Security Configuration Command Set
Configuring Access Lists
14-166 Matrix NSA Series Configuration Guide

destination
    Specifies the network or host to which the packet will be sent. Valid options for expressing destination are:
    • IP address (A.B.C.D)
    • any - Any destination host
    • host source - IP address of a single destination host

destination-wildcard
    (Optional) Specifies the bits to ignore in the destination address.

icmp-type
    (Optional) Filters ICMP frames by ICMP message type. The type is a number from 0 to 255.

icmp-code
    (Optional) Further filters ICMP frames filtered by ICMP message type by their ICMP message code. The code is a number from 0 to 255.

operator port
    (Optional) Applies access rules to TCP or UDP source or destination port numbers. Possible operands include:
    • lt port - Match only packets with a lower port number.
    • gt port - Match only packets with a greater port number.
    • eq port - Match only packets on a given port number.
    • neq port - Match only packets not on a given port number.
    • range min-sport max-sport - Match only packets in the range of source ports.
    • range min-dport max-dport - Match only packets in the range of destination ports.

tos-extensions
    (Optional) Applies access rules to the precedence and/or tos fields, or to the DiffServ field. That is, you can specify one or both precedence and tos fields, or you can specify the DiffServ field. Use the following keyword/value pairs to specify the tos-extensions:
    • precedence value (0-7) - Match packets based on the IP precedence value.
    • tos value (0-15) - Match packets based on the IP Type of Service value.
    • dscp value (0-63) - Match packets based on the Diffserv codepoint value.

established
    (Optional) Applies TCP restrictions to established connections only.
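The following Python sketch is an added example, not code from the configuration guide or the device. It checks a rule against the value ranges and the tos-extensions combination rule listed above, and shows how a destination wildcard and a port operator decide a match. The rule dictionary layout and all function names are hypothetical, the sample addresses are constructed, and `range` is assumed to include both endpoints.

```python
import ipaddress

# Value ranges stated in the parameter descriptions above.
RANGES = {"icmp_type": (0, 255), "icmp_code": (0, 255),
          "precedence": (0, 7), "tos": (0, 15), "dscp": (0, 63)}

# operator port: the five operators listed in the table.
PORT_OPS = {
    "lt": lambda p, a: p < a[0],
    "gt": lambda p, a: p > a[0],
    "eq": lambda p, a: p == a[0],
    "neq": lambda p, a: p != a[0],
    "range": lambda p, a: a[0] <= p <= a[1],  # assumption: inclusive bounds
}

def validate(rule):
    """Return a list of problems found in a rule dict (hypothetical format)."""
    problems = []
    for key, (lo, hi) in RANGES.items():
        if key in rule and not lo <= rule[key] <= hi:
            problems.append(f"{key} {rule[key]} outside {lo}-{hi}")
    # precedence and/or tos may be combined; dscp is the alternative to both.
    if "dscp" in rule and ("precedence" in rule or "tos" in rule):
        problems.append("dscp cannot be combined with precedence/tos")
    return problems

def dest_matches(rule, dst_ip):
    """destination + destination-wildcard: bits set in the wildcard are ignored."""
    if rule["destination"] == "any":
        return True
    want = int(ipaddress.IPv4Address(rule["destination"]))
    wild = int(ipaddress.IPv4Address(rule.get("wildcard", "0.0.0.0")))
    care = ~wild & 0xFFFFFFFF  # bits that must be equal
    return (int(ipaddress.IPv4Address(dst_ip)) & care) == (want & care)

def port_matches(op, args, port):
    """Apply one of lt, gt, eq, neq, range to a packet's port number."""
    return PORT_OPS[op](port, args)

def matches(rule, dst_ip, dport):
    """True if the packet's destination and destination port satisfy the rule."""
    if not dest_matches(rule, dst_ip):
        return False
    return "port_op" not in rule or port_matches(rule["port_op"], rule["port_args"], dport)

# Constructed sample rule: any host in 192.0.2.0 with the last octet ignored.
SAMPLE = {"destination": "192.0.2.0", "wildcard": "0.0.0.255",
          "port_op": "range", "port_args": [1024, 2048], "dscp": 46}

if __name__ == "__main__":
    print(validate(SAMPLE), matches(SAMPLE, "192.0.2.77", 1500))
```

Running `validate` over a rule set before it is loaded catches out-of-range values and a `dscp` keyword mixed with `precedence` or `tos`, both of which would otherwise leave a filter that does not express what the author intended.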