Dell PowerConnect B-RX Configuration Manual page 600

21
Configuring numbered and named ACLs
<operator>
<source-tcp/udp-port>
<destination-tcp/udp-port>
match-all <tcp-flags>
match-any <tcp-flags>
Filtering traffic with ICMP packets
Use the following parameters if you want to filter traffic that contains ICMP packets. These
parameters apply only if you specified icmp as the <ip-protocol> value.
528
Specifies a comparison operator for the TCP or UDP port number. You can enter one
of the following operators:
•
eq – The policy applies to the TCP or UDP port name or number you enter after
eq.
•
gt – The policy applies to TCP or UDP port numbers greater than the port
number or the numeric equivalent of the port name you enter after gt.
•
lt – The policy applies to TCP or UDP port numbers that are less than the port
number or the numeric equivalent of the port name you enter after lt.
•
neq – The policy applies to all TCP or UDP port numbers except the port number
or port name you enter after neq.
•
range – The policy applies to all TCP or UDP port numbers that are between the
first TCP or UDP port name or number and the second one you enter following
the range parameter. The range includes the port names or numbers you enter.
For example, to apply the policy to all ports between and including 23 (Telnet)
and 53 (DNS), enter the following: range 23 53. The first port number in the
range must be lower than the last number in the range.
•
established – This operator applies only to TCP packets. If you use this
operator, the policy applies to TCP packets that have the ACK (Acknowledgment)
or RST (Reset) bits set on (set to "1") in the Control Bits field of the TCP packet
header. Thus, the policy applies only to established TCP sessions, not to new
sessions. Refer to Section 3.1, "Header Format", in RFC 793 for information
about this field.
NOTE: This operator applies only to destination TCP ports, not source TCP ports.
Enter the source TCP or UDP port number.
Enter the destination TCP or UDP port number.
If you specified TCP for <ip-protocol>, you can specify which flags inside the TCP
header need to be matched. Specify any of the following flags for <tcp-flags>:
•
+ | – urg = Urgent
•
+ | – ack= Acknowledge
•
+ | – psh + Push
•
+ | – rst = Reset
•
+ | – syn = Synchronize
•
+ | – fin = Finish
Use a + or – to indicate if the matching condition requires the bit to be set to 1 (+) or
0 (–), separating each entry with a space.
Enter match-all if you want all the flags you specified to be matched from an
"established TCP session; use match-any of any of the flags will be matched.
BigIron RX Series Configuration Guide
53-1001986-01