HP 7102dl - ProCurve Secure Router Configuration Manual page 266

Procurve secure router 7000dl series - advanced management and configuration guide
Applying Access Control to Router Interfaces
Using ACPs to Control Access to Router Interfaces
5-34
To exclude ICMP traffic from a range of IP addresses to a specific destination,
enter:
ProCurve(config-ext-nacl)# deny icmp <A.B.C.D> <wildcard bits> host <A.B.C.D>
Specifying a Source or Destination Port for TCP and UDP. If you are
configuring ACL entries to select TCP or UDP traffic, you can also specify
source and destination ports—although this is optional. For example, you
could specify the well-known port 80 for HTTP traffic if you wanted to select
HTTP traffic for an action.
There is a drawback to including a port number, however. The Secure Router
OS firewall will match the type of traffic only on that port. If a device transmits
the traffic you are targeting on another port, the firewall will not match that
traffic to your ACL.
To view the options available for specifying ports, enter:
ProCurve(config-ext-nacl)# [permit | deny] [tcp | udp] any ?
In practice, you would use the any keyword only if you want to match all
traffic from a particular port. When you actually enter the permit or deny
command, you can specify any host, a specific host, a specific IP address, or
a range of IP addresses. Then enter the ? help command to view the options
for specifying ports.
Table 5-9 shows the options for specifying ports in an extended ACL.
Table 5-9. Specifying Ports in Extended ACLs

Option                                       Meaning
eq <port number>                             matches a specific port
gt <port number>                             matches all ports that are a larger number than the port number you specify (not including the specified port)
lt <port number>                             matches all ports that are a smaller number than the port number you specify (not including the specified port)
range <first port number last port number>   matches a range of ports
neq <port number>                            matches all ports except the port number you specify
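
The operator semantics in Table 5-9 and the port-matching drawback described above, modeled in Python as an added example (not Secure Router OS code and not part of the original manual). The function names and flow records are constructed for illustration, and treating `range` as including both endpoints is an assumption.

```python
# Added example: a model of the Table 5-9 port operators, not Secure Router OS code.

def parse_port_spec(spec):
    """Return a predicate for a port spec such as 'eq 80' or 'range 8000 8100'."""
    op, *args = spec.split()
    if not args or not all(a.isdigit() for a in args):
        raise ValueError(f"bad port number in {spec!r}")
    ports = [int(a) for a in args]
    if any(p > 65535 for p in ports):
        raise ValueError(f"port out of range in {spec!r}")
    if op == "range":
        if len(ports) != 2 or ports[0] > ports[1]:
            raise ValueError(f"range needs first <= last in {spec!r}")
        first, last = ports
        return lambda p: first <= p <= last   # assumption: endpoints included
    if len(ports) != 1:
        raise ValueError(f"{op} takes exactly one port in {spec!r}")
    n = ports[0]
    tests = {
        "eq": lambda p: p == n,    # the specified port only
        "gt": lambda p: p > n,     # larger ports, specified port excluded
        "lt": lambda p: p < n,     # smaller ports, specified port excluded
        "neq": lambda p: p != n,   # every port except the specified one
    }
    if op not in tests:
        raise ValueError(f"unknown operator in {spec!r}")
    return tests[op]

# Constructed sample flows: (source address, destination port, application).
FLOWS = [
    ("192.0.2.10", 80, "http"),
    ("192.0.2.11", 8080, "http"),   # same application on a non-standard port
    ("192.0.2.12", 443, "https"),
]

def missed(spec, app, flows=FLOWS):
    """Flows of the given application that the port spec fails to select."""
    match = parse_port_spec(spec)
    return [f for f in flows if f[2] == app and not match(f[1])]

if __name__ == "__main__":
    # 'eq 80' selects HTTP on port 80 only; the port 8080 flow slips past the entry.
    print(missed("eq 80", "http"))
    print(missed("range 80 8080", "http"))
```

Running `missed` against a list of ports actually observed on the network shows which flows an entry with a port number would leave unmatched before the ACL is applied.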

This manual is also suitable for:

Procurve secure router 7203dl j8753a j8753a
