Miscellaneous rules

Packet marking

Packet marking is used to mark packets passing through the firewall. The mark can then be consumed by other components, for example traffic-shaping tools.

Marking rules are specified through the array MARK. The syntax of a mark rule is given below as <mark>.


\begin{grammar}
<mark_value> ::= <int>
\par <mark> ::= <zone> <mark_value> <proto_ip>
\end{grammar}

Packets originating from the current zone, destined for the specified <zone>, and matching <proto_ip> are marked with the value <mark_value>.

Example

MARK[0]="ALL 1 tcp ALL 0.0.0.0/0=>0.0.0.0/0"
This rule will mark any packets leaving the current zone with mark value '1'.

Traffic monitoring

This rule is used to monitor traffic going into or leaving the current zone. Monitored packets are logged to the system log for later inspection.

Monitoring is done per IP address. There is a single variable for this, WATCH_IP, holding the list of addresses to watch. Its grammar is given below as <watch_ip>.


\begin{grammar}
<watch_ip> ::= <ip_address> <watch_ip> \vert <empty>
\end{grammar}

Example

WATCH_IP="10.0.0.1 10.0.0.2"
Any packet entering or leaving the current zone that is destined for, or originates from, IP address 10.0.0.1 or IP address 10.0.0.2 is logged to the system log.

Denying communication to MAC addresses

Communication with machines having a specific MAC address can be prohibited. Due to the nature of Ethernet, only packets received from the offending machine can be prohibited.

To prohibit communication from a list of MAC addresses, a single variable MAC_DROP is used. The grammar is given below as <mac_drop>.


\begin{grammar}
<mac_drop> ::= <mac_address> <mac_drop> \vert <empty>
\end{grammar}

Example

MAC_DROP="12:23:34:45:56:67"
This will drop all packets originating from the machine with MAC address 12:23:34:45:56:67 in the internal zone.

Denying communication to IP addresses

To deny communication to and from a machine in the zone, it is possible to specify a list of IP addresses whose packets are to be dropped.

This is specified by the variable IP_DROP. The grammar is specified below as <ip_drop>.


\begin{grammar}
<ip_drop_alt> ::= <ip_address> <ip_drop>
\par <ip_drop> ::= <ip_drop_alt> \vert <empty>
\end{grammar}

Example

IP_DROP="10.0.0.10"
This will drop all communication to and from the machine with IP address 10.0.0.10.

Clearing ECN bits from packets

Explicit congestion notification, RFC 3168, was defined as an Internet standard in September 2001. Unfortunately, many servers still drop all packets with the ECN bits set. As a workaround for this problem, this option allows specifying a list of servers that do not accept packets with the ECN bits set; the bits are cleared on packets sent to those servers.

The list of servers is specified by the variable ECN_REMOVE. The grammar is specified below as <ecn_remove>.


\begin{grammar}
<ecn_remove_alt> ::= <ip_address> <ecn_remove>
\par <ecn_remove> ::= <ecn_remove_alt> \vert <empty>
\end{grammar}

Example

ECN_REMOVE="10.0.0.10"
This will clear the ECN bits in all packets destined for the machine with IP address 10.0.0.10.
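The five variables above (MARK, WATCH_IP, MAC_DROP, IP_DROP and ECN_REMOVE) are all read from shell-style assignments and each has a small grammar. The following Python validator is an added example, not part of this manual or the firewall's own code: it parses such assignments, checks every value against the grammar given for its variable (the four list variables share the recursive "item list or empty" shape), and reports rejected entries with their line numbers. Two points are assumptions rather than statements of the manual: the <proto_ip> part of a mark rule is kept opaque because its grammar is defined elsewhere, and the 32-bit upper bound on <mark_value> comes from the kernel's packet-mark field, while the manual only says <int>. The sample configuration is constructed from this page's own examples plus one deliberately malformed MARK entry.

```python
"""Validator for the miscellaneous-rule variables described above (MARK,
WATCH_IP, MAC_DROP, IP_DROP and ECN_REMOVE).

Added example: this is not the firewall's own code.  It reads shell-style
assignments of the form shown in the examples and checks each value against
the grammar given for it, reporting malformed entries with their line number.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the five examples from this page plus one deliberately
# malformed MARK entry (non-integer mark value) to exercise the error path.
SAMPLE_CONFIG = """
MARK[0]="ALL 1 tcp ALL 0.0.0.0/0=>0.0.0.0/0"
WATCH_IP="10.0.0.1 10.0.0.2"
MAC_DROP="12:23:34:45:56:67"
IP_DROP="10.0.0.10"
ECN_REMOVE="10.0.0.10"
MARK[1]="ALL notanumber tcp ALL 0.0.0.0/0=>0.0.0.0/0"
"""

# NAME=value or NAME[i]=value, with the value double-quoted, single-quoted or bare.
ASSIGNMENT = re.compile(r"""^(\w+)(?:\[(\d+)\])?=(?:"([^"]*)"|'([^']*)'|(\S*))$""")
MAC_ADDRESS = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)

# The four list variables share the shape  <list> ::= <item> <list> | <empty>,
# i.e. zero or more whitespace-separated items; only the item type differs.
LIST_VARIABLES = {"WATCH_IP": "ip", "IP_DROP": "ip", "ECN_REMOVE": "ip", "MAC_DROP": "mac"}

# Assumption: the kernel's packet mark is a 32-bit unsigned field, so a larger
# <mark_value> cannot be applied; the manual itself only says <int>.
MAX_MARK = 0xFFFFFFFF


@dataclass(frozen=True)
class MarkRule:
    zone: str
    mark_value: int
    proto_ip: str  # kept opaque here; <proto_ip> is defined elsewhere in the manual


def parse_mark(text):
    """<mark> ::= <zone> <mark_value> <proto_ip>; everything after the second
    token is the <proto_ip> part and is passed through unchanged."""
    parts = text.split(None, 2)
    if len(parts) != 3:
        raise ValueError(f"mark rule needs zone, mark value and proto_ip: {text!r}")
    zone, value, proto_ip = parts
    if not value.isdigit():
        raise ValueError(f"mark value must be an integer: {value!r}")
    mark = int(value)
    if mark > MAX_MARK:
        raise ValueError(f"mark value {mark} does not fit in 32 bits")
    return MarkRule(zone, mark, proto_ip)


def parse_address_list(text, kind):
    """Parse a possibly empty whitespace-separated list of IP or MAC addresses."""
    items = []
    for token in text.split():
        if kind == "ip":
            ipaddress.ip_address(token)  # raises ValueError for a malformed address
        elif not MAC_ADDRESS.match(token):
            raise ValueError(f"malformed MAC address: {token!r}")
        items.append(token)
    return items


def parse_config(text):
    """Return (rules, errors): rules maps each variable to its parsed value,
    errors is a list of (line number, message) for entries that were rejected."""
    rules = {"MARK": {}, **{name: [] for name in LIST_VARIABLES}}
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = ASSIGNMENT.match(line)
        if match is None:
            errors.append((lineno, f"not a variable assignment: {line!r}"))
            continue
        name, index, dq, sq, bare = match.groups()
        value = dq if dq is not None else sq if sq is not None else bare
        try:
            if name == "MARK":
                if index is None:
                    raise ValueError("MARK is an array; write MARK[0]=...")
                rules["MARK"][int(index)] = parse_mark(value)
            elif name in LIST_VARIABLES:
                rules[name] = parse_address_list(value, LIST_VARIABLES[name])
            else:
                raise ValueError(f"unknown variable {name}")
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return rules, errors


if __name__ == "__main__":
    parsed, problems = parse_config(SAMPLE_CONFIG)
    for variable, value in parsed.items():
        print(f"{variable}: {value}")
    for lineno, message in problems:
        print(f"line {lineno}: {message}")
```

Running it on the sample accepts the five entries taken from this page and rejects MARK[1] because its mark value is not an integer. A value that is not quoted as a single shell word, such as a list written with doubled single quotes around it, is also rejected outright rather than being read as a shorter list, which is the failure a shell would otherwise produce silently.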

Anders Peter Fugmann 2004-02-26