Brocade 5600 vRouter Firewall Configuration Guide
53-1004253-01

TABLE 6 Excluding an address (continued)

Step: Show the configuration.
Command:
vyatta@R1# show security firewall
name NEGATED-EXAMPLE {
    rule 10 {
        action accept
        description "Allow all traffic from LAN except to server 192.168.1.100"
        destination {
            address !192.168.1.100
        }
        source {
            address 172.16.1.0/24
        }
    }
}
vyatta@R1# show interfaces dataplane dp0p1p1
address 172.16.1.1/24
firewall {
    in NEGATED-EXAMPLE
}

Matching TCP flags

The vRouter supports filtering on the TCP flags within TCP packets. For example, to create a rule that accepts packets with the SYN flag set and the ACK, FIN, and RST flags unset, perform the following steps in configuration mode.

TABLE 7 Accepting packets with specific TCP flags set

Step: Set the protocol to match to TCP.
Command:
vyatta@R1# set security firewall name TCP-FLAGS rule 30 protocol tcp

Step: Set the TCP flags to match.
Command:
vyatta@R1# set security firewall name TCP-FLAGS rule 30 tcp flags SYN,!ACK,!FIN,!RST

Step: Set the action to accept.
Command:
vyatta@R1# set security firewall name TCP-FLAGS rule 30 action accept

Step: Commit the configuration.
Command:
vyatta@R1# commit

Step: Show the configuration.
Command:
vyatta@R1# show security firewall name TCP-FLAGS
rule 30 {
    action accept
    protocol tcp
    tcp {
        flags SYN,!ACK,!FIN,!RST
    }
}
vyatta@R1#

Configuration Examples
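To make the match semantics of the two rule sets on this page concrete (the negated destination address in NEGATED-EXAMPLE and the flag list in TCP-FLAGS), here is an added Python evaluator. It is example code written for this page, not code from the Brocade guide or the vRouter itself. It assumes: a leading "!" on an address or flag inverts that single criterion; every configured criterion of a rule must hold for the rule to match; rules are tried in rule-number order and the first match decides; a packet matching no rule gets an assumed default action of "drop"; and the flag parser accepts PSH and URG in addition to the SYN, ACK, FIN and RST names shown on the page. The Packet and Rule classes and the evaluate function are hypothetical helpers for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Flag names accepted by the parser. The page shows SYN, ACK, FIN and RST;
# PSH and URG are assumed here to round out the standard TCP flag set.
TCP_FLAG_NAMES = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})


def parse_flag_spec(spec: str) -> Tuple[frozenset, frozenset]:
    """Split 'SYN,!ACK,!FIN,!RST' into (must-be-set, must-be-clear) sets."""
    required, forbidden = set(), set()
    for token in spec.split(","):
        token = token.strip().upper()
        negated = token.startswith("!")
        name = token[1:] if negated else token
        if name not in TCP_FLAG_NAMES:
            raise ValueError(f"unknown TCP flag {name!r} in {spec!r}")
        (forbidden if negated else required).add(name)
    clash = required & forbidden
    if clash:
        raise ValueError(f"flag(s) both required and forbidden: {sorted(clash)}")
    return frozenset(required), frozenset(forbidden)


def flags_match(spec: str, packet_flags) -> bool:
    """True when every required flag is set and no forbidden flag is set."""
    required, forbidden = parse_flag_spec(spec)
    flags = {f.upper() for f in packet_flags}
    return required <= flags and not (forbidden & flags)


def address_match(spec: str, addr: str) -> bool:
    """Match a host or prefix; a leading '!' inverts the result (assumed semantics)."""
    negated = spec.startswith("!")
    network = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    inside = ipaddress.ip_address(addr) in network
    return inside != negated


@dataclass(frozen=True)
class Packet:  # hypothetical helper: the fields a rule inspects
    src: str
    dst: str
    protocol: str
    tcp_flags: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Rule:  # hypothetical helper: one numbered rule of a firewall name
    number: int
    action: str
    source: Optional[str] = None
    destination: Optional[str] = None
    protocol: Optional[str] = None
    tcp_flags: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        # Every configured criterion must hold; unset criteria match anything.
        if self.source and not address_match(self.source, pkt.src):
            return False
        if self.destination and not address_match(self.destination, pkt.dst):
            return False
        if self.protocol and self.protocol != pkt.protocol:
            return False
        if self.tcp_flags and not (
            pkt.protocol == "tcp" and flags_match(self.tcp_flags, pkt.tcp_flags)
        ):
            return False
        return True


def evaluate(rules, pkt: Packet, default: str = "drop") -> str:
    """First matching rule in rule-number order decides; else the assumed default."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action
    return default


# The two rule sets from this page, transcribed into Rule objects.
NEGATED_EXAMPLE = [Rule(10, "accept", source="172.16.1.0/24", destination="!192.168.1.100")]
TCP_FLAGS = [Rule(30, "accept", protocol="tcp", tcp_flags="SYN,!ACK,!FIN,!RST")]

if __name__ == "__main__":
    # Constructed sample packets; addresses and flag sets are made up for the demo.
    print(evaluate(NEGATED_EXAMPLE, Packet("172.16.1.10", "192.168.1.5", "tcp")))     # accept
    print(evaluate(NEGATED_EXAMPLE, Packet("172.16.1.10", "192.168.1.100", "tcp")))   # drop
    print(evaluate(TCP_FLAGS, Packet("10.0.0.1", "10.0.0.2", "tcp", ("SYN",))))       # accept
    print(evaluate(TCP_FLAGS, Packet("10.0.0.1", "10.0.0.2", "tcp", ("SYN", "ACK"))))  # drop
```

The flag spec is split into a required set and a forbidden set rather than compared as a bitmask, so a SYN/ACK reply, a bare ACK, or a packet with no flags at all fails the TCP-FLAGS rule while a lone SYN passes; a spec that both requires and forbids the same flag (for example "SYN,!SYN") is rejected at parse time instead of silently never matching.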