Configuring a rule for icmp-type options, Table 15 – Brocade Communications Systems ServerIron ADX 12.4.00a User Manual

Page 144

ServerIron ADX Security Guide, 53-1002440-03, Chapter 5: DDoS protection, page 130

Configuring a rule for icmp-type options

ServerIron ADX has a set of built-in rules for matching ICMP message types. The rule icmp-type
command takes one of the <icmp-type> options listed in Table 15.

The following example configures the "filter3" security filter with a rule that drops packets of
ICMP type echo-reply.

ServerIronADX(config)# security filter filter3

ServerIronADX(config-sec-filter3)# rule icmp-type echo-reply drop

Syntax:

[no] rule icmp-type <icmp-type> [log | no-log] [drop | no-drop]

The <icmp-type> variable can be one of the options described in Table 15.

The log parameter directs the ServerIron ADX to log traffic on the bound interface that matches
the rule specified by the configured <icmp-type>. The no-log parameter disables this function.

The drop parameter directs the ServerIron ADX to drop traffic on the bound interface that matches
the rule specified by the configured <icmp-type>. The no-drop parameter disables this function.

TABLE 15    ICMP option types and descriptions

ICMP Option Type                 Description
icmp-type addr-mask              icmp type 17: addr-mask
icmp-type addr-mask-reply        icmp type 18: addr-mask-reply
icmp-type destination <type>     icmp type 3: destination-unreachable. The <type> variable is
                                 one of the values listed below; each selects one ICMP type 3 code.
icmp-type echo-reply             icmp type 0: echo-reply
icmp-type echo-request           icmp type 8: echo-request
icmp-type info-reply             icmp type 16: information-reply
icmp-type info-request           icmp type 15: information-request
icmp-type param-problem          icmp type 12: parameter-problem
icmp-type redirect               icmp type 5: redirect
icmp-type timestamp-reply        icmp type 14: timestamp-reply

<type> values for icmp-type destination (ICMP type 3 codes):

<type>                           Code
admin-prohibit                   code 13: admin-prohibit
fragment-needed                  code 4: fragment-needed
host-admin-prohibited            code 10: destination-host-admin-prohibited
host-precedence-violation        code 14: host-precedence-violation
host-unknown                     code 7: destination-host-unknown
host-unreachable                 code 1: host-unreachable
host-unreachable-for-tos         code 12: host-unreachable-for-tos
net-admin-prohibited             code 9: destination-network-admin-prohibited
net-unknown                      code 6: net-unknown
net-unreachable                  code 0: network-unreachable
network-unreachable-for-tos      code 11: network-unreachable-for-tos
port-unreachable                 code 3: port-unreachable
precedence-cutoff                code 15: precedence-cutoff-in-effect
protocol-unreachable             code 2: protocol-unreachable
route-fail                       code 5: route-fail
source-host-isolated             code 8: source-host-isolate
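The following Python is an added worked example, not code from the Brocade manual or the ServerIron ADX product. It encodes the Table 15 option names as the ICMP type and type 3 code numbers they stand for, parses rule lines in the `[no] rule icmp-type <icmp-type> [log | no-log] [drop | no-drop]` syntax, and evaluates constructed ICMP headers against a filter so you can see which packets a rule such as `rule icmp-type echo-reply drop` would affect. The SecurityFilter class, first-match evaluation, treating an omitted keyword as no-log/no-drop, and the sample headers are assumptions of this example, not documented ServerIron ADX behaviour.

```python
"""Added example: Table 15 name -> ICMP type/code mapping and a toy rule evaluator."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ICMP type numbers for the Table 15 <icmp-type> option names.
ICMP_TYPE_NUMBERS: Dict[str, int] = {
    "addr-mask": 17, "addr-mask-reply": 18, "destination": 3,
    "echo-reply": 0, "echo-request": 8, "info-reply": 16,
    "info-request": 15, "param-problem": 12, "redirect": 5,
    "timestamp-reply": 14,
}

# Table 15 <type> names for "icmp-type destination" -> ICMP type 3 code.
DESTINATION_CODES: Dict[str, int] = {
    "admin-prohibit": 13, "fragment-needed": 4, "host-admin-prohibited": 10,
    "host-precedence-violation": 14, "host-unknown": 7, "host-unreachable": 1,
    "host-unreachable-for-tos": 12, "net-admin-prohibited": 9,
    "net-unknown": 6, "net-unreachable": 0, "network-unreachable-for-tos": 11,
    "port-unreachable": 3, "precedence-cutoff": 15, "protocol-unreachable": 2,
    "route-fail": 5, "source-host-isolated": 8,
}


@dataclass(frozen=True)
class IcmpRule:
    icmp_type: int
    icmp_code: Optional[int]  # None matches any code
    log: bool
    drop: bool
    negate: bool              # True for "no rule ...", which removes the rule


def parse_rule(line: str) -> IcmpRule:
    """Parse '[no] rule icmp-type <icmp-type> [log | no-log] [drop | no-drop]'."""
    tokens = line.split()
    negate = tokens[:1] == ["no"]
    if negate:
        tokens = tokens[1:]
    if tokens[:2] != ["rule", "icmp-type"] or len(tokens) < 3:
        raise ValueError(f"not a rule icmp-type line: {line!r}")
    name, rest = tokens[2], tokens[3:]
    if name not in ICMP_TYPE_NUMBERS:
        raise ValueError(f"unknown icmp-type option: {name}")
    code: Optional[int] = None
    if name == "destination":
        # The destination option takes a <type> keyword from Table 15.
        if not rest or rest[0] not in DESTINATION_CODES:
            raise ValueError("icmp-type destination needs a <type> from Table 15")
        code, rest = DESTINATION_CODES[rest[0]], rest[1:]
    # Assumption of this example: an omitted keyword behaves like no-log / no-drop.
    log = drop = False
    for keyword in rest:
        if keyword in ("log", "no-log"):
            log = keyword == "log"
        elif keyword in ("drop", "no-drop"):
            drop = keyword == "drop"
        else:
            raise ValueError(f"unknown keyword: {keyword}")
    return IcmpRule(ICMP_TYPE_NUMBERS[name], code, log, drop, negate)


class SecurityFilter:
    """Hypothetical stand-in for a ServerIron ADX security filter (assumption)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: List[IcmpRule] = []

    def configure(self, line: str) -> None:
        rule = parse_rule(line)
        key = (rule.icmp_type, rule.icmp_code)
        # A later rule for the same type/code replaces the earlier one; "no rule" removes it.
        self.rules = [r for r in self.rules if (r.icmp_type, r.icmp_code) != key]
        if not rule.negate:
            self.rules.append(rule)

    def evaluate(self, icmp_type: int, icmp_code: int) -> Tuple[str, bool]:
        """Return (action, logged) from the first matching rule, else permit unlogged."""
        for rule in self.rules:
            if rule.icmp_type == icmp_type and rule.icmp_code in (None, icmp_code):
                return ("drop" if rule.drop else "permit", rule.log)
        return ("permit", False)


def icmp_type_code(icmp_header: bytes) -> Tuple[int, int]:
    """ICMP header layout (RFC 792): byte 0 is the type, byte 1 the code."""
    if len(icmp_header) < 4:
        raise ValueError("ICMP header is at least 4 bytes")
    return icmp_header[0], icmp_header[1]


def demo() -> Dict[str, Tuple[str, bool]]:
    """Configure filter3 as in the manual, plus a logged-only type 3 / code 3 rule."""
    filt = SecurityFilter("filter3")
    filt.configure("rule icmp-type echo-reply drop")
    filt.configure("rule icmp-type destination port-unreachable log no-drop")
    # Constructed sample ICMP headers: type, code, checksum (2 bytes), 4 bytes of rest-of-header.
    samples = {
        "echo-reply": bytes([0, 0, 0xAB, 0xCD, 0, 1, 0, 1]),
        "port-unreachable": bytes([3, 3, 0x12, 0x34, 0, 0, 0, 0]),
        "echo-request": bytes([8, 0, 0xAB, 0xCD, 0, 1, 0, 1]),
    }
    return {label: filt.evaluate(*icmp_type_code(hdr)) for label, hdr in samples.items()}


if __name__ == "__main__":
    for label, (action, logged) in demo().items():
        print(f"{label:18} -> {action}, logged={logged}")
```

Running the script shows the echo-reply sample dropped, the port-unreachable sample permitted but logged, and the echo-request sample untouched; the point is that the filter matches on the raw ICMP type byte (and, for destination-unreachable, the code byte), which is why Table 15 lists the numeric type and code beside each keyword.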
