HP ProCurve 7102dl Reference Manual page 429

SROS Command Line Interface Reference Guide
allow list (continued)

self
When the self keyword is applied, packets permitted by the ACL destined for any
local interface on the unit will be allowed. These packets are terminated by the
unit and are not routed or forwarded to other destinations. Using the self keyword
is helpful when opening up remote administrative access to the unit (Telnet, SSH,
ICMP, Web GUI).

stateless
When the stateless keyword is applied, traffic is not subject to the built-in firewall
timers. Stateless traffic bypasses the application-level gateways (ALGs). Stateless
processing is helpful when passing traffic over VPN tunnels. Traffic sent over VPN
tunnels is purposely selected and encrypted; there is no need to firewall the traffic
as well. VPN configurations created using the VPN Wizard in the Web GUI use
stateless processing by default.

allow reverse list
The allow reverse list command is identical in function to the allow list
command with the exception of the reverse keyword. The reverse keyword
instructs the firewall to use the source information as the destination information
and vice versa in the specified ACL.

discard list
All packets permitted by the ACL will be explicitly discarded upon entering the
interface that the policy class is assigned to. All packets denied by the ACL will be
processed by the next policy class entry or implicitly discarded if no further policy
class entries exist. Possible discard list actions performed by the access policy
are as follows:
discard list <access control list name>
discard list <access control list name> policy <access policy name>
discard list <access control list name> self

policy <access policy name>
When the policy <access policy name> is specified, the firewall attempts to
match the specified access policy with the access policy that is applied to the
packet's egress interface as determined by the routing table or policy-based
routing configuration. If there is a match, the firewall will process the packet. If
there is no match, the firewall will process the packet based on the next policy
class entry or implicitly discard it if no further policy class entries exist.

self
When the self keyword is applied, packets permitted by the access-control list
destined for any local interface on the unit will be implicitly discarded.

nat source list
All packets permitted by the ACL entering the interface to which the policy class is
assigned will translate the source IP address of the packet to the specified
address or interface and an association will be created in the firewall. This
function is commonly referred to as a "many-to-one NAT". All associations created
by the nat source list are subject to the built-in firewall timers (refer to
policy-timeout <protocol> <range> <port> <seconds> on page 433). All
packets denied by the extended access control list will be processed by the next

5991-2114 © Copyright 2007 Hewlett-Packard Development Company, L.P.
Global Configuration Mode Command Set 427
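The evaluation order these entries follow (the first entry whose ACL permits the packet decides, a deny falls through to the next entry, self entries apply only to traffic terminated by the unit, reverse swaps the ACL's source and destination, and the end of the list is an implicit discard) as a small Python model added here for illustration; it is not SROS code, the ACLs, addresses and policy class are constructed, and the policy <access policy name> egress match is not modelled.

```python
from ipaddress import ip_address, ip_network

# Constructed for this example: the addresses of the unit's own interfaces.
LOCAL_ADDRESSES = {"10.10.10.1", "203.0.113.2"}


def acl_permits(acl, src, dst):
    """An ACL is an ordered list of (action, src_net, dst_net); the first matching
    entry decides, and a packet that matches no entry is denied."""
    for action, src_net, dst_net in acl:
        if ip_address(src) in ip_network(src_net) and ip_address(dst) in ip_network(dst_net):
            return action == "permit"
    return False


def evaluate(policy_class, pkt):
    """Walk the policy-class entries in order; the first entry whose ACL permits the
    packet decides, a deny falls through, and the end of the list is an implicit discard."""
    for entry in policy_class:
        src, dst = pkt["src"], pkt["dst"]
        if entry.get("reverse"):  # allow reverse list: source and destination swapped for the ACL test
            src, dst = dst, src
        if not acl_permits(entry["acl"], src, dst):
            continue  # denied by this ACL: next policy-class entry
        if entry.get("self") and pkt["dst"] not in LOCAL_ADDRESSES:
            continue  # 'self' entries cover only traffic terminated by the unit itself
        if entry["kind"] == "nat-source":
            return "allow, source translated to " + entry["to"]
        return entry["kind"]  # "allow" or "discard"
    return "discard"  # implicit discard: no further policy-class entries


# Constructed ACLs: ADMIN matches the management subnet, ANY matches everything.
ADMIN = [("permit", "10.10.10.0/24", "0.0.0.0/0")]
ANY = [("permit", "0.0.0.0/0", "0.0.0.0/0")]

# Constructed policy class for the private interface, one dict per entry:
#   allow list ADMIN self     management hosts may reach the unit itself (SSH, Web GUI)
#   discard list ANY self     any other host that targets the unit itself is dropped
#   nat source list ANY ...   forwarded traffic leaves with one public source address
PRIVATE = [
    {"kind": "allow", "acl": ADMIN, "self": True},
    {"kind": "discard", "acl": ANY, "self": True},
    {"kind": "nat-source", "acl": ANY, "to": "203.0.113.2"},
]

if __name__ == "__main__":
    for src, dst in [("10.10.10.5", "10.10.10.1"), ("10.10.20.5", "10.10.10.1"), ("10.10.20.5", "198.51.100.7")]:
        print(f"{src} -> {dst}: {evaluate(PRIVATE, {'src': src, 'dst': dst})}")
```

Note that the management packet from 10.10.10.5 to an outside host is not covered by the self entries and is only decided by the nat source list entry, which is the fall-through behaviour the text describes.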