HP 3500yl Series Access Security Manual page 499

Additional Options for TCP and UDP Traffic. An ACE designed to per-
mit or deny TCP or UDP traffic can optionally include port number criteria
for either the source or destination, or both. Use of TCP criteria also allows
the established option for controlling TCP connection traffic. (For a summary
of the extended ACL syntax options, refer to "Command Summary for
Extended ACLs" on page 10-59 or "Options for TCP and UDP Traffic in
Extended ACLs" on page 10-67.)
Syntax: access-list < 100 - 199 > < deny | permit > < tcp | udp >
< SA > [comparison-operator < tcp/udp-src-port >]
< DA > [comparison-operator < tcp-dest-port >] [established]
< DA > [comparison-operator < udp-dest-port >]
This source-port and destination-port TCP/UDP criteria is iden-
tical to the criteria described for TCP/UDP use in named, extended
ACLs, beginning on page 10-67.
Additional Options for ICMP Traffic. This option is useful where it is
necessary to permit some types of ICMP traffic and deny other types, instead
of simply permitting or denying all types of ICMP traffic. That is, an ACE
designed to permit or deny ICMP traffic can optionally include an ICMP type
and code value to permit or deny an individual type of ICMP packet while not
addressing other ICMP traffic types in the same ACE. As an optional alterna-
tive, the ACE can include the name of an ICMP packet type. (For a summary
of the extended ACL syntax options, refer to table on page 10-59.)
Syntax: access-list < 100 - 199 > < deny | permit > icmp < SA > < DA >
[[ icmp-type [ icmp-code ]] | [ icmp-type-name ]]
The ICMP "type" and "code" criteria are identical to the criteria
described for ICMP in named, extended ACLs, beginning on page
10-70.
IPv4 Access Control Lists (ACLs)
Configuring Extended ACLs
10-79