Enabling the ipv6 firewall function, Configuring ipv6 packet filtering on an interface – H3C Technologies H3C SecPath F1000-E User Manual


Enabling the IPv6 firewall function

Step                                      Command                                    Remarks
1. Enter system view.                     system-view                                N/A
2. Enable the IPv6 firewall function.     firewall ipv6 enable                       Disabled by default

Configuring the default filtering action of the IPv6 firewall

The default filtering action tells the firewall whether to permit or deny a packet that matches no filtering criterion at all.

To configure the default filtering action of the IPv6 firewall:

Step                                      Command                                    Remarks
1. Enter system view.                     system-view                                N/A
2. Specify the default filtering action   firewall ipv6 default { deny | permit }    Optional. The default is permit
   of the firewall.                                                                  (packets are permitted to pass the firewall).

Configuring IPv6 packet filtering on an interface

When an ACL is applied to an interface, any time ranges referenced by the ACL rules take effect at the same time. You can also specify separate access rules for inbound and outbound packets.

Basic ACLs are numbered 2000 to 2999. A basic ACL defines rules based only on the Layer 3 source IP address of a packet.

Advanced ACLs are numbered 3000 to 3999. An advanced ACL defines rules according to the source and destination IP addresses of packets, the type of protocol carried over IP, the TCP/UDP source and destination ports, and so on.
An advanced ACL supports the following match modes:

• Normal match—Matches Layer 3 information only. Non-Layer 3 information (such as TCP/UDP ports) is ignored.

• Exact match—Matches all criteria of the advanced ACL rules, including non-Layer 3 information. Because only the first fragment of a fragmented packet carries the Layer 4 header, you must enable fragment inspection so that the firewall records the status of the first fragment of each packet and can obtain the match information for its subsequent fragments.

The default mode is normal match mode.

NOTE:

You can neither enable packet filtering on an interface in an aggregation group or service loopback group, nor add an interface with packet filtering enabled to an aggregation group or service loopback group.
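The following Python model, added here as an illustration and not part of the H3C manual or the SecPath software, shows how the default filtering action, the normal and exact match modes, and fragment inspection interact as described above. The packets, rule and addresses (documentation prefix 2001:db8::/32) are constructed; the class and method names are invented for the example. Its point is the failure mode the text warns about: in exact match mode without fragment inspection, a subsequent fragment carries no Layer 4 header, so a rule with a port criterion cannot match it and the packet falls through to the default action.

```python
"""Toy model of the IPv6 firewall semantics in the text (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                     # protocol over IPv6, e.g. "tcp"
    dport: Optional[int] = None    # None when no Layer 4 header is present
    frag_id: Optional[int] = None  # Fragment header identification; None if unfragmented
    first_fragment: bool = True    # only the first fragment carries the Layer 4 header


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src: Optional[str] = None      # None means "any"
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None    # Layer 4 criterion; only honoured in exact match mode


class Ipv6Firewall:
    """Hypothetical model: ordered rules, a default action, a match mode, fragment inspection."""

    def __init__(self, default_action: str = "permit", match_mode: str = "normal",
                 fragment_inspection: bool = False) -> None:
        assert default_action in ("permit", "deny") and match_mode in ("normal", "exact")
        self.default_action = default_action
        self.match_mode = match_mode
        self.fragment_inspection = fragment_inspection
        self.rules: List[Rule] = []
        # First-fragment state: (src, dst, frag_id) -> destination port seen in the first fragment
        self._frag_state: Dict[Tuple[str, str, int], Optional[int]] = {}

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def _resolve_layer4(self, pkt: Packet) -> Optional[int]:
        """Return the destination port usable for matching, recording first-fragment state."""
        if pkt.first_fragment:
            if self.fragment_inspection and pkt.frag_id is not None:
                self._frag_state[(pkt.src, pkt.dst, pkt.frag_id)] = pkt.dport
            return pkt.dport
        if self.fragment_inspection and pkt.frag_id is not None:
            return self._frag_state.get((pkt.src, pkt.dst, pkt.frag_id))
        return None  # subsequent fragment with no recorded state: Layer 4 info unknown

    def _matches(self, rule: Rule, pkt: Packet, l4_port: Optional[int]) -> bool:
        # Layer 3 criteria are checked in both modes.
        if rule.src is not None and rule.src != pkt.src:
            return False
        if rule.dst is not None and rule.dst != pkt.dst:
            return False
        if rule.proto is not None and rule.proto != pkt.proto:
            return False
        if self.match_mode == "normal":
            return True  # normal match: non-Layer 3 criteria are ignored
        # Exact match: the port criterion must be both verifiable and satisfied.
        if rule.dport is not None and (l4_port is None or l4_port != rule.dport):
            return False
        return True

    def filter(self, pkt: Packet) -> str:
        l4_port = self._resolve_layer4(pkt)
        for rule in self.rules:
            if self._matches(rule, pkt, l4_port):
                return rule.action
        return self.default_action  # no appropriate criterion: apply the default action


def demo() -> Dict[str, str]:
    """Run constructed packets through several firewall configurations."""
    deny_telnet = Rule("deny", dst="2001:db8::10", proto="tcp", dport=23)
    first = Packet("2001:db8::1", "2001:db8::10", "tcp", dport=23, frag_id=7, first_fragment=True)
    later = Packet("2001:db8::1", "2001:db8::10", "tcp", dport=None, frag_id=7, first_fragment=False)
    http = Packet("2001:db8::1", "2001:db8::10", "tcp", dport=80)
    results: Dict[str, str] = {}

    normal = Ipv6Firewall("permit", "normal")
    normal.add_rule(deny_telnet)
    results["normal/http"] = normal.filter(http)      # port ignored: Layer 3 alone matches -> deny
    results["normal/later"] = normal.filter(later)    # fragment matched on Layer 3 -> deny

    exact = Ipv6Firewall("permit", "exact")
    exact.add_rule(deny_telnet)
    results["exact/http"] = exact.filter(http)        # port 80 != 23 -> default permit
    results["exact/first"] = exact.filter(first)      # port 23 -> deny
    results["exact/later"] = exact.filter(later)      # no Layer 4 info, no inspection -> default permit

    exact_deny = Ipv6Firewall("deny", "exact")
    exact_deny.add_rule(deny_telnet)
    results["exact-deny/later"] = exact_deny.filter(later)  # same gap, closed only by default deny

    inspect = Ipv6Firewall("permit", "exact", fragment_inspection=True)
    inspect.add_rule(deny_telnet)
    results["inspect/first"] = inspect.filter(first)  # records first-fragment state -> deny
    results["inspect/later"] = inspect.filter(later)  # inherits port 23 from state -> deny
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The "exact/later" result is the case the manual's instruction addresses: with a permissive default action and no fragment inspection, a subsequent fragment of a denied flow is forwarded because nothing can be matched against it. Enabling fragment inspection (the "inspect/later" case) or choosing a deny default closes that gap in this model.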
