Efficient Networks 107-0001-000 User Manual


Efficient Networks® Router family
Command Line Interface Guide
Chapter 6: Remote Commands
Page 6-33

NOTE:

More than one -tcp option may be specified for the IP filter.

The syn, ack, and noflag settings work together as follows:

Specify -tcp syn if the TCP SYN flag must be set.
Specify -tcp ack if the TCP ACK flag must be set.
Specify -tcp noflag if neither the SYN flag nor the ACK flag can be set.

For example, for the IP filter to match the initiation of a TCP connection, specify -tcp syn. The filter will match TCP packets that have the TCP SYN flag set but not the TCP ACK flag set. For the filter to match the response to the initiation of a TCP connection, specify -tcp syn and -tcp ack. The filter will then match only TCP packets with both the TCP SYN and TCP ACK flags set.

The -tcp rst setting is independent of the others; if you specify -tcp rst for the filter, the filter matches every TCP packet with the TCP RESET flag set, regardless of the other flag settings. For example, for the filter to match packets for "established" connections, you would specify both -tcp rst and -tcp ack, so that the filter is applied to every TCP packet that has either the RESET flag or the ACK flag set.

The following <parameter>s request additional filter options.

-tcp syn | ack | noflag | rst

If the IP packet is a TCP packet, the filter matches the packet only if the packet flag
settings are as specified. If no -tcp option is specified for the filter, flag settings are
not checked.

-b

This option requests that this filter be compared twice with each packet. The first time, the source filter information is matched against the source information in the IP packet and the destination filter information is matched against the destination information in the IP packet. The second time, the source filter information is matched against the destination information in the IP packet and the destination filter information is matched against the source information in the IP packet.
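The following Python models the matching rules this page documents for the -tcp flag settings (the NOTE above and the -tcp parameter), the two-pass comparison requested by -b, and the per-filter counter kept by -c. It is an added illustration written for this page, not Efficient Networks firmware or CLI code. The Packet and Filter types, the ports() helper, the collapsing of -sa/-sm and -da/-dm into one network each, counting one hit per matching packet, and the treatment of a SYN+ACK packet under "-tcp ack" given on its own (which the page does not spell out) are assumptions.

```python
"""Model of how an ipfilter rule's -tcp, -b and -c options are evaluated,
following the behaviour documented on this page.  This is an added
illustration written for this page, not Efficient Networks firmware."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# TCP control bits as laid out in the TCP header (RFC 793)
SYN = 0x02
RST = 0x04
ACK = 0x10


def ports(first, last=None):
    """-sp/-dp style port spec: a single port or an inclusive first:last range."""
    return range(first, (first if last is None else last) + 1)


@dataclass
class Packet:
    """Constructed packet summary holding only the fields a filter examines."""
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: int = 0       # TCP control bits; ignored unless proto == "tcp"


def tcp_flags_match(opts, flags):
    """Apply the -tcp syn | ack | noflag | rst rules as the page states them.

    opts is the set of -tcp values given; more than one may be specified.
    """
    if not opts:                        # no -tcp option: flag settings are not checked
        return True
    if "rst" in opts and flags & RST:   # rst is independent of the other settings
        return True
    group = opts - {"rst"}              # syn, ack and noflag work together
    if not group:                       # only rst was given and RST is clear
        return False
    if "noflag" in group:               # neither SYN nor ACK may be set
        return flags & (SYN | ACK) == 0
    if "syn" in group and not flags & SYN:
        return False
    if "ack" in group and not flags & ACK:
        return False
    # "-tcp syn" on its own matches SYN set but not ACK set.
    if "syn" in group and "ack" not in group and flags & ACK:
        return False
    # Assumption: "-tcp ack" on its own says nothing about SYN, so SYN+ACK passes.
    return True


@dataclass
class Filter:
    """One ipfilter rule; field names follow the CLI options in this chapter."""
    proto: Optional[str] = None         # -p
    src: str = "0.0.0.0/0"              # -sa/-sm collapsed into one network (assumption)
    dst: str = "0.0.0.0/0"              # -da/-dm, likewise
    sport: Optional[range] = None       # -sp
    dport: Optional[range] = None       # -dp
    tcp: frozenset = frozenset()        # every -tcp value given for the rule
    bidirectional: bool = False         # -b
    count: int = 0                      # -c counter shown by "remote ipfilter list"

    def _one_way(self, pkt, src, dst, sport, dport):
        """Compare the rule against a single orientation of the packet."""
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        if self.sport is not None and sport not in self.sport:
            return False
        if self.dport is not None and dport not in self.dport:
            return False
        # Flag settings are checked only if the packet is a TCP packet.
        if pkt.proto == "tcp" and not tcp_flags_match(self.tcp, pkt.flags):
            return False
        return True

    def matches(self, pkt):
        hit = self._one_way(pkt, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if not hit and self.bidirectional:
            # -b: compare a second time with source and destination swapped
            hit = self._one_way(pkt, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if hit:
            self.count += 1             # counted once per matching packet (assumption)
        return hit

    def clear(self):
        """What "remote ipfilter clear" does to the counter."""
        self.count = 0


if __name__ == "__main__":
    # Constructed traffic: an outbound web connection request and its reply.
    syn = Packet("10.0.0.5", "192.0.2.1", "tcp", 40000, 80, SYN)
    syn_ack = Packet("192.0.2.1", "10.0.0.5", "tcp", 80, 40000, SYN | ACK)
    web_out = Filter(proto="tcp", src="10.0.0.0/24", dst="192.0.2.1/32",
                     dport=ports(80), tcp=frozenset({"syn"}), bidirectional=True)
    print(web_out.matches(syn), web_out.matches(syn_ack), web_out.count)
```

The -b pass reuses the same address, port and flag checks with the packet's endpoints swapped, so it widens which direction a rule applies to but never relaxes the -tcp test: the reply above fails the syn-only rule even though the swapped addresses and ports match.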

-c <count of times rule used>

This option requests a counter for this filter. If specified, a count is kept of how many IP packets have matched this filter since the router was rebooted. To see the current count for a filter, use the remote ipfilter list command. To clear a counter, use the remote ipfilter clear command.

-ipsec <IPSec record name>

Use this option when the <action> specified is inipsec or outipsec. It specifies the IPSec Security Association that uses the filter.

q or -v
