Reference Manual

NAME

setf - interact with the IP filter mechanism

sett - interact with the IP throttle mechanism

SYNOPSIS
setf ifn [add|delete|insert sip|name smask dip|name dmask [proto] [src_port] [dst_port] [delay|local]]
sett ifn [add|delete|insert sip|name smask dip|name dmask proto src_port dst_port [throttle]]
setf ifn delete all | i
setf ifn swap i j
setfx ip|name [allow|block|local]
setnhf ifn.gwn [ip | name [MB]]


...

DESCRIPTION
When invoked with only the ifn argument, the commands print the current contents of the IP Filter Table for the specified interface.

Argument add, followed by up to seven or eight further arguments (the filter fields shown in the SYNOPSIS), appends the specified filter to the end of the table.
Argument delete, followed by seven or eight arguments, deletes the matching filter from the table. If all is specified instead, all entries are deleted; if an index i is specified, only that entry is deleted.
Argument insert, followed by up to seven or eight further arguments, inserts the specified filter at the top of the table.
Argument swap, followed by two index values, swaps the specified table entries.

sip is the IP source address filter. A DNS name can be specified.
smask is the mask to be applied to the packet IP source address before the comparison with sip.
dip is the IP destination address filter. A DNS name can be specified.
dmask is the mask to be applied to the packet IP destination address before the comparison with dip.
proto is the IP protocol name or number. Typical values are 1 for ICMP, 6 for TCP and 17 for UDP.
src_port is the source port number for UDP and TCP packets.
dst_port is the destination port number for UDP and TCP packets.

delay is the time in msec for which matching packets will be delayed before forwarding. If the specified delay is 0 or allow, matching packets will be allowed. If the delay is -1 or block, matching packets will be silently discarded. If the delay is -2 or local, matching packets destined for the Internet will be silently discarded.

throttle is the maximum rate at which matching packets should be forwarded. Its value is expressed as a percentage of the current interface bandwidth.

The value 0.0.0.0 matches any IP address or mask; the value 0 matches any protocol or port number.
All traffic from a given subnet may be filtered by specifying the mask of the subnet. If non-zero IP addresses or names are specified, the relevant masks should also be non-zero.

Command setfx allows a filter to be set for a host with the given IP address or name. Possible filter types are: ALLOW all traffic, allow LOCAL traffic only, or BLOCK all traffic.

Command setnhf allows a Next Hop Filter to be specified for a specific gateway. All traffic forwarded to/from the specified gateway will be dropped once the specified maximum (in MB) has been exceeded.

NOTES
The Filter mechanism allows selected packets arriving at a specified interface to be discarded or delayed for a specified period before being forwarded by NAT32. Packets can also be throttled so that they consume no more than a specified proportion of available bandwidth during any one-second interval.

For the sett command, the specified throttle value must be between 0 and 100.
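The rate limit described above (matching packets may consume no more than a given percentage of the interface bandwidth in any one-second interval, with values outside 0..100 rejected) can be modelled with a sliding one-second window. The following Python model is an added example written for this page, not NAT32 code; the bandwidth figure, packet sizes and timings are constructed, and reading "any one-second interval" as a trailing sliding window (rather than fixed clock-aligned seconds) is this example's own choice.

```python
from collections import deque


class Throttle:
    """Sliding one-second window: the bits forwarded in the trailing second may not exceed
    percent % of the interface bandwidth. Assumption of this example: bandwidth is given in
    bits per second and packet sizes in bytes."""

    def __init__(self, bandwidth_bps, percent):
        if not 0 <= percent <= 100:
            raise ValueError("throttle must be between 0 and 100")
        self.budget_bits = bandwidth_bps * percent / 100.0
        self.sent = deque()        # (time, bits) of packets forwarded in the trailing second
        self.used_bits = 0

    def offer(self, t, size_bytes):
        """Return True if a matching packet of size_bytes arriving at time t (seconds) is forwarded."""
        bits = size_bytes * 8
        while self.sent and t - self.sent[0][0] >= 1.0:    # expire packets older than one second
            self.used_bits -= self.sent.popleft()[1]
        if self.used_bits + bits > self.budget_bits:
            return False                                    # discarded silently, no ICMP error
        self.sent.append((t, bits))
        self.used_bits += bits
        return True


def simulate(bandwidth_bps, percent, packets):
    """Apply one throttle to a list of (time, size_bytes) and return the forward/drop decisions."""
    th = Throttle(bandwidth_bps, percent)
    return [th.offer(t, size) for t, size in packets]


# Constructed sample: 1 Mbit/s interface, 1500-byte packets every 100 ms, then two more
# at t=1.00 s (the packet from t=0.00 s has just left the window) and t=1.05 s.
SAMPLE = [(i / 10, 1500) for i in range(10)] + [(1.0, 1500), (1.05, 1500)]

if __name__ == "__main__":
    # With a 10 % throttle the budget is 100,000 bits per second, i.e. eight 1500-byte packets.
    for (t, size), ok in zip(SAMPLE, simulate(1_000_000, 10, SAMPLE)):
        print(f"t={t:.2f}s {size} bytes -> {'forward' if ok else 'drop'}")
```

At 10 % of 1 Mbit/s the budget is 100,000 bits per trailing second, so packets 9 and 10 of the burst are dropped, the packet at 1.00 s is forwarded again once the first one has aged out of the window, and the one at 1.05 s is dropped because the window still holds eight forwarded packets. A throttle of 0 discards every matching packet and 100 imposes no limit beyond the interface bandwidth.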

The filter table is evaluated from top to bottom, terminating when a match is found.

A filter is evaluated from left to right, and evaluation terminates as soon as a condition is not met.

No ICMP error messages are generated if packets are discarded.

Packets are only filtered on arrival at a NAT32 interface. Therefore, source and destination fields are relative to that interface.

To filter packets from a private machine to an Internet name or address, an appropriate filter should be specified for the NAT32 private interface at which the packet arrived. Similarly, to block packets arriving at an Internet interface, an appropriate filter should be specified for the NAT32 Internet interface at which the packet arrived.

The specified masks are applied to the specified IP addresses before those addresses are stored in the filter table.

Traffic between local machines is never filtered or throttled.

The IP Filter Table has a maximum size of 16 entries per interface. The table is compressed whenever an entry is deleted and only searched from index 0 to the last valid entry in order to reduce search times.
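The table semantics given under DESCRIPTION (0.0.0.0 and 0 as wildcards, masks applied before storage, the delay codes allow/block/local) together with the notes above (top-to-bottom search ending at the first match, left-to-right evaluation within an entry, the 16-entry limit and compression on delete) can be modelled offline. The following Python model is an added example written for this page; it is not NAT32 code and does not resolve DNS names. The interface name eth0, the addresses in the tests, and the use of the RFC 1918 ranges to decide what counts as "destined for the Internet" for the local code are constructed assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

MAX_ENTRIES = 16                                 # per-interface table size stated in the manual
PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17}   # the manual's typical protocol numbers
DELAY_NAMES = {"allow": 0, "block": -1, "local": -2}
# Assumption of this example: "destined for the Internet" means outside RFC 1918 space.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def ip_int(text):             # dotted quad to int; DNS names are not resolved in this offline model
    return int(ipaddress.IPv4Address(text))

def _proto(tok):
    return int(tok) if tok.isdigit() else PROTO_NAMES[tok.lower()]

def _delay(tok):
    return DELAY_NAMES[tok.lower()] if tok.lower() in DELAY_NAMES else int(tok)

def is_internet(dip):
    return not any(ipaddress.IPv4Address(dip) in net for net in PRIVATE_NETS)

@dataclass
class FilterEntry:
    sip: int        # source address, stored already ANDed with smask (as the manual states)
    smask: int
    dip: int        # destination address, stored already ANDed with dmask
    dmask: int
    proto: int      # 0 = any protocol
    src_port: int   # 0 = any port
    dst_port: int   # 0 = any port
    delay: int      # msec; 0 allow, -1 block, -2 local

def build_entry(args):
    """Parse 'sip smask dip dmask [proto] [src_port] [dst_port] [delay]'; omitted fields are 0."""
    if not 4 <= len(args) <= 8:
        raise ValueError("expected 4 to 8 filter fields")
    sip, smask, dip, dmask = (ip_int(a) for a in args[:4])
    opt = list(args[4:]) + ["0"] * (8 - len(args))
    return FilterEntry(sip & smask, smask, dip & dmask, dmask,
                       _proto(opt[0]), int(opt[1]), int(opt[2]), _delay(opt[3]))

def lookup(entries, sip, dip, proto, src_port, dst_port):
    """Search top to bottom; within an entry test conditions left to right and abandon it at
    the first one not met. Return the delay code of the first match, or 0 if none matches."""
    s, d = ip_int(sip), ip_int(dip)
    for e in entries:
        if e.sip and (s & e.smask) != e.sip:                  # 0.0.0.0 matches any address
            continue
        if e.dip and (d & e.dmask) != e.dip:
            continue
        if (e.proto and e.proto != proto) or (e.src_port and e.src_port != src_port) \
                or (e.dst_port and e.dst_port != dst_port):   # 0 matches any protocol or port
            continue
        return e.delay
    return 0

class Router:
    """One filter table (a list) per interface plus a parser for 'setf ifn ...' command lines."""

    def __init__(self):
        self.tables = {}

    def setf(self, line):
        parts = line.split()
        if len(parts) < 2 or parts[0] != "setf":
            raise ValueError("expected: setf ifn [add|delete|insert|swap ...]")
        table = self.tables.setdefault(parts[1], [])
        verb, args = (parts[2], parts[3:]) if len(parts) > 2 else (None, [])
        if verb in ("add", "insert"):
            if len(table) >= MAX_ENTRIES:
                raise ValueError(f"filter table full ({MAX_ENTRIES} entries)")
            table.insert(len(table) if verb == "add" else 0, build_entry(args))   # end or top
        elif verb == "delete":
            if args == ["all"]:
                table.clear()
            elif len(args) == 1 and args[0].isdigit():
                del table[int(args[0])]                       # deleting compresses the table
            else:
                table.remove(build_entry(args))
        elif verb == "swap":
            i, j = int(args[0]), int(args[1])
            table[i], table[j] = table[j], table[i]
        elif verb is not None:
            raise ValueError(f"unknown action {verb}")
        return list(table)                                    # 'setf ifn' alone just shows the table

    def decide(self, ifn, sip, dip, proto, src_port, dst_port):
        code = lookup(self.tables.get(ifn, []), sip, dip, proto, src_port, dst_port)
        if code == -1:
            return "drop"                                     # silently: no ICMP error is generated
        if code == -2:                                        # local: drop only Internet-bound packets
            return "drop" if is_internet(dip) else "forward"
        return "forward" if code == 0 else f"delay {code} ms"
```

Because the first matching entry wins, the order in which filters are added matters: an insert of a host-specific allow entry at the top overrides a broader block entry for its subnet, and a later swap of those two entries reverses the outcome for that host. This is also why the manual advises placing the filter commands in user.txt in the intended order, since nothing else records them.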

The filter settings are not recorded in any configuration file or in the Windows Registry. To make the settings permanent, the commands that add the filters should be placed in file user.txt.

SEE ALSO
admin, rmode, Traffic Management