Configuring Icmp Drop Rules; Configuring Tcp Connection Rules - OmniSwitch os6900 Network Configuration Manual

Configuring QoS

Configuring ICMP Drop Rules

Combining a Layer 2 condition for source VLAN with a Layer 3 condition for IP protocol is supported. In
addition, two new condition parameters are available to provide more granular filtering of ICMP packets:
icmptype and icmpcode. Use these two conditions together in a policy to block ICMP echo request and
reply packets without impacting switch performance.
The following example defines an ACL policy that prevents users from pinging by dropping echo request
ICMP packets at the source port:
-> policy condition pingEchoRequest source vlan 10 icmptype 8
-> policy action drop disposition drop
-> policy rule noping10 condition pingEchoRequest action drop
-> qos apply
Note that the above policy only blocks ICMP echo traffic, all other ICMP traffic is still allowed.

Configuring TCP Connection Rules

Two condition parameters are available for defining a TCP connection ACL policy: established and
tcpflags. An ACL can be defined using the established parameter to identify packets that are part of an
established TCP connection and allow forwarding of the packets to continue. When this parameter is
invoked, TCP header information is examined to determine if the ack or rst flag bit is set. If this condi-
tion is true, then the connection is considered established.
The following is an example ACL policy using the established condition parameter:
policy condition c destination ip 192.168.10.0 mask 255.255.255.0 established
policy condition c1 destination ip 192.168.10.0 mask 255.255.255.0
policy action drop disposition drop
policy action allow
policy rule r condition c action allow
policy rule r1 condition c1 action drop
qos apply
This example ACL policy prevents any TCP connection from being initiated to the 192.168.10.0 network
and all other IP traffic to the 192.168.10.0 network. Only TCP connections initiated from the 192.168.10.0
network are allowed.
Note that the above example ACL would prevent FTP sessions. See the
command page in the OmniSwitch CLI Reference Guide for more information.
An ACL can also be defined using the tcpflags parameter to examine and qualify specific TCP flags indi-
vidually or in combination with other flags. This parameter can be used to prevent specific DOS attacks,
such as the christmas tree.
The following example use the tcpflags condition parameter to determine if the F (fin) and S (syn) TCP
flag bits are set to one and the A (ack) bit is set to zero:
-> policy condition c1 tcpflags all f s mask f s a
In this example, a match must occur on all the flags or the packet is not allowed. If the optional command
keyword any was used, then a match need only occur on any one of the flags. For example, the following
condition specifies that either the A (ack) bit or the R (rst) bit must equal one:
-> policy condition c1 tcpflags any a r mask a r
OmniSwitch AOS Release 7 Network Configuration Guide
policy condition established
June 2013
Using Access Control Lists
page 25-69