Ubiquiti EDGESWITCH ES-24-250W Command Reference Manual page 395

EdgeSwitch CLI Command Reference
Quality of Service Commands

Table 14. ACL Command Parameters (Continued)

Parameter: {{range {portkey|startport} {portkey|endport} | {eq|neq|lt|gt} {portkey|0-65535}]
Description:
Note: This option is available only if the protocol is TCP or UDP.
Specifies the source Layer-4 port match condition for the IP ACL rule. You can use the port number, which ranges from 0-65535, or you specify the portkey, which can be one of the following keywords:
• For TCP: bgp, domain, echo, ftp, ftp-data, http, smtp, telnet, www, pop2, pop3.
• For UDP: domain, echo, ntp, rip, snmp, tftp, time, and who.
For both TCP and UDP, each of these keywords translates into its equivalent port number, which is used as both the start and end of a port range.
If range is specified, the IP ACL rule matches only if the Layer-4 port number falls within the specified port range. The startport and endport parameters identify the first and last ports that are part of the port range. They have values from 0 to 65535. The ending port must have a value equal or greater than the starting port. The starting port, ending port, and all ports in between will be part of the Layer-4 port range.
When eq is specified, the IP ACL rule matches only if the Layer-4 port number is equal to the specified port number or portkey.
When lt is specified, the IP ACL rule matches if the Layer-4 port number is less than the specified port number or portkey. It is equivalent to specifying a range of 0-<specified port number-1>.
When gt is specified, the IP ACL rule matches if the Layer-4 port number is greater than the specified port number or portkey. It is equivalent to specifying a range of <specified port number+1>-65535.
When neq is specified, the IP ACL rule matches only if the Layer-4 port number is not equal to the specified port number or portkey. Two rules are added in the hardware one with range equal to 0-<specified port number-1> and one with range equal to <specified port number+1>-65535.
Note: Port number matches only apply to unfragmented or first fragments.

Parameter: dstip dstmask | any | host dstip
Description:
Specifies a destination IP address and netmask for match condition of the IP ACL rule.
Specifying any implies a destination IP of 0.0.0.0 and destination mask of 255.255.255.255.
Specifying host A.B.C.D implies a destination IP of A.B.C.D and destination mask of 0.0.0.0.

Parameter: precedence precedence | tos tos [tosmask] | dscp dscp
Description:
Specifies the TOS for an IP ACL rule depending on a match of precedence or DSCP values using the parameters dscp, precedence, tos/tosmask.
Note: tosmask is an optional parameter.

Parameter: flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh] [+ack | -ack] [+urg | -urg] [established]
Description:
Note: This option is available only if the protocol is tcp.
Specifies that the IP ACL rule matches on the TCP flags.
When +fin, +syn, +rst, +psh, +ack, or +urg is specified, a match occurs if the specified flag is set in the TCP header.
When -fin, -syn, -rst, -psh, -ack, or -urg is specified, a match occurs if the specified flag is not set in the TCP header.
When established is specified, a match occurs if the specified RST or ACK bits are set in the TCP header. Two rules are installed in the hardware when the established option is specified.

Parameter: icmp-type icmp-type [icmp-code icmp-code] | icmp-message icmp-message
Description:
Note: This option is available only if the protocol is icmp.
Specifies a match condition for ICMP packets.
When icmp-type is specified, the IP ACL rule matches on the specified ICMP message type, a number from 0 to 255.
When icmp-code is specified, the IP ACL rule matches on the specified ICMP message code, a number from 0 to 255.
Specifying icmp-message implies that both icmp-type and icmp-code are specified. The following icmp-messages are supported: echo, echo-reply, host-redirect, mobile-redirect, net-redirect, net-unreachable, redirect, packet-too-big, port-unreachable, source-quench, router-solicitation, router-advertisement, time-exceeded, ttl-exceeded and unreachable.

Parameter: igmp-type igmp-type
Description:
Note: This option is available only if the protocol is IGMP.
When igmp-type is specified, the IP ACL rule matches on the specified IGMP message type, a number from 0 to 255.

Parameter: fragments
Description:
Specifies that the IP ACL rule matches on fragmented IP packets.

Parameter: log
Description:
Specifies that this rule is to be logged.

Ubiquiti Networks, Inc.
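The port operators and the any/host address forms from Table 14, worked through as an added Python example (not code from the Ubiquiti manual), showing how many port ranges each operator turns into and how the destination mask is compared. The function names are hypothetical, the portkey numbers are the standard well-known port assignments, and two points are assumptions: empty ranges are dropped, and set mask bits are treated as "ignore", which is inferred from the any and host cases in the table.

```python
import ipaddress

# Well-known port numbers for the portkey keywords listed in Table 14.
TCP_PORTKEYS = {"bgp": 179, "domain": 53, "echo": 7, "ftp": 21, "ftp-data": 20,
                "http": 80, "smtp": 25, "telnet": 23, "www": 80,
                "pop2": 109, "pop3": 110}
UDP_PORTKEYS = {"domain": 53, "echo": 7, "ntp": 123, "rip": 520, "snmp": 161,
                "tftp": 69, "time": 37, "who": 513}
MAX_PORT = 65535


def resolve_port(proto, value):
    """Turn a port number or portkey into an integer in 0-65535."""
    if proto not in ("tcp", "udp"):
        raise ValueError("port matches are available only for TCP or UDP")
    keys = TCP_PORTKEYS if proto == "tcp" else UDP_PORTKEYS
    port = keys[value] if value in keys else int(value)
    if not 0 <= port <= MAX_PORT:
        raise ValueError(f"port out of range: {value}")
    return port


def port_ranges(proto, op, first, last=None):
    """Inclusive (start, end) ranges the rule covers, per the table's equivalences."""
    p = resolve_port(proto, first)
    if op == "range":
        end = resolve_port(proto, last)
        if end < p:
            raise ValueError("ending port must be equal or greater than starting port")
        return [(p, end)]
    if op == "eq":
        return [(p, p)]
    below, above = (0, p - 1), (p + 1, MAX_PORT)
    wanted = {"lt": [below], "gt": [above], "neq": [below, above]}[op]
    # Assumption: an empty range (lt 0, gt 65535, one side of neq 0) is dropped.
    return [r for r in wanted if r[0] <= r[1]]


def dst_matches(packet_ip, dstip, dstmask):
    """Compare addresses, ignoring every bit that is set in dstmask.

    Inferred from the table: any = mask 255.255.255.255, host = mask 0.0.0.0.
    """
    care = ~int(ipaddress.IPv4Address(dstmask)) & 0xFFFFFFFF
    pkt = int(ipaddress.IPv4Address(packet_ip))
    return (pkt & care) == (int(ipaddress.IPv4Address(dstip)) & care)


if __name__ == "__main__":
    print(port_ranges("tcp", "neq", "http"))
```

Because neq expands to two ranges, each neq rule counts twice when estimating hardware rule usage, and a mask written as a conventional subnet mask would be compared with the opposite meaning under this model.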
This manual is also suitable for:

Edgeswitch es-24-500w, Edgeswitch es-48-750w, Edgeswitch es-48-500w, Edgeswitch es-24-250w