ADTRAN AOS Version R10.1.0 Command Reference Manual page 3149

Adtran operating system (aos)

Command Reference Guide
allow reverse list
Use the allow reverse list command to specify an Internet Protocol version 4 (IPv4) access control list
(ACL) to determine which packets are allowed to enter the interface to which the IPv4 access control
policy (ACP) is assigned, and create a firewall association in the firewall. The allow reverse list command
is identical in function to the allow list command with the exception of the reverse keyword. The reverse
keyword instructs the firewall to use the source information as the destination information and vice versa
when attempting matches against the specified IPv4 ACL. This command is most useful when the IPv4
ACP is applied to an interface terminating a virtual private network (VPN) tunnel. The allow reverse list
command allows reuse of the IPv4 ACL already defined as the VPN selector.
Variations of this command include:
allow reverse list <ipv4 acl name>
allow reverse list <ipv4 acl name> policy <ipv4 acp name>
allow reverse list <ipv4 acl name> policy <ipv4 acp name> stateless
allow reverse list <ipv4 acl name> self
allow reverse list <ipv4 acl name> self stateless
allow reverse list <ipv4 acl name> stateless
Syntax Description
<ipv4 acl name>
    Specifies the IPv4 ACL against which to check traffic before allowing
    packets to enter the interface. All packets not matched by the IPv4 ACL will
    be processed by the next IPv4 ACP entry or implicitly discarded if no further
    IPv4 ACP entries exist.
policy <ipv4 acp name>
    Optional. Specifies the destination IPv4 ACP against which to match traffic.
    The firewall attempts to match the specified IPv4 ACP with the IPv4 ACP
    that is applied to the packet's egress interface as determined by the routing
    table or policy-based routing configuration. If there is a match, the firewall
    will process the packet. If there is no match, the firewall will process the
    packet based on the next IPv4 ACP entry or implicitly discard it if no further
    IPv4 ACP entries exist.
self
    Optional. Allows packets to pass that are permitted by the IPv4 ACL and
    destined for any local interface on the unit. These packets are terminated by
    the unit and are not routed or forwarded to other destinations. Using the
    self keyword is helpful when opening up remote administrative access to
    the unit (Telnet, secure shell (SSH), Internet Control Message Protocol
    (ICMP), Web-based graphical user interface (GUI)).
stateless
    Optional. Enables bypassing of stateful firewall processing and
    application-level gateways (ALGs). Use for trusted traffic or traffic that the
    firewall is incorrectly blocking as a perceived attack. Stateless processing is
    helpful when passing traffic over VPN tunnels. Traffic sent over VPN tunnels
    is purposely selected and encrypted; there is no need for additional
    inspection of the traffic by the firewall. VPN configurations created using the
    VPN Wizard in the GUI use stateless processing by default.
Default Values
By default, all AOS security features are disabled and there are no configured IPv4 ACP entries.
IPv4 Access Control Policy Command Set
60000CRG0-35E
Copyright © 2012 ADTRAN, Inc.
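The effect of the reverse keyword can be seen in a small Python model. This is an added example, not AOS code or ADTRAN's implementation. The addresses, the permit-only ACL and the names acl_matches and evaluate_acp are assumptions made for illustration.

```python
# Simplified model (added example, not AOS code) of how an IPv4 ACP walks its
# entries and how the reverse keyword changes matching against an IPv4 ACL.
from ipaddress import ip_address, ip_network

# Constructed VPN selector ACL, written from the local side of the tunnel:
# permit local LAN (source) -> remote LAN (destination).
VPN_SELECTOR = [(ip_network("10.10.10.0/24"), ip_network("10.10.20.0/24"))]


def acl_matches(acl, src, dst, reverse=False):
    """Return True if any permit entry matches the packet.

    With reverse=True the packet's source is used as the destination and
    vice versa, which is what the reverse keyword instructs the firewall to do.
    """
    if reverse:
        src, dst = dst, src
    s, d = ip_address(src), ip_address(dst)
    return any(s in src_net and d in dst_net for src_net, dst_net in acl)


def evaluate_acp(entries, src, dst):
    """Walk ACP entries in order; the first matching allow entry wins.

    A packet not matched by an entry falls through to the next entry and is
    implicitly discarded when no further entries exist.
    """
    for acl, reverse in entries:
        if acl_matches(acl, src, dst, reverse):
            return "allow"
    return "discard"


# ACP applied to the interface terminating the VPN tunnel (constructed).
ACP_ALLOW_LIST = [(VPN_SELECTOR, False)]     # models: allow list <acl>
ACP_ALLOW_REVERSE = [(VPN_SELECTOR, True)]   # models: allow reverse list <acl>

# Constructed sample packets entering that interface.
INBOUND = ("10.10.20.5", "10.10.10.7")    # remote LAN -> local LAN
UNRELATED = ("192.0.2.9", "10.10.10.7")   # source outside the selector

if __name__ == "__main__":
    for name, acp in (("allow list", ACP_ALLOW_LIST),
                      ("allow reverse list", ACP_ALLOW_REVERSE)):
        for pkt in (INBOUND, UNRELATED):
            print(f"{name:20} {pkt[0]:>12} -> {pkt[1]:<12} {evaluate_acp(acp, *pkt)}")
```

Traffic arriving from the tunnel has the selector's destination as its source, so the unreversed entry never matches it, while the reversed entry allows it and still discards packets outside the selector.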
