next up previous
Next: 4.2 Rules Instantiation Up: 4 Firewalling Previous: 4 Firewalling

4.1 Filter Rules

Your firewall should drop packets based on criteria like the protocol of a packet or its destination address. The default policy is to accept a packet. Explicit rules specify which packets should be dropped.

The syntax of a rule looks as follows:

<queue>: <protocol> <src address> <src port> -> <dst address> <dst port>  \
         (<rule options>)

For example, the rule

input: tcp 1.2.3.4 any -> 5.6.7.8 80 (flags: SF; ttl: 30)

specifies that all TCP packets from any port on 1.2.3.4 to port 80 on 5.6.7.8 should be dropped in input filtering if they have both the SYN and FIN flags set and a TTL value of 30.

The keyword any can be given for addresses, ports, and the protocol. For port numbers, a range of port numbers is permitted. For example, 80:100 will match on ports between 80 and 100.

Possible values for <queue> are input, output, or forward. The value specifies the queue to which a filter should be applied.

Possible values for <protocol> are tcp, udp, and icmp.

Rule options are optional. They match on particular fields in the IP or TCP header. The exact header layout can be retrieved from RFC 791 [1] and RFC 793 [3], respectively. All rule options are separated from each other using the semicolon ";" character. Rule option keywords are separated from their arguments with a colon ":" character.

The following rule options apply to fields in the IP header:

ttl: <number>; Time to Live
id: <number>; Identification
dsize: [>|<] <number>; Total Length (The greater-than/less-than sign is optional and turns the match into a range: greater than or less than the given number.)

The following rule options apply to fields in the TCP header:

seq: <number>; Sequence Number
ack: <number>; Acknowledgment Number
flags: <flag values>; TCP Flags

The flags option tests the TCP flags for a match. There are six flag variables: S (SYN), F (FIN), R (RST), P (PSH), A (ACK), and U (URG). Logical operators can be appended to specify the matching criterion for the listed flags: + (ALL, match if all listed flags are set, regardless of any others), * (ANY, match if at least one of the listed flags is set), and ! (NOT, match if the listed flags are not set in the packet). For example, flags: SF* matches every packet that has at least one of the SYN or FIN bits set. At most one logical operator may be given. If no logical operator is given, the flags in the packet must match the flags specified in the filter exactly.
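The following is an added example (not code from the original document or the firewall project it describes) that parses the rule syntax above and applies it to decoded packets, including the + * ! flag operators, port ranges and the dsize comparison. It assumes a packet is represented as a plain dict of header fields (proto, src, sport, dst, dport, ttl, id, len, seq, ack, flags), uses the RFC 793 bit positions for the flags, and reads "!" as "none of the listed flags is set"; all packets below are constructed sample data.

```python
import re
from dataclasses import dataclass

# TCP flag bits as laid out in RFC 793 (URG, ACK, PSH, RST, SYN, FIN, high to low)
FLAG_BITS = {"U": 0x20, "A": 0x10, "P": 0x08, "R": 0x04, "S": 0x02, "F": 0x01}

RULE_RE = re.compile(
    r"^(?P<queue>input|output|forward):\s+(?P<proto>tcp|udp|icmp|any)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*(?:\((?P<opts>.*)\))?\s*$"
)

@dataclass
class Rule:
    queue: str
    protocol: str
    src: str
    sport: str
    dst: str
    dport: str
    options: dict

def parse_rule(text: str) -> Rule:
    """Parse one rule line; raises ValueError on malformed input."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed rule: {text!r}")
    options = {}
    for item in (m["opts"] or "").split(";"):      # options are ';'-separated
        item = item.strip()
        if not item:
            continue
        key, sep, arg = item.partition(":")        # keyword ':' argument
        if not sep:                                # tolerate 'dsize >100' without the colon
            key, _, arg = item.partition(" ")
        options[key.strip()] = arg.strip()
    return Rule(m["queue"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"], options)

def flag_bits(letters: str) -> int:
    """Convert a string of flag letters such as 'SF' to a bitmask."""
    bits = 0
    for ch in letters:
        bits |= FLAG_BITS[ch]                      # KeyError for a letter outside S F R P A U
    return bits

def flags_match(spec: str, packet_flags: int) -> bool:
    """Apply the flags option: exact match, or one of the + * ! operators."""
    op = spec[-1] if spec and spec[-1] in "+*!" else ""
    wanted = flag_bits(spec[:-1] if op else spec)
    if op == "+":                                  # ALL: every listed flag set, others ignored
        return packet_flags & wanted == wanted
    if op == "*":                                  # ANY: at least one listed flag set
        return packet_flags & wanted != 0
    if op == "!":                                  # NOT: none of the listed flags set (assumed reading)
        return packet_flags & wanted == 0
    return packet_flags == wanted                  # no operator: exact match

def port_matches(spec: str, port: int) -> bool:
    """'any', a single port, or an inclusive range written lo:hi."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port

def dsize_matches(spec: str, total_length: int) -> bool:
    """Total Length compared with an optional leading > or <."""
    if spec[0] in "><":
        bound = int(spec[1:])
        return total_length > bound if spec[0] == ">" else total_length < bound
    return total_length == int(spec)

def rule_matches(rule: Rule, queue: str, pkt: dict) -> bool:
    """True if the rule applies to this queue and every field and option matches."""
    if rule.queue != queue:
        return False
    if rule.protocol != "any" and rule.protocol != pkt["proto"]:
        return False
    if rule.src != "any" and rule.src != pkt["src"]:
        return False
    if rule.dst != "any" and rule.dst != pkt["dst"]:
        return False
    if not port_matches(rule.sport, pkt.get("sport", -1)):   # icmp packets carry no ports
        return False
    if not port_matches(rule.dport, pkt.get("dport", -1)):
        return False
    for key, arg in rule.options.items():
        if key in ("ttl", "id", "seq", "ack"):
            if pkt.get(key) != int(arg):
                return False
        elif key == "dsize":
            if not dsize_matches(arg, pkt["len"]):
                return False
        elif key == "flags":
            if not flags_match(arg, flag_bits(pkt.get("flags", ""))):
                return False
        else:
            raise ValueError(f"unknown rule option {key!r}")
    return True

def filter_packet(rules: list, queue: str, pkt: dict) -> str:
    """Default policy is accept; the first matching rule drops the packet."""
    for rule in rules:
        if rule_matches(rule, queue, pkt):
            return "drop"
    return "accept"

if __name__ == "__main__":
    rules = [parse_rule("input: tcp 1.2.3.4 any -> 5.6.7.8 80 (flags: SF; ttl: 30)"),
             parse_rule("output: udp any any -> any 80:100 (dsize: >100)")]
    syn_fin = {"proto": "tcp", "src": "1.2.3.4", "sport": 40000, "dst": "5.6.7.8",  # constructed
               "dport": 80, "ttl": 30, "len": 40, "flags": "SF"}
    print(filter_packet(rules, "input", syn_fin))                   # drop
    print(filter_packet(rules, "input", dict(syn_fin, flags="S")))  # accept
```

Because the flags option without an operator demands an exact match, the first rule drops only packets whose flag byte is exactly SYN+FIN; a packet with SYN alone, or SYN+FIN+ACK, passes. Unknown option keywords raise rather than being silently ignored, so a misspelled option cannot turn a drop rule into one that never matches.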
