Response – Efficient Networks 107-0001-000 User Manual
Page 476

Chapter 18: Stateful Firewall Commands
Page 18-10
Efficient Networks®
The following <parameters> specify additional characteristics that an IP packet must
have in order to match the firewall rule.
-sp <ICMP type> | <first source port>[:<last source port>]
If the protocol is ICMP, the packet must match the specified ICMP type. If the packet is TCP or UDP and only one source port is specified, the packet must have that source port; if a range is defined, the packet must have a port within the specified source port range. If no source port is specified, the firewall rule matches any source port in the range 0 - 65535.
-dp <ICMP code> | <first dest port>[:<last dest port>]
If the protocol is ICMP, the packet must match the specified ICMP code. If the packet is TCP or UDP and only one port is specified, the packet must have that destination port; if a range is defined, the packet must have a port within the specified destination port range. If no destination port is specified, the firewall rule matches any destination port in the range 0 - 65535.
-da <first dest ip addr>[:<last dest ip addr>]
The packet must have a destination IP address within the specified address range. If only one address is specified, the packet must have that destination IP address. If no destination IP address is specified, the firewall rule matches any valid IPv4 address.
-sa <first source ip addr>[:<last source ip addr>]
The packet must have a source IP address within the specified address range. If only one address is specified, the packet must have that source IP address. If no source IP address is specified, the firewall rule matches any valid IPv4 address.
-sm <source ip mask>
The firewall rule uses the specified mask when comparing the <first source ip addr>...<last source ip addr> with the source IP address in the IP packet. If no source mask is specified, the mask used is 255.255.255.255.
-dm <dest ip mask>
The firewall rule uses the specified mask when comparing the <first dest ip addr>...<last dest ip addr> with the destination IP address in the IP packet. If no destination mask is specified, the mask used is 255.255.255.255.

Specify one of these options to determine when watch messages are sent for this firewall rule. The messages are sent to the console serial port and, if configured, a Syslog server.
-q | -v
If -q (quiet) is specified, no messages are displayed for this firewall rule, even if the rule causes a packet to be dropped.
If -v (verbose) is specified, a message is displayed every time this firewall rule matches a packet, regardless of the rule action. This is the default setting for firewall deny rules.

Specify one of these options to set the direction of the packet to which the firewall rule is applied. If no direction parameter is specified, the direction defaults to both.
in | out

Response
Command prompt.
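
The matching behaviour of -sp, -dp, -sa, -da, -sm and -dm described on this page, modelled in Python as an added example (not Efficient Networks code or CLI syntax). The `proto` field, the packet dictionary keys, and the reading of the mask as ANDed onto both range bounds and the packet address are assumptions.

```python
import ipaddress
from dataclasses import dataclass

ICMP, TCP, UDP = 1, 6, 17          # IANA protocol numbers
FULL = "255.255.255.255"           # manual's default for -sm / -dm

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _span(spec, top, conv):
    """Parse 'first[:last]'; None is the documented match-any default."""
    if spec is None:
        return 0, top
    first, _, last = spec.partition(":")
    lo = conv(first)
    hi = conv(last) if last else lo
    if not 0 <= lo <= hi <= top:
        raise ValueError(f"bad range {spec!r}")
    return lo, hi

@dataclass
class Rule:
    proto: int          # assumed field; the protocol option is not on this page
    sp: str = None      # -sp: ICMP type, or source port[:last]
    dp: str = None      # -dp: ICMP code, or dest port[:last]
    sa: str = None      # -sa first[:last]
    da: str = None      # -da first[:last]
    sm: str = FULL      # -sm
    dm: str = FULL      # -dm

    def matches(self, pkt):
        if pkt["proto"] != self.proto:
            return False
        icmp = self.proto == ICMP  # -sp/-dp then carry type/code, not ports
        names = ("icmp_type", "icmp_code") if icmp else ("sport", "dport")
        for spec, name in zip((self.sp, self.dp), names):
            lo, hi = _span(spec, 255 if icmp else 65535, int)
            if not lo <= pkt[name] <= hi:
                return False
        for spec, mask, name in ((self.sa, self.sm, "src"), (self.da, self.dm, "dst")):
            (lo, hi), m = _span(spec, 2**32 - 1, _ip), _ip(mask)
            # Assumed reading: the mask is ANDed onto both bounds and the packet address.
            if not (lo & m) <= (_ip(pkt[name]) & m) <= (hi & m):
                return False
        return True

# Constructed samples (not from the manual): same rule with and without -sm.
PKT = {"proto": TCP, "sport": 40000, "dport": 443, "src": "192.168.1.9", "dst": "203.0.113.5"}
EXACT = Rule(TCP, dp="80:443", sa="192.168.1.77")
MASKED = Rule(TCP, dp="80:443", sa="192.168.1.77", sm="255.255.255.0")
```

Under this reading, `EXACT.matches(PKT)` is False and `MASKED.matches(PKT)` is True: a 255.255.255.0 source mask widens a single-host rule to every address sharing its first three octets. Review masks on allow rules with that in mind.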