Reference Manual

NAME

setf - interact with the IP filter mechanism

sett - interact with the IP throttle mechanism

SYNOPSIS
setf ifn [add|delete sip|name smask dip|name dmask proto src_port dst_port [delay]]
sett ifn [add|delete sip|name smask dip|name dmask proto src_port dst_port [throttle]]

...

DESCRIPTION
When invoked with only the ifn argument, the commands print the current contents of the IP Filter Table for the specified interface.

Argument add, followed by seven or eight arguments, will add the specified filter to the table.
Argument delete, followed by seven or eight arguments, will delete the specified filter from the table.

sip is the IP source address filter. A DNS name can be specified.
smask is the mask to be applied to the packet IP source address before the comparison with sip.
dip is the IP destination address filter. A DNS name can be specified.
dmask is the mask to be applied to the packet IP destination address before the comparison with dip.
proto is the IP protocol type. Typical values are 1 for ICMP, 6 for TCP and 17 for UDP.
src_port is the source port contained in UDP and TCP packet types.
dst_port is the destination port contained in UDP and TCP packet types.

delay is the time in msec for which matching packets will be delayed before forwarding. If the specified delay is 0, matching packets will be allowed. If the delay is -1, matching packets will be silently discarded.

throttle is the maximum rate at which matching packets should be forwarded. Its value is expressed as a percentage of the current interface bandwidth.

The value 0.0.0.0 matches any IP address or mask; the value 0 matches any protocol or port number.
All traffic from a given subnet may be filtered by specifying the mask of the subnet. If non-zero IP addresses or names are specified, the relevant masks should also be non-zero.

NOTES
The Filter mechanism allows selected packets arriving at a specified interface to be discarded or delayed for a specified period before being forwarded by NAT32. Packets can also be throttled so that they consume no more than a specified proportion of available bandwidth during any one-second interval.

If a delay in msec is specified and its value is 0, the matching packet will be allowed and no further checks take place. This option can be used to specify an exception to all later rules. If the delay is -1, the packet will be discarded.

For the sett command, the specified throttle value must be between 0 and 100.

The filter table is evaluated from top to bottom, terminating when a match is found.

A filter is evaluated from left to right, and evaluation terminates as soon as a condition is not met.

No ICMP error messages are generated if packets are discarded.

Packets are only filtered on arrival at a NAT32 interface. Therefore, source and destination fields are relative to that interface.

To filter packets from a private machine to an Internet name or address, an appropriate filter should be specified for the NAT32 private interface at which the packet arrived. Similarly, to block packets arriving at an Internet interface, an appropriate filter should be specified for the NAT32 Internet interface at which the packet arrived.

The specified masks are applied to the specified IP addresses before those addresses are stored in the filter table.

Local traffic is never filtered or throttled.

The IP Filter Table has a maximum size of 16 entries per interface. The table is compressed whenever an entry is deleted and only searched from index 0 to the last valid entry in order to reduce search times.
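
The evaluation rules above (masks applied before storage, wildcards 0.0.0.0 and 0, left-to-right field checks, first match from index 0 wins, delay 0 as an exception, -1 as discard, 16 entries per interface) modelled in Python. This is an added example, not NAT32 code: it takes dotted-quad addresses only (no DNS names), and it assumes that a packet matching no rule is forwarded normally, which the manual does not state.

```python
import ipaddress

MAX_ENTRIES = 16  # per-interface limit stated in the manual


def _ip(addr):  # dotted quad -> int; DNS names are not resolved in this model
    return int(ipaddress.IPv4Address(addr))


def _entry(sip, smask, dip, dmask, proto, sport, dport, delay):
    """Stored form of a rule: masks are applied to the addresses before storage."""
    sm, dm = _ip(smask), _ip(dmask)
    return (_ip(sip) & sm, sm, _ip(dip) & dm, dm, proto, sport, dport, delay)


class FilterTable:
    """Ordered filter table for one interface, searched from index 0 to the last entry."""

    def __init__(self):
        self.rules = []

    def add(self, sip, smask, dip, dmask, proto, sport, dport, delay=0):
        if len(self.rules) >= MAX_ENTRIES:
            raise ValueError("filter table full: 16 entries per interface")
        self.rules.append(_entry(sip, smask, dip, dmask, proto, sport, dport, delay))

    def delete(self, sip, smask, dip, dmask, proto, sport, dport, delay=0):
        # Removing from the list keeps the table compressed, as the manual describes.
        self.rules.remove(_entry(sip, smask, dip, dmask, proto, sport, dport, delay))

    def lookup(self, sip, dip, proto, sport, dport):
        """Return 'allow', 'discard' or the delay in msec from the first matching rule."""
        src, dst = _ip(sip), _ip(dip)
        for rs, sm, rd, dm, rp, rsp, rdp, delay in self.rules:
            # Fields are checked left to right and the first unmet condition rejects
            # the rule; 0.0.0.0 (address or mask) and 0 (proto/port) are wildcards.
            if rs and sm and (src & sm) != rs:
                continue
            if rd and dm and (dst & dm) != rd:
                continue
            if (rp and rp != proto) or (rsp and rsp != sport) or (rdp and rdp != dport):
                continue
            if delay == 0:
                return "allow"    # exception rule: no further checks take place
            if delay == -1:
                return "discard"  # silently dropped, no ICMP error is generated
            return delay
        return "allow"  # assumption: a packet matching no rule is forwarded normally
```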

The filter settings are not recorded in any configuration file or in the Windows Registry. To make the settings permanent, the commands that add the filters should be placed in file user.txt.

SEE ALSO
admin, mode, Traffic Management