10-Security Command Reference
09-Packet-Filter Firewall Commands
Packet-filter firewall configuration commands
NOTE: In this documentation, SPC cards refer to the cards prefixed with SPC, for example, SPC-GT48L.
NOTE:
· In this documentation, EF interface cards refer to the CR-SPC-XP8LEF, CR-SPC-XP4LEF, CR-SPC-GP48LEF, and CR-SPC-GT48LEF cards.
· The firewall function is available only on EF interface cards.
display port-mapping
Syntax
display port-mapping [ application-name | port port-number ] [ | { begin | exclude | include } regular-expression ]
View
Default level
1: Monitor level
Parameters
application-name: Name of the application to be used for port mapping. Available applications include FTP, GPRS Tunneling Protocol Control (GTP-C), GPRS Tunneling Protocol User (GTP-U), GPRS Tunneling Protocol V0 (GTP-V0), H323, HTTP, RTSP, SCCP, SIP, SMTP, and SQLNET.
port port-number: Displays port mapping information for the specified port only. The port number is in the range of 0 to 65535.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display port-mapping command to view port mapping information.
Related commands: port-mapping.
Examples
# Display all the information about port mapping.
<Sysname> display port-mapping
SERVICE PORT ACL TYPE
-------------------------------------------------
ftp 21 system defined
gtp-c 2123 system defined
gtp-u 2152 system defined
gtp-v0 3386 system defined
h323 1720 system defined
http 80 system defined
rtsp 554 system defined
sccp 2000 system defined
sip 5060 system defined
smtp 25 system defined
sqlnet 1521 system defined
http 8080 user defined
Table 1 Output description
Field | Description
---|---
SERVICE | Application layer protocol that is mapped to a port
PORT | Number of the port for the application layer protocol
ACL | Number of the ACL specifying the host range
TYPE | Port mapping type, system predefined or user customized
firewall packet-filter
Syntax
firewall packet-filter { acl-number | name acl-name } { inbound | outbound }
undo firewall packet-filter { acl-number | name acl-name } { inbound | outbound }
View
Interface view (Layer 2 Ethernet interface, Layer 3 Ethernet interface, VLAN interface, ATM interface, POS interface, serial interface, MP-group, MFR)
Default level
2: System level
Parameters
acl-number: Specifies an IPv4 ACL by its number, which is in the range of 2000 to 2999 for a basic ACL, 3000 to 3999 for an advanced ACL, or 4000 to 4999 for an Ethernet frame header ACL.
name acl-name: Specifies a basic or an advanced IPv4 ACL by its name. acl-name is a case-insensitive string of 1 to 32 characters that starts with an English letter (a to z or A to Z). To avoid confusion, the word “all” cannot be used as the ACL name.
inbound: Filters packets received by the interface.
outbound: Filters packets forwarded from the interface.
Description
Use the firewall packet-filter command to configure IPv4 packet filtering on the interface.
Use the undo firewall packet-filter command to cancel the configuration.
Packets are not filtered on an interface by default.
You can configure multiple IPv4 packet filtering ACLs in the inbound or outbound direction of an interface. These ACLs take effect simultaneously.
NOTE: The rule you add to an ACL that has been used by the firewall packet-filter command cannot take effect if hardware resources are insufficient or the firewall packet-filter command does not support the rule. Such rules are marked as uncompleted in the output of the display acl { acl-number | all | name acl-name } slot slot-number command. To successfully apply the rule, you must delete the rule and then reconfigure it when hardware resources are sufficient. For more information about ACL, see ACL and QoS Configuration Guide.
Examples
# Apply ACL 2001 on Serial 3/1/9/1:2 to filter outbound packets.
<Sysname> system-view
[Sysname] interface serial 3/1/9/1:2
[Sysname-Serial3/1/9/1:2] firewall packet-filter 2001 outbound
firewall packet-filter ipv6
Syntax
firewall packet-filter ipv6 { acl6-number | name acl6-name } { inbound | outbound }
undo firewall packet-filter ipv6 { acl6-number | name acl6-name } { inbound | outbound }
View
Interface view (Layer 2 Ethernet interface, Layer 3 Ethernet interface, VLAN interface, ATM interface, POS interface, serial interface, MP-group, MFR)
Default level
2: System level
Parameters
acl6-number: Specifies an IPv6 ACL by its number, which is in the range of 2000 to 2999 for a basic ACL, or 3000 to 3999 for an advanced ACL.
name acl6-name: Specifies a basic or an advanced IPv6 ACL by its name. acl6-name is a case-insensitive string of 1 to 32 characters that starts with an English letter (a to z or A to Z). To avoid confusion, the word “all” cannot be used as the ACL name.
inbound: Filters packets received by the interface.
outbound: Filters packets forwarded by the interface.
Description
Use the firewall packet-filter ipv6 command to configure IPv6 packet filtering on the interface.
Use the undo firewall packet-filter ipv6 command to remove the IPv6 packet filtering setting on the interface.
By default, IPv6 packets are not filtered on the interface.
You can configure multiple IPv6 packet filtering ACLs in the inbound or outbound direction of an interface. These ACLs take effect simultaneously.
NOTE: The rule you add to an ACL that has been used by the firewall packet-filter ipv6 command cannot take effect if hardware resources are insufficient or the firewall packet-filter ipv6 command does not support the rule. Such rules are marked as uncompleted in the output of the display acl { acl-number | all | name acl-name } slot slot-number command. To successfully apply the rule, you must delete the rule and then reconfigure it when hardware resources are sufficient. For more information about ACL, see ACL and QoS Configuration Guide.
Examples
# Apply IPv6 ACL 2500 on interface GigabitEthernet 3/1/1 to filter outbound IPv6 packets.
<Sysname> system-view
[Sysname] interface gigabitEthernet 3/1/1
[Sysname-GigabitEthernet3/1/1] firewall packet-filter ipv6 2500 outbound
packet-filter forwarding-layer route outbound
Syntax
packet-filter forwarding-layer route outbound
undo packet-filter forwarding-layer route outbound
View
System view
Default level
2: System level
Parameters
None
Description
Use the packet-filter forwarding-layer route outbound command to make outbound packet filtering on the VLAN interfaces of an SPC card apply only to Layer 3 unicast packets. After you execute this command, the firewall packet-filter outbound command on a VLAN interface filters only Layer 3 unicast packets.
Use the undo packet-filter forwarding-layer route outbound command to restore the default.
By default, an outbound packet filter on a VLAN interface on an SPC card filters all packets, including Layer 2 packets.
When you use the packet-filter forwarding-layer route outbound command or its undo form to make the outbound packet filter on a VLAN interface match only Layer 3 unicast packets or all packets, follow these guidelines:
· The packet-filter forwarding-layer route outbound command is available only for SPC cards.
· The packet-filter forwarding-layer route outbound command or its undo form must be configured before the firewall packet-filter { acl-number | name acl-name } outbound command. If you have already configured the firewall packet-filter { acl-number | name acl-name } outbound command on a VLAN interface on an SPC card, you must remove that packet filter setting, configure the packet-filter forwarding-layer route outbound command or its undo form, and then reconfigure the firewall packet-filter { acl-number | name acl-name } outbound command on the VLAN interface.
· The packet-filter forwarding-layer route outbound command can cause the switch to discard BFD packets. To avoid this problem, configure an advanced IPv4 ACL rule by using the rule [ rule-id ] permit udp destination-port range 3784 3785 command to permit BFD packets.
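The BFD caveat above is easy to miss in a large configuration. The following audit script is an added example, not part of this command reference: it scans a constructed Comware-style running configuration and reports every VLAN interface whose outbound packet-filter ACL lacks the permit udp destination-port range 3784 3785 rule while packet-filter forwarding-layer route outbound is active. The configuration text and ACL numbers are assumed sample values.

```python
import re

# Constructed sample running configuration (not taken from the command reference).
SAMPLE_CONFIG = """\
#
acl number 2001
 rule 0 permit source 10.1.0.0 0.0.255.255
#
acl number 3001
 rule 0 permit udp destination-port range 3784 3785
 rule 5 permit ip source 10.1.0.0 0.0.255.255
#
packet-filter forwarding-layer route outbound
#
interface Vlan-interface2
 firewall packet-filter 3001 outbound
#
interface Vlan-interface3
 firewall packet-filter 2001 outbound
#
interface GigabitEthernet3/1/1
 firewall packet-filter 2001 outbound
#
"""

# The rule the reference recommends so BFD control/echo traffic (UDP 3784-3785) survives.
BFD_RULE = re.compile(r"permit udp\b.*\bdestination-port range 3784 3785\b")

def parse_acls(config):
    """Map each 'acl number N' block to the list of its rule lines."""
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"acl number (\d+)", line)
        if m:
            current = int(m.group(1))
            acls[current] = []
        elif line.strip() == "#":
            current = None  # '#' ends the current block
        elif current is not None and line.strip().startswith("rule "):
            acls[current].append(line.strip())
    return acls

def vlan_outbound_filters(config):
    """Yield (interface, acl_number) for each outbound packet filter on a VLAN interface."""
    iface = None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            iface = m.group(1)
        elif line.strip() == "#":
            iface = None
        m = re.match(r"\s*firewall packet-filter (\d+) outbound$", line)
        if m and iface and iface.lower().startswith("vlan-interface"):
            yield iface, int(m.group(1))

def audit_bfd(config):
    """Return VLAN interfaces whose outbound ACL has no BFD permit rule while the
    forwarding-layer route outbound mode is set; an empty list means nothing to fix."""
    if "packet-filter forwarding-layer route outbound" not in config.splitlines():
        return []
    acls = parse_acls(config)
    return [iface for iface, acl in vlan_outbound_filters(config)
            if not any(BFD_RULE.search(r) for r in acls.get(acl, []))]
```

Vlan-interface3 is reported because ACL 2001 is a basic ACL and cannot carry the UDP rule; physical interfaces are ignored because the mode only affects VLAN interfaces.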
Examples
# Apply IPv4 ACL 2001 to filter only outbound Layer 3 unicast packets on VLAN-interface 2 on an SPC card.
<Sysname> system-view
[Sysname] packet-filter forwarding-layer route outbound
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] firewall packet-filter 2001 outbound
port-mapping
Syntax
port-mapping application-name port port-number [ acl acl-number ]
undo port-mapping [ application-name port port-number [ acl acl-number ] ]
View
System view
Default level
2: System level
Parameters
application-name: Name of the application for port mapping. Available applications include FTP, GTP-C, GTP-U, GTP-V0, H323, HTTP, RTSP, SCCP, SIP, SMTP, and SQLNET.
port port-number: Specifies the port that the application layer protocol is mapped to. The port number is in the range of 0 to 65535.
acl acl-number: Specifies the basic IPv4 ACL that identifies the host range. The ACL number is in the range of 2000 to 2999.
Description
Use the port-mapping command to map a port to an application layer protocol.
Use the undo port-mapping command to remove a port mapping entry.
By default, there is no mapping between a port and an application layer protocol.
Related commands: display port-mapping.
Examples
# Map port 3456 to the FTP protocol.
<Sysname> system-view
[Sysname] port-mapping ftp port 3456