destination address, respectively, matches the IPv6 address expression. The third statement blocks IPv6 packets whose source or destination address matches the IPv6 address expression. The fourth statement blocks IPv6 packets that match the protocol type. The fifth statement combines the first and second statements. The sixth statement combines the first, second, and fourth statements.
    1. ipv6 src addr <ipv6-addr>
    2. ipv6 dst addr <ipv6-addr>
    3. ipv6 addr <ipv6-addr>
    4. ipv6 proto <protocol-type>
    5. ipv6 src addr <ipv6-addr> dst addr <ipv6-addr>
    6. ipv6 src addr <ipv6-addr> dst addr <ipv6-addr> proto <protocol-type>
  Examples:
    ipv6 addr FF01:0:0:0:0:0:0:101
    ipv6 addr 12AB:0:0:CD30::/60
    ipv6 addr FF01::101-FF01:0:0:0:0:0:0:200

Firewall conditions

Table 2. Firewall conditions

TCP and UDP conditions
  Description: Specify TCP and UDP port numbers in decimal, octal, or hexadecimal notation. The value range is 0 through 65535.
  Examples:
    tcp src port <tcp-udp-port>
    tcp dst port <tcp-udp-port>
    tcp dst port <tcp-udp-port> src port <tcp-udp-port>
    udp src port <tcp-udp-port>
    udp dst port <tcp-udp-port>
    udp dst port <tcp-udp-port> src port <tcp-udp-port>

ICMP conditions
  Description: Specify ICMP type and code values in decimal, octal, or hexadecimal notation. The valid type and code numbers are published at the Internet Assigned Numbers Authority (IANA) site.
  Examples:
    icmp type <protocol-type>
    icmp code <message-code>
    icmp type <protocol-type> code <message-code>

ICMPv6 conditions
  Description: Specify ICMPv6 type and code values in decimal, octal, or hexadecimal notation. The valid type and code numbers are published at the Internet Assigned Numbers Authority (IANA) site.
  Examples:
    icmpv6 type <protocol-type>
    icmpv6 code <message-code>
    icmpv6 type <protocol-type> code <message-code>

Expressions

An expression describes a list of header values that the protocol parser of the clause must match. Each clause is responsible for matching one specific layer in the protocol stack, so the syntax and the accepted range of values are controlled by the clause. An expression can be a single value, a comma-separated list of values, or a range. Expressions specify the following values:
  • Adapter numbers
  • IPv4 addresses
  • IPv6 addresses
  • TCP and UDP port numbers
  • ICMP message type and codes
  • ICMPv6 message type and codes
  • IP datagram protocol numbers

Examples:

<value>
<value>, <value>
<value> - <value>

Expressions that begin with an exclamation mark (!) are called not-expressions. Not-expressions match all values except those values that you specify. Not-expressions that do not match any values generate an error.

IPv4 address expression examples

Each <n> is a hexadecimal or decimal number in the range 0 to 255. All hexadecimal numbers must use a 0x prefix.

Table 3. IPv4 address syntax
Example Description
n.n.n.n Single address
n.n.n.n, n.n.n.n Address list
n.n.n.n/<netmask> Address block in CIDR format; the netmask value must be in the range 1 to 32
n.n.n.n - n.n.n.n Address range, where the first address must be smaller than the last

IPv6 address expression examples

Each <n> is a hexadecimal digit (0 - F). You can reduce any four-digit group of zeros within an IPv6 address to a single zero or omit it altogether.

Table 4. IPv6 address syntax
Example Description
nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn Single address
nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn, nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn Address list
nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn/<prefix> Address block in CIDR format; the prefix value must be in the range 1 to 128
nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn - nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn Address range, where the first address must be smaller than the last

TCP/UDP ports, protocol identifiers, or numbers

Every constant must lie within the range that the field requires; otherwise the parser rejects the clause.

0xFFFF
65535
0, 1, 2
0 - 2
!(3 - 65535)
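The expression forms in this section (single value, comma list, range, CIDR block, and not-expressions) and the clause chaining described under Firewall clauses, worked through as an added Python example that is not part of the IBM documentation or of the appliance's own parser: it parses an expression against the limits the page states, rejects a not-expression that would match no values, and evaluates a simplified adapter/ip/tcp/udp/icmp rule against a constructed packet. The function names, the packet field names, and the limits assumed for adapter, proto, type and code (the page states only the port range and the 1 to 32 netmask) are assumptions; the ether and IPv6 clauses are left out.

```python
# Added example (not IBM's code): a parser/matcher for the expression syntax
# above, and a simplified evaluator for adapter/ip/tcp/udp/icmp clause chains.
import ipaddress
import re


def _num(token):
    """Constant in decimal, C-style octal (leading 0) or 0x hexadecimal."""
    t = token.strip().lower()
    if t.startswith("0x"):
        return int(t[2:], 16)
    return int(t, 8) if len(t) > 1 and t[0] == "0" else int(t)


# field -> (low, high, converter).  The port range and the 1-32 netmask come
# from the page; the adapter, proto, type and code limits are assumptions.
FIELDS = {
    "adapter": (0, 15, lambda t: ord(t.strip().upper()) - ord("A")),  # A..P
    "addr": (0, 0xFFFFFFFF, lambda t: int(ipaddress.IPv4Address(t.strip()))),
    "port": (0, 0xFFFF, _num),
    "proto": (0, 0xFF, _num),
    "type": (0, 0xFF, _num),
    "code": (0, 0xFF, _num),
}
LAYERS = {"ip", "tcp", "udp", "icmp"}  # IPv4 only in this example


def _covers(intervals, lo, hi):
    """True when the union of the intervals spans every value in lo..hi."""
    nxt = lo
    for start, end in sorted(intervals):
        if start > nxt:
            return False
        nxt = max(nxt, end + 1)
    return nxt > hi


def parse_expression(text, field):
    """Return (negated, [(start, end), ...]); raise ValueError when invalid."""
    lo, hi, conv = FIELDS[field]
    text = text.strip()
    if text.lower() == "any":               # 'adapter any'
        return False, [(lo, hi)]
    negated = text.startswith("!")
    if negated:
        text = text[1:].strip().strip("()")
    intervals = []
    for item in (s.strip() for s in text.split(",")):
        if field == "addr" and "/" in item:  # CIDR form, netmask 1..32
            if not 1 <= int(item.split("/", 1)[1]) <= 32:
                raise ValueError(f"netmask out of range: {item}")
            net = ipaddress.IPv4Network(item, strict=False)
            start, end = int(net.network_address), int(net.broadcast_address)
        elif "-" in item:                    # range: first value must be smaller
            start, end = (conv(p) for p in item.split("-", 1))
            if start >= end:
                raise ValueError(f"range start not smaller than end: {item}")
        else:
            start = end = conv(item)
        if start < lo or end > hi:
            raise ValueError(f"{item} outside {field} range {lo}-{hi}")
        intervals.append((start, end))
    if negated and _covers(intervals, lo, hi):  # '!' must leave some values
        raise ValueError(f"not-expression matches no values: !{text}")
    return negated, intervals


def matches(expr, value):
    negated, intervals = expr
    return any(s <= value <= e for s, e in intervals) != negated


def compile_rule(rule):
    """'adapter A ip src addr 10.0.0.0/8 tcp dst port 80, 443' ->
    [('adapter', expr), ('ip.src.addr', expr), ('tcp.dst.port', expr)]."""
    rule = re.sub(r"\s*([,\-])\s*", r"\1", rule)  # '80, 443' -> '80,443'
    rule = re.sub(r"\s*\)", ")", re.sub(r"!\s*\(\s*", "!(", rule))
    tokens, conds, layer, direction, i = rule.split(), [], None, "", 0
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok == "adapter":
            conds.append(("adapter", parse_expression(tokens[i + 1], "adapter")))
            i += 2
        elif tok in LAYERS:
            layer, direction, i = tok, "", i + 1
        elif tok in ("src", "dst"):
            direction, i = tok, i + 1
        elif tok in FIELDS and layer:
            key = ".".join(p for p in (layer, direction, tok) if p)
            conds.append((key, parse_expression(tokens[i + 1], tok)))
            direction, i = "", i + 2
        else:
            raise ValueError(f"unexpected token: {tokens[i]}")
    return conds


def rule_matches(conds, packet):
    """packet maps compile_rule field names to ints; every condition must hold.
    'ip addr' with no direction matches either the source or the destination."""
    for key, expr in conds:
        keys = ("ip.src.addr", "ip.dst.addr") if key == "ip.addr" else (key,)
        if not any(packet.get(k) is not None and matches(expr, packet[k]) for k in keys):
            return False
    return True


# Constructed sample: an HTTP request from the inside network seen on adapter A.
SAMPLE_PACKET = {
    "adapter": 0, "ip.src.addr": int(ipaddress.IPv4Address("192.168.10.25")),
    "ip.dst.addr": int(ipaddress.IPv4Address("198.51.100.7")), "ip.proto": 6,
    "tcp.src.port": 51234, "tcp.dst.port": 80,
}
```

With this packet, `rule_matches(compile_rule("adapter A ip src addr 192.168.10.0/24 proto 6 tcp dst port 80, 443"), SAMPLE_PACKET)` is true, `tcp dst port !(3 - 65535)` is false (port 80 lies inside the excluded range), and `parse_expression("!(0 - 65535)", "port")` raises because the not-expression leaves nothing to match. A rule that names a layer the packet does not carry (for example `udp dst port 53` against this TCP packet) never matches, which is the conservative behaviour you want from a filter.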