ADTRAN AOS Version R10.1.0 Command Reference Manual page 1207

Adtran operating system (aos)

Command Reference Guide
Global Configuration Mode Command Set
Functional Notes
In AOS firmware release R10.1.0, the ability to configure IPv6 firewall filtering behavior was introduced.
The ordinary filtering behavior of the IPv6 firewall is to restrict permitted return traffic to the exact source
and destination IP addresses and ports of the initial traffic flow. This is called address- and port-dependent
filtering. In some applications, including TFTP, the external traffic generated as part of the application can
respond from a different external port than the one specified in the firewall configuration. This traffic might
not be allowed to traverse the firewall, depending on the configured access control policy (ACP) rules. If
available, an ALG could be used to accommodate such an application. The ALG would parse the
application layer payload for traffic from the initiating host, and create an appropriate pending policy
session to allow the expected response. With the release of R10.1.0, the IPv6 firewall incorporates two
additional configurable filtering behaviors that can take the place of such ALGs for certain applications.
The first additional method of firewall filtering is using address-dependent filtering. In this type of filtering,
return traffic from an external host to the initiating internal host is allowed from any port, but traffic
originating from any other external host will continue to be blocked. The second additional method of
firewall filtering is using endpoint-independent filtering. In this type of filtering, any external host can
respond to traffic from the initiating host from any port.
For more information about the configuration and use of IPv6 firewall filtering behaviors, refer to the
configuration guide Using IPv6 in AOS, available online at https://supportforums.adtran.com (article number 3505).
Usage Examples
The following example specifies that on the default VRF instance TCP port 10000 and UDP port 40 are
filtered by endpoint-independent filtering and that TCP port 20000 and UDP port 30 are filtered by
address-dependent filtering:
(config)#ipv6 firewall filtering-behavior tcp 10000 endpoint-independent
(config)#ipv6 firewall filtering-behavior tcp 20000 address-dependent
(config)#ipv6 firewall filtering-behavior udp 30 address-dependent
(config)#ipv6 firewall filtering-behavior udp 40 endpoint-independent
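
The three filtering behaviors from the functional notes, modeled as a return-traffic check for the TFTP case they mention. This is an added example, not ADTRAN code or a description of AOS internals: `Flow`, `return_allowed`, `evaluate` and the sample addresses and ports are constructed for illustration, and the model assumes a packet must still target the initiating host's own address and port.

```python
import ipaddress
from collections import namedtuple

# The three filtering behaviors described in the functional notes.
ADDR_PORT_DEP = "address-and-port-dependent"   # ordinary behavior
ADDR_DEP = "address-dependent"
ENDPOINT_INDEP = "endpoint-independent"

# Session state recorded when an internal host initiates traffic (hypothetical model).
Flow = namedtuple("Flow", "proto int_addr int_port ext_addr ext_port")

def same_addr(a, b):
    # Compare parsed addresses so "2001:db8::1" equals "2001:0db8:0:0:0:0:0:1".
    return ipaddress.ip_address(a) == ipaddress.ip_address(b)

def return_allowed(flow, behavior, proto, src_addr, src_port, dst_addr, dst_port):
    """Return True if an inbound packet is accepted as return traffic for `flow`."""
    # Assumption: every behavior still requires the packet to target the
    # initiating host's own address and port with the same protocol.
    if proto != flow.proto or dst_port != flow.int_port or not same_addr(dst_addr, flow.int_addr):
        return False
    if behavior == ENDPOINT_INDEP:      # any external host, any port
        return True
    if not same_addr(src_addr, flow.ext_addr):
        return False                    # other external hosts stay blocked
    if behavior == ADDR_DEP:            # same external host, any port
        return True
    if behavior == ADDR_PORT_DEP:       # exact address and port only
        return src_port == flow.ext_port
    raise ValueError(f"unknown filtering behavior: {behavior}")

# Constructed sample: a TFTP client sends its request to UDP port 69 and the
# server answers from a different port (addresses use the documentation prefix).
TFTP = Flow("udp", "2001:db8:a::10", 50000, "2001:db8:b::69", 69)
PACKETS = {
    "server, original port": ("udp", "2001:db8:b::69", 69, "2001:db8:a::10", 50000),
    "server, new port": ("udp", "2001:0db8:000b::0069", 49152, "2001:db8:a::10", 50000),
    "other host": ("udp", "2001:db8:c::1", 49152, "2001:db8:a::10", 50000),
}

def evaluate(behavior):
    """Map each constructed inbound packet to the model's allow/deny decision."""
    return {name: return_allowed(TFTP, behavior, *pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for b in (ADDR_PORT_DEP, ADDR_DEP, ENDPOINT_INDEP):
        print(b, evaluate(b))
```

In this model only the ordinary behavior drops the TFTP server's reply from its new port, and only endpoint-independent filtering admits the unrelated external host.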
60000CRG0-35E
Copyright © 2012 ADTRAN, Inc.