FQDN Filter Function

Summary

You can specify an FQDN as the source or destination address of the ip filter command.
Using the ip filter command with an FQDN for "Filter Type Routing" or "Packet Transfer Filter" lets you control routing to servers that do not have a static IP address, or that have multiple static IP addresses for one FQDN.

Restrictions

The following restrictions apply to using the FQDN filter function.

  • The router using this function has to operate as a DNS recursive server.
  • The terminals under the router that use this function have to specify the router as their DNS server.
  • Only the IP addresses obtained by name resolution of the specified FQDN are filtered. Communication with another Web server that is derived from the HTML file obtained by accessing the Web server, from a redirection, etc., is not filtered.
  • The IP address is resolved from the FQDN by searching the ip host command, the dns static command, and the DNS cache, in that order.
  • The routing determined by this function is recorded in the Fast Path flow table, and subsequent packets with the same conditions are processed in the Fast Path. Even if the DNS information is rewritten because the TTL of the DNS cache entry expires, the information recorded in the flow table is not replaced, and the Fast Path continues to route to the previous destination. The lifetime of the flow table information can be specified with the ip flow timer command.
  • Be careful when multiple FQDNs resolve to one IP address. For example, the Google search site and the YouTube video site may have the same IP address. If filters are configured as google for pass and youtube for reject, in this order, and you access YouTube after searching on Google, then when YouTube's IP address is the same as the Google IP address you accessed first, YouTube will also be passed. (If the Google IP address and the YouTube IP address are different, YouTube will be rejected as configured.)
  • This function supports IPv4 communication only.

Compatible Models & Firmware Revisions

The Yamaha RT series supports FQDN filter function with the following models and firmware.

Model    Firmware
FWX120   Rev.11.03.23 or later
RTX810   Rev.11.01.29 or later

Command

Set the IP Packet Filter

[Syntax]
ip filter filter_num pass_reject src_addr[/mask] [dest_addr[/mask] [protocol [src_port_list [dest_port_list]]]]
no ip filter filter_num [pass_reject ...]
[Setting and Initial value]
  • filter_num
    • [Setting] : Static filter number (1..21474836)
    • [Initial value] : -
  • pass_reject
    • [Setting] :
      Setting         Description
      pass            Pass if matched (not recorded in the log)
      pass-log        Pass if matched (recorded in the log)
      pass-nolog      Pass if matched (not recorded in the log)
      reject          Discard if matched (recorded in the log)
      reject-log      Discard if matched (recorded in the log)
      reject-nolog    Discard if matched (not recorded in the log)
      restrict        Pass if the line is connected and discard if it is disconnected (not recorded in the log)
      restrict-log    Pass if the line is connected and discard if it is disconnected (recorded in the log)
      restrict-nolog  Pass if the line is connected and discard if it is disconnected (not recorded in the log)
    • [Initial value] : -
  • src_addr : Source IP address of the IP packet
    • [Setting] :
      • IP address
        • A.B.C.D (A..D: 0..255 or *)
          • In the above notation, if '*' is used for any of A through D, the corresponding 8 bits accept all values.
        • Two of the above items joined by a hyphen, an item preceded by a hyphen, or an item followed by a hyphen indicates a range.
        • Multiple settings are allowed with ',' as a delimiter. They can also be mixed with FQDNs.
      • FQDN
        • Any character string (up to 255 characters; '/' and ':' cannot be used, and ',' cannot be used either because it is the delimiter)
        • An FQDN starting with '*' treats the character string after the '*' as a suffix (backward) match condition.
          For example, *.example.co.jp matches www.example.co.jp, mail.example.co.jp, etc.
        • Multiple settings are allowed with ',' as a delimiter. They can also be mixed with IP addresses.
      • * (all IP addresses)
    • [Initial value] : -
  • dest_addr : Destination IP address of the IP packet
    • [Setting] :
      • Same format as src_addr.
      • Same as one * when omitted.
    • [Initial value] : -
  • mask : IP address bit mask (can be specified only when src_addr or dest_addr is a network address; it cannot be specified for an FQDN or *)
    • [Setting] :
      • A.B.C.D (A..D: 0..255)
      • Hexadecimal number following 0x
      • Number of mask bits
      • Same as 0xffffffff when omitted
    • [Initial value] : -
  • protocol : Type of packets to be filtered
    • [Setting] :
      • Decimal number indicating the protocol (0..255)
      • Mnemonic indicating the protocol
        Mnemonic   Decimal Number   Description
        icmp       1                ICMP packet
        tcp        6                TCP packet
        udp        17               UDP packet
        ipv6       41               IPv6 packet
        gre        47               GRE packet
        esp        50               ESP packet
        ah         51               AH packet
        icmp6      58               ICMP6 packet
      • Series of the above items delimited by commas (up to 5 items)
      • Special settings
        icmp-error    ICMP packet whose type is 3, 4, 5, 11, 12, 31, or 32
        icmp-info     ICMP packet whose type is 0, 8 to 10, 13 to 18, 30, or 33 to 36
        tcpsyn        TCP packet with the SYN flag set
        tcpfin        TCP packet with the FIN flag set
        tcprst        TCP packet with the RST flag set
        established   TCP packet with the ACK flag set; used to permit connections from the inside to the outside while rejecting connections from the outside to the inside
        tcpflag=value/mask
        tcpflag!=value/mask
                      TCP packet for which the logical AND of the TCP flag value and mask is equal to value (=) or different from value (!=). Specify value and mask as hexadecimal values following 0x (0x0000 to 0xffff).
        *             All protocols
      • Same as * when omitted.
    • [Initial value] : -
  • src_port_list : When TCP (tcp/tcpsyn/tcpfin/tcprst/established/tcpflag) or UDP (udp) is contained in protocol, the TCP or UDP source port number. When protocol is just ICMP (icmp), the ICMP type.
    • [Setting] :
      • A decimal number representing the port number
      • Mnemonic representing the port number (partial list)
        Mnemonic     Port Number
        ftp          20,21
        ftpdata      20
        telnet       23
        smtp         25
        domain       53
        gopher       70
        finger       79
        www          80
        pop3         110
        sunrpc       111
        ident        113
        ntp          123
        nntp         119
        snmp         161
        syslog       514
        printer      515
        talk         517
        route        520
        uucp         540
        submission   587
      • Two of the above items joined by a hyphen, an item preceded by a hyphen, or an item followed by a hyphen indicates a range.
      • Series of the above items delimited by commas (up to 10 items)
      • * (all ports or types)
      • Same as * when omitted.
    • [Initial value] : -
  • dest_port_list :
    • [Setting] : When TCP (tcp/tcpsyn/tcpfin/tcprst/established/tcpflag) or UDP (udp) is contained in protocol, the TCP or UDP destination port number. When protocol is just ICMP (icmp), the ICMP code.
    • [Initial value] : -
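The src_addr/dest_addr grammar above (wildcard octets, hyphen ranges, comma-separated lists mixed with FQDNs, and '*'-prefixed suffix matching) is compact enough to model in a few dozen lines. The following matcher is an added example written for this page; it is not Yamaha's code. It assumes host names compare case-insensitively and, for simplicity, that hyphen ranges use concrete addresses without '*' octets. Host names are tested against FQDN items and addresses against address items, mirroring the fact that on the router an FQDN item matches through the addresses it resolves to, never by comparing the name text with an address.

```python
import re

# Added example (not Yamaha's code): matcher for the src_addr/dest_addr grammar
# of the ip filter command. Assumptions: case-insensitive host names, and hyphen
# ranges built only from concrete A.B.C.D addresses (no '*' octets).

_IP = r"[0-9*]{1,3}(?:\.[0-9*]{1,3}){3}"
IP_RE = re.compile(rf"^{_IP}$")
RANGE_RE = re.compile(rf"^(?P<lo>{_IP})?-(?P<hi>{_IP})?$")


def _octets(text):
    """A.B.C.D with each part 0..255 or '*' -> list of ints, None meaning 'any'."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"not an IPv4 item: {text!r}")
    result = []
    for part in parts:
        if part == "*":
            result.append(None)
            continue
        value = int(part)
        if not 0 <= value <= 255:
            raise ValueError(f"octet out of range in {text!r}")
        result.append(value)
    return result


def _as_int(octets):
    """Concrete octets -> 32-bit integer, used to compare hyphen ranges."""
    if None in octets:
        raise ValueError("'*' octets inside a range are not supported in this example")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def parse_address_spec(spec):
    """Split src_addr/dest_addr into typed items: ('any',), ('ip', octets),
    ('range', lo, hi) or ('fqdn', pattern). ',' is the delimiter."""
    items = []
    for raw in spec.split(","):
        item = raw.strip()
        if item == "*":
            items.append(("any",))
        elif IP_RE.match(item):
            items.append(("ip", _octets(item)))
        elif RANGE_RE.match(item):
            m = RANGE_RE.match(item)
            if not m["lo"] and not m["hi"]:
                raise ValueError("a range needs at least one address")
            lo = _as_int(_octets(m["lo"])) if m["lo"] else 0
            hi = _as_int(_octets(m["hi"])) if m["hi"] else 0xFFFFFFFF
            items.append(("range", lo, hi))
        else:
            # FQDN: up to 255 characters; '/' and ':' are not allowed
            if not item or len(item) > 255 or "/" in item or ":" in item:
                raise ValueError(f"invalid FQDN item: {item!r}")
            items.append(("fqdn", item.lower().rstrip(".")))
    return items


def matches(spec, target):
    """True if target (an IPv4 address or a host name) matches spec."""
    target_is_ip = IP_RE.match(target) is not None and "*" not in target
    name = target.lower().rstrip(".")
    for item in parse_address_spec(spec):
        kind = item[0]
        if kind == "any":
            return True
        if target_is_ip and kind == "ip":
            if all(p is None or p == a for p, a in zip(item[1], _octets(target))):
                return True
        elif target_is_ip and kind == "range":
            if item[1] <= _as_int(_octets(target)) <= item[2]:
                return True
        elif not target_is_ip and kind == "fqdn":
            pattern = item[1]
            # '*' prefix: suffix match on the text after '*'; otherwise exact match
            if pattern.startswith("*") and name.endswith(pattern[1:]):
                return True
            if not pattern.startswith("*") and name == pattern:
                return True
    return False
```

Note that `*.example.co.jp` does not match the bare name `example.co.jp`: the suffix condition is the text after the '*', including the leading dot, so a filter that must also cover the apex name needs it listed explicitly, as the Microsoft Update example later on this page does.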
[Description]

Sets the IP packet filter. The filter specified with this command is used in the ip filter directed-broadcast, ip filter dynamic, ip filter set, ip forward filter, ip fragment remove df-bit, ip interface rip filter, ip interface secure filter, and ip route commands.


[Note]

Filters using restrict-log and restrict-nolog are useful for packets that need to be passed only while the line is connected but do not by themselves warrant dialing the line. One such example is the NTP packet used to synchronize the clock.

When you want to check the ICMP types and codes of ICMP packets with a filter, set protocol to just 'icmp'. When protocol is set to just 'icmp', src_port_list is treated as a list of ICMP types and dest_port_list as a list of ICMP codes. When 'icmp' is listed together with other protocols, src_port_list and dest_port_list are treated as TCP/UDP port numbers, and no ICMP comparison takes place. Also, when 'icmp-error' or 'icmp-info' is specified for protocol, src_port_list and dest_port_list are ignored.

When protocol is set to '*' or to multiple protocols that include TCP/UDP, src_port_list and dest_port_list are treated as TCP/UDP port numbers, and only the port numbers of TCP or UDP packets are compared and filtered. Other types of packets (including ICMP) are compared and filtered as if src_port_list and dest_port_list did not exist.
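The rules in the note above decide whether the two port lists mean ICMP type/code, TCP/UDP ports, or nothing at all, and getting this wrong silently widens a filter (an 'icmp' listed next to 'tcp' no longer checks ICMP types). The model below is an added example written for this page, not Yamaha's code: it interprets protocol, src_port_list and dest_port_list exactly as the note describes, including the tcpsyn/established/tcpflag special settings. Packets are plain dicts constructed here for illustration, and the TCP flag bit values are the standard header bits.

```python
# Added example, not Yamaha's code: how protocol, src_port_list and
# dest_port_list of "ip filter" are interpreted, following the [Note] above.

PROTOCOL_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "ipv6": 41, "gre": 47,
                    "esp": 50, "ah": 51, "icmp6": 58}
PORT_MNEMONICS = {"ftp": "20,21", "ftpdata": "20", "telnet": "23", "smtp": "25",
                  "domain": "53", "www": "80", "pop3": "110", "ntp": "123",
                  "snmp": "161", "syslog": "514", "submission": "587"}
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12, 31, 32}
ICMP_INFO_TYPES = {0, 8, 9, 10, 13, 14, 15, 16, 17, 18, 30, 33, 34, 35, 36}
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10  # standard TCP flag bits


def parse_port_list(text):
    """'*' (or an omitted list, passed as None) -> None, meaning any value.
    Otherwise a list of (lo, hi) ranges from numbers, mnemonics and hyphen
    ranges, at most 10 items."""
    if text is None or text == "*":
        return None
    items = [part for item in text.split(",")
             for part in PORT_MNEMONICS.get(item, item).split(",")]
    if len(items) > 10:
        raise ValueError("src_port_list/dest_port_list allow up to 10 items")
    ranges = []
    for item in items:
        if "-" in item:
            lo, hi = item.split("-", 1)
            ranges.append((int(lo) if lo else 0, int(hi) if hi else 65535))
        else:
            ranges.append((int(item), int(item)))
    return ranges


def _in_list(ranges, value):
    return ranges is None or any(lo <= value <= hi for lo, hi in ranges)


def _tcp_flags_ok(kind, flags):
    """Apply the tcpsyn/tcpfin/tcprst/established/tcpflag special settings."""
    if kind == "tcpsyn":
        return bool(flags & TCP_SYN)
    if kind == "tcpfin":
        return bool(flags & TCP_FIN)
    if kind == "tcprst":
        return bool(flags & TCP_RST)
    if kind == "established":
        return bool(flags & TCP_ACK)
    if kind.startswith("tcpflag"):
        negate = kind.startswith("tcpflag!=")
        spec = kind[len("tcpflag!="):] if negate else kind[len("tcpflag="):]
        value, mask = (int(x, 16) for x in spec.split("/"))
        return (flags & mask != value) if negate else (flags & mask == value)
    return True  # plain "tcp" or a numeric protocol: no flag condition


def filter_matches(protocol, src_port_list, dest_port_list, pkt):
    """True if pkt matches the protocol/port part of one ip filter line."""
    if protocol == "icmp":                        # exactly icmp: type / code lists
        return (pkt["proto"] == 1
                and _in_list(parse_port_list(src_port_list), pkt["icmp_type"])
                and _in_list(parse_port_list(dest_port_list), pkt["icmp_code"]))
    if protocol in ("icmp-error", "icmp-info"):   # port lists are ignored
        wanted = ICMP_ERROR_TYPES if protocol == "icmp-error" else ICMP_INFO_TYPES
        return pkt["proto"] == 1 and pkt["icmp_type"] in wanted
    # '*' or a protocol list: the lists are TCP/UDP ports and are compared only
    # for TCP/UDP packets; any other packet matches on protocol alone
    for kind in protocol.split(","):
        if kind.startswith("tcp") or kind == "established":
            number = 6
        elif kind.isdigit():
            number = int(kind)
        else:
            number = PROTOCOL_NUMBERS.get(kind)
        if kind != "*" and number != pkt["proto"]:
            continue
        if pkt["proto"] in (6, 17):
            if not (_in_list(parse_port_list(src_port_list), pkt["sport"])
                    and _in_list(parse_port_list(dest_port_list), pkt["dport"])):
                continue
            if pkt["proto"] == 6 and not _tcp_flags_ok(kind, pkt.get("flags", 0)):
                continue
        return True
    return False
```

The first settings example below (`ip filter 1 pass-log * * icmp 8`) corresponds to `filter_matches("icmp", "8", None, pkt)`, and the redirect example (`ip filter 1 reject * * icmp 5 1`) to `filter_matches("icmp", "5", "1", pkt)`; the same `"5"` and `"1"` would be read as TCP/UDP ports if the protocol field were `icmp,tcp`.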

Specifying an FQDN for src_addr or dest_addr lets you filter servers that do not have a static IP address, or that have multiple static IP addresses for one FQDN.
When FQDNs are used, the router operates as a DNS recursive server, and the terminals under the router need to specify the router as their DNS server.

When communication matching the specified FQDN occurs, the IP address information corresponding to that FQDN is retained. The retention period can be specified with the ip filter fqdn timer command.


[Settings Examples]

Logs (pass-log) the IPv4 ICMP ECHO/REPLY packets sent and received over LAN1.

# ip lan1 secure filter in 1 2 100
# ip lan1 secure filter out 1 2 100
# ip filter 1 pass-log * * icmp 8
# ip filter 2 pass-log * * icmp 0
# ip filter 100 pass * *

Of the IPv4 redirects sent from LAN2, only "redirect for the host" messages are blocked.

# ip lan2 secure filter out 1 100
# ip filter 1 reject * * icmp 5 1
# ip filter 100 pass * *

Set the Timer of the Cache Used in the FQDN Filter

[Syntax]
ip filter fqdn timer time [auto=switch]
no ip filter fqdn timer [time]
[Setting and Initial value]
  • time
    • [Setting] : Number of seconds (1..2147483647)
    • [Initial value] : 600
  • switch
    • [Setting] :
      Setting   Description
      on        Enable automatic setting
      off       Disable automatic setting
    • [Initial value] : on
[Description]

Sets the timer of the cache used for the FQDN filter.
When an FQDN is set for the source address or the destination address with the ip filter command, the timer starts when communication matching the specified FQDN occurs.
If there is no communication matching the FQDN filter for the number of seconds specified in 'time', the cache entry that associates the FQDN with the IP address is deleted.

When auto=on, the following values are set for the timer.

  • In communication using Fast Path, the largest value among the timers used in the Fast Path flow table is automatically set as the value of this timer.
  • In communication without using Fast Path, the value of 'time' is set as a timer.

When auto=off, the value of 'time' is always used as the timer.
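The behaviour described under Restrictions (resolution order ip host, dns static, DNS cache; in-order filter evaluation; the Fast Path flow table keeping a stale decision; the shared-IP pitfall) and the cache timer described here interact, and it is worth seeing them together before relying on an FQDN reject filter. The model below is an added example written for this page, not Yamaha's code. It assumes a simplified view in which each FQDN item keeps the set of addresses it was last resolved to plus the time of the last matching traffic, a Fast Path flow is keyed by destination address only, and Filter Type Routing sends a packet to pp 2 when a listed filter passes it and to pp 1 otherwise (as in the settings example that follows). All names, addresses and timestamps are constructed for illustration.

```python
# Added example, not Yamaha's code: a model of FQDN filter learning, ageing and
# evaluation as described on this page. Names/addresses are constructed samples.


def fqdn_item_matches(item, name):
    """'*' prefix = suffix match on the text after '*'; otherwise exact match."""
    item, name = item.lower(), name.lower()
    return name.endswith(item[1:]) if item.startswith("*") else name == item


class FqdnFilterModel:
    """FQDN -> IP associations learned from the router's own name tables."""

    def __init__(self, ip_host, dns_static, dns_cache, time=600, auto=True, flow_timers=()):
        self.tables = (ip_host, dns_static, dns_cache)   # searched in this order
        self.time, self.auto, self.flow_timers = time, auto, tuple(flow_timers)
        self.learned = {}       # fqdn item -> [set(ips), time of last matching traffic]
        self.flow_table = {}    # dst_ip -> decision, mimics the Fast Path flow table

    def resolve(self, item):
        """Addresses known for names matching item; the first table with a hit wins."""
        for table in self.tables:
            ips = {ip for name, addrs in table.items()
                   if fqdn_item_matches(item, name) for ip in addrs}
            if ips:
                return ips
        return set()

    def timer(self, fast_path):
        """ip filter fqdn timer: auto=on with Fast Path uses the largest flow timer."""
        if self.auto and fast_path and self.flow_timers:
            return max(self.flow_timers)
        return self.time

    def expire(self, now, fast_path=False):
        """Drop associations idle for at least the timer value."""
        limit = self.timer(fast_path)
        for item in [i for i, (_, last) in self.learned.items() if now - last >= limit]:
            del self.learned[item]

    def evaluate(self, filters, dst_ip, now, fast_path=False):
        """filters: (number, action, dest_addr) in the order the router checks them."""
        if fast_path and dst_ip in self.flow_table:
            return self.flow_table[dst_ip]    # not re-evaluated while the flow lives
        self.expire(now, fast_path)
        for number, action, dest_addr in filters:
            for item in dest_addr.split(","):
                if item == "*":
                    ips = {dst_ip}
                elif item in self.learned:
                    ips = self.learned[item][0]
                else:
                    ips = self.resolve(item)
                if dst_ip in ips:
                    if item != "*":
                        self.learned[item] = [ips, now]   # (re)start the cache timer
                    decision = (number, action)
                    if fast_path:
                        self.flow_table[dst_ip] = decision
                    return decision
        return (None, "no-match")


def route_gateway(model, filters, dst_ip, now):
    """Filter Type Routing as in the settings example: matched 'pass' -> pp 2, else pp 1."""
    _, action = model.evaluate(filters, dst_ip, now)
    return "pp 2" if action == "pass" else "pp 1"
```

Two consequences fall out of the model: a destination that was never resolved through the router (a redirect target, an address embedded in HTML) never matches an FQDN item, and when two names share an address the first filter in order decides, so a reject placed after a pass for the same address has no effect.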


Settings Examples

  • For Filter Type Routing: the default gateway uses PP1, and Microsoft Update uses PP2.

    ip filter 1000 pass * windowsupdate.microsoft.com,*.windowsupdate.microsoft.com,*.windowsupdate.com
    ip filter 1001 pass * download.windowsupdate.com,*.download.windowsupdate.com
    ip filter 1002 pass * download.microsoft.com,*.download.microsoft.com
    ip filter 1003 pass * test.stats.update.microsoft.com,ntservicepack.microsoft.com
    ip route default gateway pp 2 filter 1000 1001 1002 1003 gateway pp 1
    
    # show ip route
    Destination         Gateway          Interface       Kind  Additional Info.
    default             -                    PP[02]    static  filter:1000,1001,1002,1003
    default             -                    PP[01]    static
    192.168.100.0/24    192.168.100.1          LAN1  implicit
    
    The FQDNs listed in the filters are based on https://technet.microsoft.com/en-us/library/bb693717.aspx
    
  • For Packet Transfer Filter: the default gateway uses PP1, and Yahoo and Google use PP2.

    ip route default gateway pp 1
    ip lan1 forward filter 100
    ip filter 2000 pass * *.yahoo.com,*.google.com
    ip forward filter 100 1 gateway pp 2 filter 2000
    
