Reference Manual

NAME

setf - interact with the IP filter mechanism

SYNOPSIS
setf ifn [add|delete sip|name smask dip|name dmask proto src_port dst_port [delay]]

DESCRIPTION
When invoked with only the ifn argument, setf prints the current contents of the IP Filter Table for the specified interface.
Argument add, followed by seven or eight arguments, will add the specified filter to the table.
Argument delete, followed by seven or eight arguments, will delete the specified filter from the table.

sip is the IP source address filter. A DNS name can be specified.
smask is the mask to be applied to the packet IP source address before the comparison with sip.
dip is the IP destination address filter. A DNS name can be specified.
dmask is the mask to be applied to the packet IP destination address before the comparison with dip.
proto is the IP protocol type. Typical values are 1 for ICMP, 6 for TCP and 17 for UDP.
src_port is the source port contained in UDP and TCP packet types.
dst_port is the destination port contained in UDP and TCP packet types.
delay is the time in msec for which matching packets will be delayed before transmission. If no delay is specified, matching packets will be silently discarded.

The value 0.0.0.0 matches any IP address or mask; the value 0 matches any protocol or port number.
All traffic from a given subnet may be filtered by specifying the mask of the subnet. If non-zero IP addresses or names are specified, the relevant masks should also be non-zero.

NOTES
The Filter mechanism allows selected packets arriving at a specified interface to be discarded or delayed for a specified period before being forwarded by NAT32.

Each filter is evaluated from left to right, and evaluation terminates as soon as a condition is not met. No ICMP error messages are generated when a packet is discarded.

Packets are only filtered on arrival at a NAT32 interface. Therefore, source and destination fields are relative to that interface.

To filter packets from a private machine to an Internet name or address, an appropriate filter should be specified for the NAT32 private interface at which the packet arrived. Similarly, to block packets arriving at an Internet interface, an appropriate filter should be specified for the NAT32 Internet interface at which the packet arrived.

The specified masks are applied to the specified IP addresses before those addresses are stored in the filter table.

The IP Filter Table has a maximum size of 16 entries per interface. The table is compressed whenever an entry is deleted and only searched from index 0 to the last valid entry in order to reduce search times.

Packets to and from the Microsoft TCP/IP stacks on the NAT32 machine are not filtered.

The filter settings are not recorded in any configuration file or in the Windows Registry. To make the settings permanent, the commands that add the filters should be placed in file user.txt.
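
EXAMPLES
The following Python model is an added example, not NAT32 code. It reproduces the matching rules described above (masks applied at add time and to each arriving packet, 0 as the wildcard, discard versus delay) and shows why a non-zero address with a zero mask matches every source. The helper names, the sample table, and the first-match and wildcard interpretations are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX_ENTRIES = 16  # per-interface table size given in NOTES

def ip(text):
    return int(ipaddress.IPv4Address(text))

@dataclass(frozen=True)
class Filter:
    sip: int
    smask: int
    dip: int
    dmask: int
    proto: int
    src_port: int
    dst_port: int
    delay: Optional[int] = None  # msec; None means discard

def make_filter(sip, smask, dip, dmask, proto, src_port, dst_port, delay=None):
    sm, dm = ip(smask), ip(dmask)
    # The masks are applied to the addresses before they are stored.
    return Filter(ip(sip) & sm, sm, ip(dip) & dm, dm, proto, src_port, dst_port, delay)

def matches(f, src, dst, proto, sport, dport):
    # Fields are checked left to right; all() stops at the first mismatch.
    # Assumption: a stored value of 0 is the wildcard for that field.
    fields = ((f.sip, ip(src) & f.smask), (f.dip, ip(dst) & f.dmask),
              (f.proto, proto), (f.src_port, sport), (f.dst_port, dport))
    return all(want == 0 or got == want for want, got in fields)

def verdict(table, src, dst, proto, sport, dport):
    # Assumption: the first matching entry, searched from index 0, decides.
    for f in table[:MAX_ENTRIES]:
        if matches(f, src, dst, proto, sport, dport):
            return "discard" if f.delay is None else f"delay {f.delay}"
    return "forward"

# Constructed table: drop telnet from 192.168.0.0/24, delay DNS queries by 200 ms.
TABLE = [
    make_filter("192.168.0.0", "255.255.255.0", "0.0.0.0", "0.0.0.0", 6, 0, 23),
    make_filter("0.0.0.0", "0.0.0.0", "0.0.0.0", "0.0.0.0", 17, 0, 53, delay=200),
]
# Pitfall: a non-zero address with a zero mask is stored as 0.0.0.0 (any source).
TOO_BROAD = make_filter("192.168.0.7", "0.0.0.0", "0.0.0.0", "0.0.0.0", 6, 0, 0)

if __name__ == "__main__":
    print(verdict(TABLE, "192.168.0.9", "203.0.113.5", 6, 40000, 23))
    print(verdict(TABLE, "192.168.1.9", "203.0.113.5", 6, 40000, 23))
    print(matches(TOO_BROAD, "10.1.2.3", "203.0.113.5", 6, 40000, 80))
```

In this model, TOO_BROAD was meant to cover one host but matches TCP from any address, which is why the masks should be non-zero whenever the addresses are.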

SEE ALSO
admin mode Traffic Management