Extreme Networks ExtremeWare 7.2e Installation And User Manual page 149

Software version 7.2e
Figure 23: Host A initiates a TCP session to host B
An access list that uses the permit-established keyword filters the SYN packet in one direction.
Use the permit-established keyword to allow only host A to establish a TCP session to host B,
and to prevent any TCP session from being initiated by host B, as illustrated in Figure 23. The
commands for this access control list are as follows:
create access-mask tcp_connection_mask ipprotocol dest-ip/32 dest-L4port permit-established ports precedence 1000
create access-list telnet-deny tcp_connection_mask ipprotocol tcp dest-ip 10.10.10.100/32 dest-L4port 23 ports 10 permit-established
NOTE
This step may not be intuitive. Pay attention to the destination and source addresses, the ingress port that
the rule is applied to, and the desired effect.
NOTE
This rule has a higher precedence than the rules "tcp2_1" and "tcp1_2".
Figure 24 shows the final outcome of this access list.
Figure 24: Permit-established access list filters out SYN packet to destination
10.10.10.100
Example 2: Filter ICMP Packets
This example creates an access list that filters out ping (ICMP echo request) packets. ICMP echo request packets are
defined as type 8 code 0.
The commands to create this access control list are as follows:
create access-mask icmp_mask ipprotocol icmp-type icmp-code
create access-list denyping icmp_mask ipprotocol icmp icmp-type 8 icmp-code 0 deny
The output for this access list is shown in Figure 25.
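To make the matching behaviour of both examples concrete, the following is an added Python model of the two access lists (telnet-deny with permit-established, and denyping). It is not ExtremeWare code: the rule fields, the assumption that a lower precedence number is evaluated first, and the assumption that permit-established admits only TCP packets carrying ACK or RST (so a bare SYN is dropped) are modelling choices made here, and denyping's precedence value is constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of this page's two ACLs, not ExtremeWare code. Assumed:
# lower precedence number wins, and permit-established permits only TCP packets
# carrying ACK or RST, so a bare SYN (a new session attempt) is dropped.
@dataclass
class Packet:
    proto: str                          # "tcp", "udp" or "icmp"
    dst_ip: str
    ingress_port: int
    dst_l4port: Optional[int] = None
    tcp_flags: frozenset = frozenset()  # e.g. {"SYN"} or {"ACK"}
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

@dataclass
class Rule:
    name: str
    action: str                         # "permit", "deny" or "permit-established"
    precedence: int
    proto: Optional[str] = None         # None in any match field is a wildcard
    dst_ip: Optional[str] = None
    dst_l4port: Optional[int] = None
    ports: Optional[frozenset] = None   # ingress ports the rule is applied to
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the ingress port and every selected header field agree."""
    if rule.ports is not None and pkt.ingress_port not in rule.ports:
        return False
    return all(getattr(rule, f) is None or getattr(rule, f) == getattr(pkt, f)
               for f in ("proto", "dst_ip", "dst_l4port", "icmp_type", "icmp_code"))

def evaluate(rules: list, pkt: Packet, default: str = "permit") -> str:
    """Apply the first matching rule in precedence order, else the default."""
    for rule in sorted(rules, key=lambda r: r.precedence):
        if not matches(rule, pkt):
            continue
        if rule.action == "permit-established":   # ACK or RST set => established
            return "permit" if pkt.tcp_flags & {"ACK", "RST"} else "deny"
        return rule.action
    return default

# The two access lists on this page; denyping's precedence 2000 is constructed.
ACLS = [
    Rule("telnet-deny", "permit-established", 1000, proto="tcp",
         dst_ip="10.10.10.100", dst_l4port=23, ports=frozenset({10})),
    Rule("denyping", "deny", 2000, proto="icmp", icmp_type=8, icmp_code=0),
]
```

Running evaluate(ACLS, ...) on a SYN-only telnet packet arriving on port 10 for 10.10.10.100 yields "deny", while the ACK-bearing packets of an established session yield "permit", which is the one-directional filtering Figure 24 shows.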
[Diagram residue from Figure 23 and Figure 24 (drawing ids EW_036, EW_037): Host A and Host B (10.10.20.100); packet labels SYN, SYN / ACK, ACK, SYN]
ExtremeWare 7.2e Installation and User Guide, IP Access Lists (ACLs), page 149