H3C Technologies H3C Intelligent Management Center User Manual

860

a.

Click the checkbox to the left of the sequence number for each of the rules you want to

delete.

b.

Click Delete. When prompted, click OK to confirm the deletion of the selected rules.

c.

Skip to the next step

To add new rules:

d.

Click Add on the Configure Rule page and the Add Rule page appears.

e.

Select the action you want to take by clicking the radio button to the left of the option you
want to apply to this rule:

{

Select permit if, upon matching the specified conditions, the packet should be forwarded.

{

Select deny if, upon matching the specified conditions, the packet should be discarded.

f.

Select the time range you want to apply to this rule from the Time Range list.

Select the source IP address option you want to use by clicking the radio button to the left of the
desired option:

This option specifies where the pattern matching occurs in this rule. In this case, the pattern
matching is applied to the source IP address.

•

All: Allows you to permit or deny traffic for all IP addresses.

•

IP Address/Mask: Allows you to enter a specific IP address and its subnet mask for which you want
to either permit or deny traffic for.

g.

Enter an IP address/subnet mask combination in the IP Address/Mask field.
The subnet mask must be entered in dotted decimal notation. A valid IP address/subnet mask
using dotted decimal notation would be

192.168.1.0/255.255.255.0

A forward slash "/" must be used to separate the IP address from the subnet mask.

20.

Do one of the following:

{

Click the radio button to the left of Yes in the Fragment option if you want to apply the rule
to each fragment.

{

Click the radio button to the left of No in the Fragment option if you want to apply the rule
to first fragments.
Traditional packet filtering matched only first fragments of IPv4 packets and allowed all
subsequent non-first fragments to pass through. This resulted in security risks as hackers can

fabricate non-first fragments to attack networks.

{

Click the radio button to the left of Yes in the Logging option if you want to enable logging
for this rule.
This feature enables the logging of packet filtering only when a module (for example, a firewall)
using the ACL supports logging.

•

Enter the VPN instance you want to apply to this rule by entering the VPN-instance-name in the VPN
Instance field. A valid entry must be 0-31 characters that cannot contain question marks or blank
spaces. Note also that this field is case sensitive. If no VPN instance is specified in this field, the rule

applies only to non-VPN packets.

•

Click OK to create the rule you have just configured.

21.

Do one of the following:

{

To add more rules to the ACL, repeat this step.