Examples – Efficient Networks 107-0001-000 User Manual

Chapter 18: Stateful Firewall Commands
-da
The packet must have a destination IP address within the specified address range. If only one address is specified, the packet must have that destination IP address. If no destination IP address is specified, the firewall rule matches any valid IPv4 address.

-sa
The packet must have a source IP address within the specified address range. If only one address is specified, the packet must have that source IP address. If no source IP address is specified, the firewall rule matches any valid IPv4 address.

-sm
The firewall rule uses the specified mask when comparing the source IP address. If no source mask is specified, the mask used is 255.255.255.255.

-dm
The firewall rule uses the specified mask when comparing the destination IP address. If no destination mask is specified, the mask used is 255.255.255.255.

-q | -v
Specify one of these options to determine when watch messages are displayed for this firewall rule. The messages are sent to the console serial port and to a Syslog server, if configured.
If -q (quiet) is specified, no messages are displayed for this firewall rule, even if the rule causes a packet to be dropped. This is the default setting for firewall allow rules.
If -v (verbose) is specified, a message is displayed every time this firewall rule matches a packet, regardless of the rule action.

in | out
Specify one of these options to set the direction of the packet to which the firewall rule is applied. If no direction parameter is specified, the direction defaults to both.

Examples
The following examples assume that the LAN nodes behind the router are on the subnet 192.168.1.0 with a subnet mask of 255.255.255.0. The router has a WAN address of 12.10.1.1.

The following example allows the machines behind the router to FTP to any machine on the internet.
-> firewall allow -a FTP -sa 192.168.1.0 -sm 255.255.255.0 -d out

The following example allows the machines behind the router to FTP to one particular machine (64.12.11.1) on the internet.
-> firewall allow -a FTP -sa 192.168.1.0 -sm 255.255.255.0 -da 64.12.11.1 -d out
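
The address, mask and direction matching described above can be checked offline before a rule is entered on the router. The following Python sketch is an added example, not part of the manual and not the router's own code. It assumes the mask is ANDed with both the packet address and the rule address before comparison, treats -a as a plain application label, and does not model address ranges because the page shows no range syntax; all function names are hypothetical.

```python
import ipaddress
import shlex

DEFAULT_MASK = "255.255.255.255"  # per the manual: used when -sm / -dm is omitted

def parse_rule(line):
    """Parse a 'firewall allow' line using only the options shown on this page."""
    tokens = shlex.split(line.replace("->", "", 1))
    if tokens[:2] != ["firewall", "allow"]:
        raise ValueError("only 'firewall allow' rules are handled here")
    rule = {"-a": None, "-sa": None, "-sm": DEFAULT_MASK,
            "-da": None, "-dm": DEFAULT_MASK, "-d": "both"}  # no -d means both
    it = iter(tokens[2:])
    for opt in it:
        if opt not in rule:
            raise ValueError(f"unsupported option {opt!r}")
        rule[opt] = next(it)
    return rule

def _masked_equal(addr, rule_addr, mask):
    # Assumption: the mask is ANDed with both addresses before they are compared.
    if rule_addr is None:  # no address given: any valid IPv4 address matches
        return True
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(addr)) & m) == (int(ipaddress.IPv4Address(rule_addr)) & m)

def matches(rule, src, dst, direction, app="FTP"):
    """True if a packet (src, dst, 'in' or 'out') is matched by the parsed rule."""
    return (rule["-a"] in (None, app)
            and rule["-d"] in ("both", direction)
            and _masked_equal(src, rule["-sa"], rule["-sm"])
            and _masked_equal(dst, rule["-da"], rule["-dm"]))

# The two rules from the Examples section.
ANY_FTP = parse_rule("-> firewall allow -a FTP -sa 192.168.1.0 -sm 255.255.255.0 -d out")
ONE_HOST = parse_rule("-> firewall allow -a FTP -sa 192.168.1.0 -sm 255.255.255.0 "
                      "-da 64.12.11.1 -d out")
# Constructed variant: -sm left out, so the source mask defaults to 255.255.255.255
# and the rule matches only the single address 192.168.1.0, not the subnet.
NO_MASK = parse_rule("-> firewall allow -a FTP -sa 192.168.1.0 -d out")

if __name__ == "__main__":
    # Constructed sample packets: (source, destination, direction)
    for pkt in [("192.168.1.25", "198.51.100.7", "out"),
                ("192.168.1.25", "64.12.11.1", "out"),
                ("192.168.2.9", "64.12.11.1", "out"),
                ("192.168.1.25", "64.12.11.1", "in")]:
        print(pkt, [matches(r, *pkt) for r in (ANY_FTP, ONE_HOST, NO_MASK)])
```

The NO_MASK case shows the practical consequence of the default mask: a rule that names a subnet address in -sa but omits -sm covers one host address only.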