
Ip firewall policy – Enterasys Networks X-Pedition XSR CLI User Manual


Firewall Feature Set Commands

XSR CLI Reference Guide 16-123

objects such as ANY_EXTERNAL and user‐defined object names are case‐sensitive. Refer to the ip firewall policy command for applicable policy and gating rule limits.

Syntax

ip firewall network-group name name1 ... name10

Syntax of the “no” Form

The no form of this command disables the network group:

no ip firewall network-group name

Mode

Global configuration: 

XSR(config)#

Example

The following example defines the network objects sales and remote‐access and adds both to the network group private‐net. The commands are typed with abbreviated keywords, which the XSR CLI accepts when they are unambiguous (fi for firewall, ma and m for mask, i for internal):

XSR(config)#ip firewall network sales 192.168.100.0 ma 255.255.255.0 i
XSR(config)#ip fi network remote-access 10.1.1.0 m 255.255.255.0 i
XSR(config)#ip firewall network-group private-net sales remote-access

ip firewall policy

This command configures a firewall policy comprised of policy objects. Each object/rule is tagged with a name, and the before and after keywords place the policies in order relative to a named rule. This permits you to enter policies in an order different from the order in which they will be applied.

The XSR firewall enforces a deny all policy by default. So, unless there is a policy object configured 
to allow traffic in a particular direction, packets will not pass through the firewall. This eliminates 
the need to define catch‐all reject policies in each direction.

Policies apply to traffic directed at the router, as well. So, policy objects must be defined to allow 
management traffic into the router. Be aware that the console port is always available for 
management purposes.

A name for any firewall object must use these alpha‐numeric characters only: A ‐ Z (upper or lower case), 0 ‐ 9, - (dash), or _ (underscore). Also, all firewall object names, including pre‐defined objects such as ANY_EXTERNAL and user‐defined object names, are case‐sensitive.

Parameters of the ip firewall network-group command:

name

Network group object name. Limit: 16 characters.

name1 to name10

Name of the network or network‐group objects.

Notes: Citing a policy’s intent in the name is useful if its function is not apparent from the definition.

Internal XSR gating rules, which order traffic filtering, are stored in a temporary file in Flash.
Because there is one gating rule for each network source/destination expansion, a potentially
enormous number of gating rules can be generated by just a single firewall policy. For example,
when a large network that has an ANY_INTERNAL group with 200 network addresses is used as
the source address, and another group of 10 network addresses is used as the destination address,
2000 gating rules are defined for the policy. Accordingly, a limit is applied to their total, depending on
the amount of installed RAM.
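The following is an added illustration, not XSR code, that models the two rules stated on this page: the character set and case‐sensitivity required of firewall object names (with the 16‐character limit and 1 to 10 members of a network group), and the gating rule expansion, one rule per source/destination network pair, including the 200 × 10 = 2000 case above. Because a network group holds at most 10 members, a 200‐network source has to be built from nested groups; the object names (int0, int-g0, big-internal, dst-group) and the addresses are constructed here, and the rule_limit argument is a stand‐in for the RAM‐dependent limit the XSR actually applies, whose value the page does not give.

```python
import re
from typing import Dict, List, Optional, Set

# Naming rule from this page: A-Z, a-z, 0-9, dash, underscore; case-sensitive.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
NETWORK_GROUP_NAME_LIMIT = 16   # 'name' parameter of ip firewall network-group
GROUP_MEMBER_LIMIT = 10         # name1 ... name10


def valid_object_name(name: str, limit: Optional[int] = None) -> bool:
    """True if name uses only the permitted characters (and fits the limit).
    No case folding is done: XSR object names are case-sensitive."""
    return bool(NAME_RE.match(name)) and (limit is None or len(name) <= limit)


class FirewallObjects:
    """Minimal model of network and network-group objects (not XSR code)."""

    def __init__(self) -> None:
        self.networks: Dict[str, str] = {}      # name -> "address mask"
        self.groups: Dict[str, List[str]] = {}  # name -> member object names

    def network(self, name: str, address: str, mask: str) -> None:
        if not valid_object_name(name):
            raise ValueError(f"bad network object name: {name!r}")
        self.networks[name] = f"{address} {mask}"

    def network_group(self, name: str, *members: str) -> None:
        if not valid_object_name(name, NETWORK_GROUP_NAME_LIMIT):
            raise ValueError(f"bad network-group name: {name!r}")
        if not 1 <= len(members) <= GROUP_MEMBER_LIMIT:
            raise ValueError("a network-group takes 1 to 10 member objects")
        for m in members:                       # exact-case lookup, as on the XSR
            if m not in self.networks and m not in self.groups:
                raise KeyError(f"unknown network or network-group object {m!r}")
        self.groups[name] = list(members)

    def expand(self, name: str) -> Set[str]:
        """Flatten a network or (nested) network-group into its leaf networks."""
        leaves: Set[str] = set()
        visited: Set[str] = set()
        stack = [name]
        while stack:
            n = stack.pop()
            if n in visited:
                continue
            visited.add(n)
            if n in self.networks:
                leaves.add(self.networks[n])
            elif n in self.groups:
                stack.extend(self.groups[n])
            else:
                raise KeyError(f"unknown object {n!r}")
        return leaves

    def gating_rules(self, source: str, destination: str) -> int:
        """One gating rule per source/destination network pair."""
        return len(self.expand(source)) * len(self.expand(destination))


def build_example() -> FirewallObjects:
    """Constructed data: a 200-network source group (nested, since a group
    holds at most 10 members) and a 10-network destination group."""
    objs = FirewallObjects()
    for i in range(200):                        # 200 internal networks
        objs.network(f"int{i}", f"10.{i // 256}.{i % 256}.0", "255.255.255.0")
    for g in range(20):                         # 20 groups of 10 networks
        objs.network_group(f"int-g{g}", *[f"int{g * 10 + k}" for k in range(10)])
    objs.network_group("int-top0", *[f"int-g{g}" for g in range(10)])
    objs.network_group("int-top1", *[f"int-g{g}" for g in range(10, 20)])
    objs.network_group("big-internal", "int-top0", "int-top1")  # stands in for ANY_INTERNAL
    for i in range(10):                         # 10 destination networks
        objs.network(f"dst{i}", f"192.168.{i}.0", "255.255.255.0")
    objs.network_group("dst-group", *[f"dst{i}" for i in range(10)])
    return objs


def check_policy(objs: FirewallObjects, source: str, destination: str,
                 rule_limit: int) -> dict:
    """rule_limit is a constructed stand-in for the RAM-dependent XSR limit."""
    n = objs.gating_rules(source, destination)
    return {"gating_rules": n, "within_limit": n <= rule_limit}


if __name__ == "__main__":
    objs = build_example()
    print(check_policy(objs, "big-internal", "dst-group", rule_limit=1500))
```

Running the check before committing a policy shows why a single policy between two broad groups is expensive: the source and destination counts multiply, so splitting a 200‐network group into the few networks a policy really needs cuts the gating rule count by the same factor.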