BarbWire Help
File
Source
The source match is used to match packets based on their source IP address. In its simplest form it matches a single IP address such as 192.168.1.1. It can also match a whole IP range, such as one of our local networks or a network segment behind the firewall; the range is then written in CIDR form, for example 192.168.0.0/24, which matches all packets from the 192.168.0.x range. The match can be inverted by prefixing NOT: a source match of NOT 192.168.0.0/24 matches all packets whose source address does not come from within the 192.168.0.x range. The default is to match all IP addresses.
Source port
This match is used to match packets based on their source port. It accepts a single port or a whole range of ports written as 22:80, which matches all source ports from 22 through 80. If the first port of a range is omitted, port 0 is assumed, so :80 matches ports 0 through 80. If the last port is omitted, port 65535 is assumed, so 22: matches all ports from 22 through 65535.
If a range is written with the highest port first and the lowest port last, the firewall automatically reverses it: a source port of 80:22 is understood exactly as 22:80.
The inversion can also be combined with a port range, as in NOT 22:80, which means that we want to match all ports except 22 through 80.
Note that this match does not handle multiple separate ports or port ranges. For that, see the multiport match extension.
Destination
The destination match is used to match packets based on their destination address or addresses. It works the same way as the source match and has the same syntax (single addresses, CIDR ranges and the NOT inversion), except that it matches on where the packets are going.
Destination port
This match is used to match TCP packets based on their destination port. It uses exactly the same syntax as the source-port match: it understands single ports, port ranges and inversions, it reverses a range given with the high port first and the low port last, and it assumes port 0 or port 65535 when the low or high end of a range is left out.
Note that this match does not handle multiple separate ports or port ranges. For that, see the multiport match extension.
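The address and port fields above share one small grammar (an address or CIDR range with an optional NOT, and a port or port range with an optional NOT, omitted ends and swapped bounds). The following Python is an added example, not BarbWire's or iptables' own code, that parses those four fields the way the help text describes and evaluates a rule against a packet. The rule and packet dictionaries, their key names, and the sample values are constructed for the example; an empty field means "match anything", which is the default stated above.

```python
import ipaddress

ANY_PORT = (0, 65535)


def parse_address(spec):
    """Parse an address field: '', '192.168.1.1', '192.168.0.0/24' or 'NOT <addr>'.

    Returns (network, negated). An empty field means every address matches.
    """
    spec = spec.strip()
    if not spec:
        return None, False
    negated = False
    if spec.upper().startswith("NOT "):
        negated, spec = True, spec[4:].strip()
    # strict=False accepts a plain host address such as 192.168.1.1 (treated as /32)
    return ipaddress.ip_network(spec, strict=False), negated


def address_matches(spec, packet_addr):
    net, negated = parse_address(spec)
    if net is None:
        return True
    hit = ipaddress.ip_address(packet_addr) in net
    return hit != negated          # NOT flips the result


def parse_port_spec(spec):
    """Parse a port field into ((low, high), negated).

    '22' -> 22..22, '22:80' -> 22..80, ':80' -> 0..80, '22:' -> 22..65535,
    '80:22' -> 22..80 (reversed bounds are swapped), 'NOT 22:80' -> negated.
    """
    spec = spec.strip()
    if not spec:
        return ANY_PORT, False
    negated = False
    if spec.upper().startswith("NOT "):
        negated, spec = True, spec[4:].strip()
    if ":" in spec:
        lo_s, hi_s = spec.split(":", 1)
        lo = int(lo_s) if lo_s else 0           # omitted first port -> 0
        hi = int(hi_s) if hi_s else 65535       # omitted last port -> 65535
    else:
        lo = hi = int(spec)
    if lo > hi:                                  # high port first: reverse it
        lo, hi = hi, lo
    for p in (lo, hi):
        if not 0 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    return (lo, hi), negated


def port_matches(spec, packet_port):
    (lo, hi), negated = parse_port_spec(spec)
    return (lo <= packet_port <= hi) != negated


def rule_matches(rule, packet):
    """Evaluate a rule (dict of the four fields) against a packet (dict src/dst/sport/dport)."""
    return (address_matches(rule.get("source", ""), packet["src"])
            and address_matches(rule.get("destination", ""), packet["dst"])
            and port_matches(rule.get("source_port", ""), packet["sport"])
            and port_matches(rule.get("destination_port", ""), packet["dport"]))


if __name__ == "__main__":
    # Constructed sample rule and packets: anything from outside the LAN to ports 22..80.
    rule = {"source": "NOT 192.168.0.0/24", "destination_port": "22:80"}
    outside = {"src": "10.1.2.3", "dst": "192.168.0.5", "sport": 40000, "dport": 80}
    inside = {"src": "192.168.0.7", "dst": "192.168.0.5", "sport": 40000, "dport": 80}
    print(rule_matches(rule, outside), rule_matches(rule, inside))   # True False
```

Because the NOT on a port range negates the whole range, NOT 22:80 still matches ports 0 through 21 and 81 through 65535; the test below checks exactly that, along with the swapped-bounds and omitted-end cases.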
State
This match option tells the state match which states a packet must be in to be matched. There are currently four states: INVALID, ESTABLISHED, NEW and RELATED. INVALID means that the packet is associated with no known stream or connection and may contain faulty data or headers. ESTABLISHED means that the packet is part of an already established connection that has seen packets in both directions and is fully valid. NEW means that the packet has started or will start a new connection, or that it belongs to a connection that has not yet seen packets in both directions. Finally, RELATED means that the packet is starting a new connection that is associated with an already established connection; an FTP data transfer, or an ICMP error associated with a TCP or UDP connection, are examples. Note that the NEW state does not look for SYN bits in TCP packets trying to start a new connection, and should hence not be considered very good where we have only one firewall and no load balancing between different firewalls. There may, however, be times when this is useful. For more information on how this can be used, read the later chapter on the state machine.
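To make the four states concrete, here is a toy connection tracker written for this help page as an added example; it is not the kernel's connection tracking code. It classifies each packet exactly by the rules given above: a flow nobody has seen is NEW (with no SYN check, as the text notes), a flow is ESTABLISHED once a reply-direction packet has been seen, an ICMP error is RELATED only when the connection it refers to is tracked, and a flow announced in advance by a helper (the FTP data case) is RELATED on its first packet. The Packet type, the `expect` method standing in for a protocol helper, and the sample flows are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

NEW, ESTABLISHED, RELATED, INVALID = "NEW", "ESTABLISHED", "RELATED", "INVALID"


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""             # TCP flags such as "S" or "A"; deliberately ignored by NEW
    icmp_error_for: Optional[tuple] = None   # for ICMP errors: the (proto, src, sport, dst, dport) quoted
    malformed: bool = False     # stands in for bad headers/data


class StateTracker:
    """Toy tracker (constructed for this example) that assigns the state match's four states."""

    def __init__(self):
        self.connections = {}   # key -> {"orig": (src, sport, dst, dport), "reply_seen": bool}
        self.expected = set()   # keys a helper has announced as RELATED to a tracked connection

    @staticmethod
    def _key(proto, src, sport, dst, dport):
        # Both directions of a flow map to one entry, so the endpoints are ordered.
        ends = sorted([(src, sport), (dst, dport)])
        return (proto, ends[0], ends[1])

    def expect(self, proto, src, sport, dst, dport):
        """What a protocol helper (e.g. FTP) would do: pre-announce a related flow."""
        self.expected.add(self._key(proto, src, sport, dst, dport))

    def classify(self, pkt):
        if pkt.malformed:
            return INVALID
        if pkt.icmp_error_for is not None:
            # An ICMP error is RELATED only if it refers to a connection we track.
            return RELATED if self._key(*pkt.icmp_error_for) in self.connections else INVALID
        key = self._key(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        conn = self.connections.get(key)
        if conn is None:
            # First packet of a flow: tracked from now on, regardless of SYN.
            self.connections[key] = {"orig": (pkt.src, pkt.sport, pkt.dst, pkt.dport),
                                     "reply_seen": False}
            if key in self.expected:
                self.expected.discard(key)
                return RELATED
            return NEW
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) == conn["orig"]:
            # Same direction as the opener: ESTABLISHED only once a reply has been seen.
            return ESTABLISHED if conn["reply_seen"] else NEW
        conn["reply_seen"] = True   # reply direction: the flow is now two-way
        return ESTABLISHED


if __name__ == "__main__":
    t = StateTracker()
    for p in (Packet("tcp", "10.0.0.1", 40000, "10.0.0.2", 80, flags="S"),
              Packet("tcp", "10.0.0.2", 80, "10.0.0.1", 40000, flags="SA"),
              Packet("tcp", "10.0.0.1", 40000, "10.0.0.2", 80, flags="A")):
        print(p.flags, t.classify(p))   # S NEW / SA ESTABLISHED / A ESTABLISHED
```

The second orig-direction packet of a flow that has had no reply is still NEW, which is why a rule allowing NEW on a single firewall should normally be paired with a TCP flag check; the tracker above reproduces that behaviour rather than hiding it.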
Multiport match
The multiport match extension can be used to specify several ports in one rule. Without it you would sometimes have to write several otherwise identical rules just to match different ports.
A maximum of 15 separate ports may be specified, and the ports must be comma delimited. This match may only be used together with the tcp or udp match. The port match extension can be used to match packets based on both their destination port and their source port.
Note that this means it will only match packets that come from, for example, port 80 to port 80 if you have specified port 80 to the port match.
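As an added example (not BarbWire's or iptables' own code), the following Python validates a multiport list the way the text specifies (comma delimited, at most 15 ports, tcp or udp only) and evaluates the three ways the list can be applied. The mode names "source", "destination" and "port" are constructed for the example; in "port" mode a packet matches only when its source and destination ports are the same port and that port is in the list, which is the behaviour the note above describes.

```python
MAX_PORTS = 15


def parse_multiport(spec, protocol):
    """Parse a comma-delimited port list as the multiport match accepts it."""
    if protocol not in ("tcp", "udp"):
        raise ValueError("multiport may only be used together with the tcp or udp match")
    ports = []
    for item in spec.split(","):
        item = item.strip()
        if not item.isdigit():          # also rejects empty items such as "22,,80"
            raise ValueError(f"ports must be comma-delimited numbers, got {item!r}")
        port = int(item)
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        ports.append(port)
    if len(ports) > MAX_PORTS:
        raise ValueError(f"at most {MAX_PORTS} ports may be specified, got {len(ports)}")
    return frozenset(ports)


def multiport_matches(mode, ports, sport, dport):
    """Apply a parsed list in one of the three modes (mode names constructed for this example)."""
    if mode == "source":
        return sport in ports
    if mode == "destination":
        return dport in ports
    if mode == "port":
        # Both ends must carry the same port and that port must be listed.
        return sport == dport and sport in ports
    raise ValueError(f"unknown multiport mode {mode!r}")


def single_port_rules_replaced(mode, ports):
    """How many otherwise identical single-port rules one multiport rule stands in for."""
    return len(ports)


if __name__ == "__main__":
    web = parse_multiport("22,80,443", "tcp")    # constructed sample list
    print(multiport_matches("destination", web, 51000, 443))   # True
    print(multiport_matches("port", web, 51000, 80))           # False: ports differ
    print(single_port_rules_replaced("destination", web))      # 3
```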
MAC match
This match is used to match packets based on their source MAC address. The MAC address must be given in the form XX:XX:XX:XX:XX:XX; otherwise it is not accepted. The match may be inverted with a ! sign, as in ! 00:00:00:00:00:01, which reverses the meaning of the match so that all packets except those from this MAC address are matched.
Note that since MAC addresses are only used on Ethernet-type networks, this match can only be used on Ethernet-based networks. It is also only valid in the PREROUTING, FORWARD and INPUT chains and nowhere else.
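The checks a front end has to make before accepting a MAC match are small enough to show in full. The following Python is an added example, not BarbWire's own code: it enforces the XX:XX:XX:XX:XX:XX form, the ! inversion and the three permitted chains, then evaluates the match against a packet's source MAC. Chain names are compared case-insensitively, which is an assumption of the example.

```python
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
MAC_CHAINS = frozenset({"PREROUTING", "INPUT", "FORWARD"})   # the only chains the match is valid in


def parse_mac_match(spec, chain):
    """Return (mac_lowercase, negated) or raise ValueError for a spec the match would reject."""
    if chain.upper() not in MAC_CHAINS:
        raise ValueError(f"MAC match is not valid in the {chain} chain "
                         f"(only {', '.join(sorted(MAC_CHAINS))})")
    spec = spec.strip()
    negated = False
    if spec.startswith("!"):            # "! 00:00:00:00:00:01" inverts the match
        negated, spec = True, spec[1:].strip()
    if not MAC_RE.match(spec):
        raise ValueError("MAC address must be in the form XX:XX:XX:XX:XX:XX")
    return spec.lower(), negated


def mac_matches(spec, chain, packet_src_mac):
    mac, negated = parse_mac_match(spec, chain)
    return (packet_src_mac.lower() == mac) != negated


if __name__ == "__main__":
    # Constructed sample: drop-style rule for everything except one known host.
    print(mac_matches("! 00:00:00:00:00:01", "INPUT", "00:11:22:33:44:55"))   # True
    print(mac_matches("! 00:00:00:00:00:01", "INPUT", "00:00:00:00:00:01"))   # False
```

The source MAC a firewall sees is that of the last hop on the local Ethernet segment, not of the original sender once a router is in between, which is the practical reason the match is restricted to the chains where the frame has just arrived.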