Efficient Networks Router family Command Line Interface Manual page 470

Chapter 18: Stateful Firewall Commands
The packet must have a destination IP address within the specified address range.
If only one address is specified, the packet must have that destination IP address.
If no destination IP address is specified, the firewall rule matches any valid IPv4
address.
-sa <first source ip addr>[:<last source ip addr>]
The packet must have a source IP address within the specified address range. If
only one address is specified, the packet must have that source IP address. If no
source IP address is specified, the firewall rule matches any valid IPv4 address.
-sm <source ip mask>
The firewall rule uses the specified mask when comparing the
<first source ip addr>...<last source ip addr> with the source IP address in the IP
packet. If no source mask is specified, the mask used is 255.255.255.255.
-dm <dest ip mask>
The firewall rule uses the specified mask when comparing the
<first dest ip addr>...<last dest ip addr> with the destination IP address in the IP
packet. If no destination mask is specified, the mask used is 255.255.255.255.
Specify one of these options to determine when watch messages are displayed for this firewall
rule. The messages are sent to the console serial port and a Syslog server, if configured.
-q | -v
If -q (quiet) is specified, no messages are displayed for this firewall rule, even if the rule
causes a packet to be dropped. This is the default setting for firewall allow rules.
If -v (verbose) is specified, a message is displayed every time this firewall rule matches a
packet, regardless of the rule action.
Specify one of these options to specify the direction of the packet to which the firewall rule is
applied. If no direction parameter is specified, the direction is defaulted to both.
in | out
Examples
The following examples assume that the LAN nodes behind the router are on the
subnet 192.168.1.0 with a subnet mask of 255.255.255.0. The router has a WAN
address of 12.10.1.1.
The following example will allow the machines behind the router to FTP to any
machine on the internet.
-> firewall allow -a FTP -sa 192.168.1.0 -sm 255.255.255.0 -d out
The following example will allow the machines behind the router to FTP to any one
particular machine (64.12.11.1) on the internet.
-> firewall allow -a FTP -sa 192.168.1.0 -sm 255.255.255.0 -da 64.12.11.1 -d out
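Added example (not from the manual or the router firmware): a Python model of the address, mask and direction matching described above, run against the second example rule with and without -sm. It assumes the mask is ANDed onto both the packet address and the range endpoints before comparison; the function names, dict keys and sample packets are constructed for illustration, and -a FTP protocol matching is not modelled.

```python
import ipaddress

FULL_MASK = "255.255.255.255"  # default mask stated in the manual

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def addr_matches(packet_addr, addr_range=None, mask=FULL_MASK):
    # addr_range is "first" or "first:last", as in -sa / -da.
    # None models an omitted option, which matches any valid IPv4 address.
    if addr_range is None:
        return True
    # Assumption: the mask is applied to the packet address and to both
    # range endpoints, then an inclusive range comparison is made.
    first, _, last = addr_range.partition(":")
    m = _to_int(mask)
    lo = _to_int(first) & m
    hi = _to_int(last or first) & m
    return lo <= (_to_int(packet_addr) & m) <= hi

def rule_matches(packet, rule):
    # rule is a hypothetical dict keyed by option name without the dash.
    direction = rule.get("d", "both")  # manual: direction defaults to both
    if direction != "both" and direction != packet["direction"]:
        return False
    return (addr_matches(packet["src"], rule.get("sa"), rule.get("sm", FULL_MASK))
            and addr_matches(packet["dst"], rule.get("da"), rule.get("dm", FULL_MASK)))

# Second example rule from the manual: LAN hosts may FTP to 64.12.11.1 only.
RULE = {"sa": "192.168.1.0", "sm": "255.255.255.0", "da": "64.12.11.1", "d": "out"}
# Same rule with -sm left out, so the default 255.255.255.255 mask applies.
RULE_NO_MASK = {"sa": "192.168.1.0", "da": "64.12.11.1", "d": "out"}

# Constructed sample packets.
PACKETS = [
    {"src": "192.168.1.25", "dst": "64.12.11.1", "direction": "out"},
    {"src": "192.168.1.25", "dst": "64.12.11.2", "direction": "out"},
    {"src": "192.168.2.25", "dst": "64.12.11.1", "direction": "out"},
    {"src": "192.168.1.25", "dst": "64.12.11.1", "direction": "in"},
]

def evaluate(rule):
    return [rule_matches(p, rule) for p in PACKETS]

if __name__ == "__main__":
    print("with -sm   :", evaluate(RULE))
    print("without -sm:", evaluate(RULE_NO_MASK))
```

Under this model, leaving out -sm makes -sa 192.168.1.0 match only the single address 192.168.1.0, so none of the LAN hosts match the allow rule.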