Ip Filter Policy Rules; Supported Services - HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual
Hp storageworks fabric os 6.1.1 administrator guide (5697-0235, december 2009)
Hide thumbs
Also See for A7533A - Brocade 4Gb SAN Switch Base:
- Administrator's manual (576 pages) ,
- Hardware reference manual (256 pages) ,
- User manual (248 pages)
Table of Contents
Advertisement
1.
Log in to the switch using an account assigned to the admin role.
2.
Issue the following command:
ipfilter –delete <policyname>
where
<policyname>
3.
To permanently delete the policy, issue the following command:
ipfilter --save
IP Filter policy rules
An IP Filter policy consists of a set of rules. Each rule has an index number identifying the rule. There is a
maximum of 256 rules within an IP Filter policy.
Each rule contains the following elements:
•
Source Address: A source IP address or a group prefix.
•
Destination Port: The destination port number or name, such as: Telnet, SSH, HTTP, HTTPS.
•
Protocol: The protocol type. Supported types are TCP or UDP.
•
Action: The filtering action taken by this rule, Permit or Deny.
For an IPv4 filter policy, the source address has to be a 32-bit IPv4 address in dot decimal notation. The
group prefix has to be a CIDR block prefix representation. For example, 208.130.32.0/24 represents a
24-bit IPv4 prefix starting from the most significant bit. The special prefix 0.0.0.0/0 matches any IPv4
address. In addition, the keyword any is supported to represent any IPv4 address.
For an IPv6 filter policy, the source address has to be a 128-bit IPv6 address, in a format acceptable in RFC
3513. The group prefix has to be a CIDR block prefix representation. For example, 12AB:0:0:CD30::/64
represents a 64-bit IPv6 prefix starting from the most significant bit. In addition, the keyword any is
supported to represent any IPv6 address.
For the destination port, a single port number or a port number range can be specified. According to
IANA (http://www.iana.org), ports 0 to 1023 are well-known port numbers, ports 1024 to 49151 are
registered port numbers, and ports 49152 to 65535 are dynamic or private port numbers. Well-known and
registered ports are normally used by servers to accept connections, while dynamic port numbers are used
by clients.
For an IP Filter policy rule, users can only select port numbers in either the well known or the registered port
number range, between 0 and 49151, inclusive. This means that customers have the ability to control how
to expose the management services hosted on a switch, but not the ability to affect the management traffic
that is initiated from a switch. A valid port number range is represented by a dash, for example 7-30.
Alternatively, service names can also be used instead of port number.
names and their corresponding port number.
Table 30
Supported services
Service name
https
rpc
secure rpc
snmp
ssh
sunprc
telnet
www
TCP and UDP protocols are valid selections. Fabric OS 5.3.0 and later does not support configuration to
filter other protocols. Implicitly, ICMP type 0 and type 8 packets are always allowed to support ICMP echo
request and reply on commands like ping and traceroute. For the action, only "permit" and "deny" are
valid.
126 Configuring advanced security features
is the name of the policy.
Port number
443
897
898
161
22
1 1 1
23
80
Table 30
lists the supported service
Advertisement
Table of Contents
