07-Security Command Reference


Firewall configuration commands

Packet-filter firewall configuration commands

Support for the packet-filter firewall commands depends on the device model. For more information, see About the H3C Access Controllers Command References.

display firewall ipv6 statistics

Use display firewall ipv6 statistics to view the packet filtering statistics of the IPv6 firewall.

Syntax

display firewall ipv6 statistics { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

all: Displays the packet filtering statistics of all interfaces of the IPv6 firewall.

interface interface-type interface-number: Displays the packet filtering statistics of the specified interface of the IPv6 firewall.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display the packet filtering statistics of the IPv6 firewall.

<Sysname> display firewall ipv6 statistics interface Vlan-interface 100

  Interface: Vlan-interface100

  In-bound Policy: acl6 2000

  From 2013-06-04 10:25:21  to 2013-06-04 10:35:57

     0 packets, 0 bytes, 0% permitted

     0 packets, 0 bytes, 0% denied

     0 packets, 0 bytes, 0% permitted default

     0 packets, 0 bytes, 0% denied default

  Totally 0 packets, 0 bytes, 0% permitted

  Totally 0 packets, 0 bytes, 0% denied

Table 1 Command output (field: description)

Interface: Interface configured with the IPv6 packet filtering function.

In-bound Policy: IPv6 ACL configured in the inbound direction of the interface.

Out-bound Policy: IPv6 ACL configured in the outbound direction of the interface.

acl6: IPv6 ACL number.

0 packets, 0 bytes, 0% permitted: Packets permitted by IPv6 ACL rules, as a packet count, a byte count, and a percentage of all packets.

0 packets, 0 bytes, 0% denied: Packets denied by IPv6 ACL rules, as a packet count, a byte count, and a percentage of all packets.

0 packets, 0 bytes, 0% permitted default: Packets that matched no IPv6 ACL rule and were permitted by the default filtering rule, as a packet count, a byte count, and a percentage of all packets.

0 packets, 0 bytes, 0% denied default: Packets that matched no IPv6 ACL rule and were denied by the default filtering rule, as a packet count, a byte count, and a percentage of all packets.

Totally 0 packets, 0 bytes, 0% permitted: All permitted packets (by ACL rule or by the default rule), as a packet count, a byte count, and a percentage of all packets.

Totally 0 packets, 0 bytes, 0% denied: All denied packets (by ACL rule or by the default rule), as a packet count, a byte count, and a percentage of all packets.

 

display firewall-statistics

Use display firewall-statistics to view the packet filtering statistics of the IPv4 firewall.

Syntax

display firewall-statistics { all | interface interface-type interface-number | user-profile user-profile-name } [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

all: Displays all packet filtering statistics of the IPv4 firewall.

interface interface-type interface-number: Displays the packet filtering statistics on the specified interface of the IPv4 firewall.

user-profile user-profile-name: Displays packet filtering statistics about the user profile specified by its name, a case-sensitive string of 1 to 31 characters. For more information about user profiles, see Security Configuration Guide.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display all packet filtering statistics of the firewall.

<Sysname> display firewall-statistics all

  Firewall is enable, default filtering method is 'permit'.

 

  Interface: Vlan-interface3

  In-bound Policy: acl 3001

  From 2012-11-11 14:03:44 to 2012-11-11 14:07:41

     0 packets, 0 bytes, 0% permitted,

     0 packets, 0 bytes, 0% denied,

     0 packets, 0 bytes, 0% permitted default,

     0 packets, 0 bytes, 0% denied default,

  Totally 0 packets, 0 bytes, 0% permitted,

  Totally 0 packets, 0 bytes, 0% denied.
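The statistics blocks above (the IPv6 format without trailing commas and the IPv4 format with them) are what an operator would poll to see whether an ACL actually describes the traffic it controls: packets counted under "permitted default" or "denied default" matched no rule at all. The following parser is an added example, not part of the H3C reference; the sample output is constructed in the page's format (one block per format) and the 10% threshold is an arbitrary assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the format shown above: one interface whose ACL leaves a
# quarter of its traffic to the default rule, and one that is fully covered.
SAMPLE = """\
  Firewall is enable, default filtering method is 'permit'.

  Interface: Vlan-interface3
  In-bound Policy: acl 3001
  From 2012-11-11 14:03:44 to 2012-11-11 14:07:41
     120 packets, 9600 bytes, 60% permitted,
     30 packets, 2400 bytes, 15% denied,
     50 packets, 4000 bytes, 25% permitted default,
     0 packets, 0 bytes, 0% denied default,
  Totally 170 packets, 13600 bytes, 85% permitted,
  Totally 30 packets, 2400 bytes, 15% denied.

  Interface: WLAN-ESS1
  Out-bound Policy: acl6 2000
  From 2012-11-11 14:03:44 to 2012-11-11 14:07:41
     10 packets, 800 bytes, 100% permitted
     0 packets, 0 bytes, 0% denied
     0 packets, 0 bytes, 0% permitted default
     0 packets, 0 bytes, 0% denied default
  Totally 10 packets, 800 bytes, 100% permitted
  Totally 0 packets, 0 bytes, 0% denied
"""

IFACE_RE = re.compile(r"^\s*Interface: (\S+)")
POLICY_RE = re.compile(r"^\s*(In|Out)-bound Policy: (acl6?) (\S+)")
COUNTER_RE = re.compile(
    r"^\s*(Totally\s+)?(\d+) packets, (\d+) bytes, (\d+)% "
    r"(permitted default|denied default|permitted|denied)[,.]?\s*$")

@dataclass
class IfaceStats:
    name: str
    policies: dict = field(default_factory=dict)   # "inbound"/"outbound" -> ACL id
    counters: dict = field(default_factory=dict)   # bucket -> (packets, bytes)

def parse_stats(text):
    """Return IfaceStats objects in output order; handles both output formats."""
    result, cur = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = IfaceStats(m.group(1))
            result.append(cur)
            continue
        m = POLICY_RE.match(line)
        if m and cur:
            cur.policies[m.group(1).lower() + "bound"] = m.group(3)
            continue
        m = COUNTER_RE.match(line)
        if m and cur:
            key = ("total " if m.group(1) else "") + m.group(5)
            cur.counters[key] = (int(m.group(2)), int(m.group(3)))
    return result

def default_rule_share(stats):
    """Fraction of all packets decided by the default rule rather than an ACL rule."""
    pk = lambda k: stats.counters.get(k, (0, 0))[0]
    total = pk("total permitted") + pk("total denied")
    if total == 0:
        return 0.0
    return (pk("permitted default") + pk("denied default")) / total

def interfaces_relying_on_default(text, threshold=0.10):
    """Names of interfaces whose ACL leaves more than `threshold` of traffic unmatched."""
    return [s.name for s in parse_stats(text) if default_rule_share(s) > threshold]
```

Under firewall default permit, an interface reported by interfaces_relying_on_default is passing traffic its ACL never classified, which is the gap to close before switching the default to deny.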

 

firewall default

Use firewall default to specify the default firewall filtering action of the IPv4 firewall.

Syntax

firewall default { deny | permit }

Default

The default filtering action of the IPv4 firewall is permitting packets to pass (permit).

Views

System view

Default command level

2: System level

Parameters

deny: Denies packets from passing through the firewall.

permit: Permits packets to pass through the firewall.

Examples

# Set the default filtering action of the IPv4 firewall to deny.

<Sysname> system-view

[Sysname] firewall default deny

firewall enable

Use firewall enable to enable the IPv4 firewall function.

Use undo firewall enable to disable the IPv4 firewall function.

Syntax

firewall enable

undo firewall enable

Default

The IPv4 firewall function is disabled.

Views

System view

Default command level

2: System level

Examples

# Enable the IPv4 firewall function.

<Sysname> system-view

[Sysname] firewall enable

firewall ipv6 default

Use firewall ipv6 default to specify the default firewall filtering action of the IPv6 firewall.

Syntax

firewall ipv6 default { deny | permit }

Default

The default filtering action of IPv6 firewall is permitting packets to pass (permit).

Views

System view

Default command level

2: System level

Parameters

deny: Denies packets from passing through the firewall.

permit: Permits packets to pass through the firewall.

Examples

# Set the default filtering action of the IPv6 firewall to deny.

<Sysname> system-view

[Sysname] firewall ipv6 default deny

firewall ipv6 enable

Use firewall ipv6 enable to enable the IPv6 firewall function.

Use undo firewall ipv6 enable to disable the IPv6 firewall function.

Syntax

firewall ipv6 enable

undo firewall ipv6 enable

Default

The IPv6 firewall function is disabled.

Views

System view

Default command level

2: System level

Examples

# Enable the IPv6 firewall function.

<Sysname> system-view

[Sysname] firewall ipv6 enable

firewall packet-filter (interface view)

Use firewall packet-filter to apply an IPv4 ACL to an interface to filter packets.

Use undo firewall packet-filter to cancel the configuration.

Syntax

firewall packet-filter { acl-number | name acl-name } { inbound | outbound }

undo firewall packet-filter { acl-number | name acl-name } { inbound | outbound }

Default

An interface does not filter packets.

Views

Interface view

Default command level

2: System level

Parameters

acl-number: Specifies a basic ACL number in the range of 2000 to 2999, or an advanced ACL number in the range of 3000 to 3999.

name acl-name: Specifies a basic or an advanced IPv4 ACL by its name, a case-insensitive string of 1 to 63 characters that must start with an alphabetical character. To avoid confusion, the word all cannot be used as the ACL name.

inbound: Filters incoming packets of the interface.

outbound: Filters outgoing packets of the interface.

Usage guidelines

You can apply only one IPv4 ACL in one direction of an interface to filter packets.

Examples

# Apply ACL 2001 to interface WLAN-ESS 1 to filter outbound packets.

<Sysname> system-view

[Sysname] interface wlan-ess 1

[Sysname-WLAN-ESS1] firewall packet-filter 2001 outbound

firewall packet-filter (user-profile view)

Use firewall packet-filter to apply an IPv4 ACL to a user profile to filter packets.

Use undo firewall packet-filter to cancel the configuration.

Syntax

firewall packet-filter { acl-number | name acl-name } { inbound | outbound }

undo firewall packet-filter { acl-number | name acl-name } { inbound | outbound }

Default

No ACL is applied to filter packets of any user.

Views

User profile view

Default command level

2: System level

Parameters

acl-number: Specifies a basic ACL number in the range of 2000 to 2999, or an advanced ACL number in the range of 3000 to 3999.

name acl-name: Specifies a basic or an advanced IPv4 ACL by its name, a case-insensitive string of 1 to 63 characters. It must start with an alphabetical character. To avoid confusion, the word all cannot be used as the ACL name.

inbound: Filters packets received from a user.

outbound: Filters packets sent to a user.

Usage guidelines

After a user passes authentication and is authorized with a user profile configured with an ACL packet-filter firewall, the packets received or sent by the user are filtered by the firewall.

In user profile view, you can apply only one ACL to filter packets in one direction.

Examples

# Apply ACL 2001 to user profile aaa to filter packets received from a user.

<Sysname> system-view

[Sysname] user-profile aaa

[Sysname-user-profile-aaa] firewall packet-filter 2001 inbound

firewall packet-filter ipv6

Use firewall packet-filter ipv6 to configure IPv6 packet filtering on the interface.

Use undo firewall packet-filter ipv6 to remove the IPv6 packet filtering setting on the interface.

Syntax

firewall packet-filter ipv6 { acl6-number | name acl6-name } { inbound | outbound }

undo firewall packet-filter ipv6 [ { acl6-number | name acl6-name } ] { inbound | outbound }

Default

IPv6 packets are not filtered on the interface.

Views

Interface view

Default command level

2: System level

Parameters

acl6-number: Specifies a basic IPv6 ACL number in the range of 2000 to 2999, or an advanced IPv6 ACL number in the range of 3000 to 3999.

name acl6-name: Specifies a basic or an advanced IPv6 ACL by its name, a case-insensitive string of 1 to 32 characters that must start with an alphabetical character. To avoid confusion, the word all cannot be used as the ACL name.

inbound: Filters incoming packets of the interface.

outbound: Filters outgoing packets of the interface.

Usage guidelines

You can apply only one IPv6 ACL in one direction of an interface.

Examples

# Apply IPv6 ACL 2500 to VLAN-interface 100 to filter outbound IPv6 packets.

<Sysname> system-view

[Sysname] interface Vlan-interface 100

[Sysname-Vlan-interface100] firewall packet-filter ipv6 2500 outbound
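The three packet-filter commands above share a set of constraints that are easy to violate when configuration is generated by a script: ACL numbers must be 2000 to 2999 or 3000 to 3999, names must start with a letter and must not be "all" (63 characters for IPv4, 32 for IPv6), user profile names are 1 to 31 characters, and only one ACL may be applied per direction on an interface or user profile. The builder below is an added example, not H3C code: it checks those rules before rendering the CLI lines, and assumes the permitted name characters and the standard Comware `quit` command (not shown on this page); the interface and ACL identifiers are constructed.

```python
import re

BASIC_ACL, ADVANCED_ACL = range(2000, 3000), range(3000, 4000)
# Name rule from the reference: starts with a letter and "all" is reserved; the set
# of other allowed characters is an assumption.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")
NAME_MAX = {"ipv4": 63, "ipv6": 32}
PROFILE_NAME_MAX = 31

def acl_token(acl, family="ipv4"):
    """Validate an ACL given as a number (int) or a name (str); return its CLI token."""
    if isinstance(acl, int):
        if acl not in BASIC_ACL and acl not in ADVANCED_ACL:
            raise ValueError(f"ACL number {acl} is outside 2000-2999 / 3000-3999")
        return str(acl)
    if acl.lower() == "all" or not NAME_RE.match(acl) or len(acl) > NAME_MAX[family]:
        raise ValueError(f"invalid {family} ACL name {acl!r}")
    return f"name {acl}"

def build_config(default_action, bindings):
    """bindings: (family, kind, target, direction, acl) tuples, family 'ipv4' or
    'ipv6', kind 'interface' or 'user-profile'. Returns the CLI lines to enter."""
    if default_action not in ("deny", "permit"):
        raise ValueError("default action must be deny or permit")
    families = {b[0] for b in bindings}
    lines = ["system-view"]
    if "ipv4" in families:
        lines += ["firewall enable", f"firewall default {default_action}"]
    if "ipv6" in families:
        lines += ["firewall ipv6 enable", f"firewall ipv6 default {default_action}"]
    seen = set()
    for family, kind, target, direction, acl in bindings:
        if direction not in ("inbound", "outbound"):
            raise ValueError(f"bad direction {direction!r}")
        if kind == "user-profile":
            if family != "ipv4":
                raise ValueError("this reference applies only IPv4 ACLs in user profile view")
            if not 1 <= len(target) <= PROFILE_NAME_MAX:
                raise ValueError(f"user profile name {target!r} must be 1-31 characters")
        # Only one ACL per family and direction on a given interface or user profile.
        key = (family, kind, target, direction)
        if key in seen:
            raise ValueError(f"second {family} ACL in {direction} on {kind} {target}")
        seen.add(key)
        cmd = "firewall packet-filter ipv6" if family == "ipv6" else "firewall packet-filter"
        # `quit` returns to system view between targets (standard Comware command).
        lines += [f"{kind} {target}", f"{cmd} {acl_token(acl, family)} {direction}", "quit"]
    return lines
```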

reset firewall ipv6 statistics

Use reset firewall ipv6 statistics to clear the packet filtering statistics of the IPv6 firewall.

Syntax

reset firewall ipv6 statistics { all | interface interface-type interface-number }

Views

User view

Default command level

1: Monitor level

Parameters

all: Clears the packet filtering statistics on all interfaces of the IPv6 firewall.

interface interface-type interface-number: Clears the packet filtering statistics on the specified interface of the IPv6 firewall.

Examples

# Clear the packet filtering statistics on VLAN-interface 100 of the IPv6 firewall.

<Sysname> reset firewall ipv6 statistics interface Vlan-interface 100

Related commands

display firewall ipv6 statistics

reset firewall-statistics

Use reset firewall-statistics to clear packet filtering statistics of the IPv4 firewall.

Syntax

reset firewall-statistics { all | interface interface-type interface-number | user-profile user-profile-name }

Views

User view

Default command level

1: Monitor level

Parameters

all: Clears all packet filtering statistics of the IPv4 firewall.

interface interface-type interface-number: Clears packet filtering statistics on the specified interface of the IPv4 firewall.

user-profile user-profile-name: Clears packet filtering statistics about the user profile specified by its name, a case-sensitive string of 1 to 31 characters. For more information about user profiles, see Security Configuration Guide.

Examples

# Clear packet filtering statistics of IPv4 firewall on interface WLAN-DBSS 1:4.

<Sysname> reset firewall-statistics interface WLAN-DBSS 1:4

ASPF configuration commands

Support for the ASPF configuration commands depends on the device model. For more information, see About the H3C Access Controllers Command References.

aspf-policy

Use aspf-policy to create an ASPF policy and enter its view.

Use undo aspf-policy to remove an ASPF policy.

Syntax

aspf-policy aspf-policy-number

undo aspf-policy aspf-policy-number

Views

System view

Default command level

2: System level

Parameters

aspf-policy-number: ASPF policy number, in the range of 1 to 99.

Usage guidelines

A defined ASPF policy can be applied through its policy number.

Examples

# Create an ASPF policy and enter the corresponding ASPF policy view.

<Sysname> system-view

[Sysname] aspf-policy 1

[Sysname-aspf-policy-1]

display aspf all

Use display aspf all to view the information of all the ASPF policies and sessions.

Syntax

display aspf all [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display information about all ASPF policies.

<Sysname> display aspf all

[ASPF Policy Configuration]

  Policy Number 1:

    icmp-error drop

    tcp syn-check

  Policy Number 2:

    undo icmp-error drop

    undo tcp syn-check

 

[Interface Configuration]

   Interface                      InboundPolicy   OutboundPolicy

 ---------------------------------------------------------------

   WLAN-ESS1                      1               2

Table 2 Command output (field: description)

[ASPF Policy Configuration]: ASPF policy configuration information.

Policy Number: ASPF policy number.

icmp-error drop: Drop ICMP error messages.

tcp syn-check: Drop any non-SYN packet that is the first packet over a TCP connection.

undo icmp-error drop: Do not drop ICMP error messages.

undo tcp syn-check: Do not drop a non-SYN packet that is the first packet over a TCP connection.

[Interface Configuration]: ASPF policies applied to interfaces.

Interface: Type and number of the interface.

InboundPolicy: Inbound ASPF policy.

OutboundPolicy: Outbound ASPF policy.

 

display aspf interface

Use display aspf interface to view the ASPF policy configuration applied on interfaces.

Syntax

display aspf interface [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display the ASPF policies on interfaces.

<Sysname> display aspf interface

[Interface Configuration]

   Interface                      InboundPolicy   OutboundPolicy

 ---------------------------------------------------------------

   WLAN-ESS1                      1               0

Table 3 Command output (field: description)

InboundPolicy: Inbound ASPF policy.

OutboundPolicy: Outbound ASPF policy.

 

display aspf policy

Use display aspf policy to view the information of an ASPF policy.

Syntax

display aspf policy aspf-policy-number [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

aspf-policy-number: ASPF policy number, in the range of 1 to 99.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display ASPF policy 1.

<Sysname> display aspf policy 1

[ASPF Policy Configuration]

  Policy Number 1:

    icmp-error drop

    tcp syn-check

Table 4 Command output (field: description)

[ASPF Policy Configuration]: ASPF policy configuration information.

Policy Number: ASPF policy number.

icmp-error drop: Drop ICMP error messages.

tcp syn-check: Drop any non-SYN packet that is the first packet over a TCP connection.

undo icmp-error drop: Do not drop ICMP error messages.

undo tcp syn-check: Do not drop a non-SYN packet that is the first packet over a TCP connection.

 

display port-mapping

Use display port-mapping to view port mapping information.

Syntax

display port-mapping [ application-name | port port-number ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

application-name: Name of the application to be used for port mapping. Available applications include FTP, GPRS Tunneling Protocol Control (GTP-C), GPRS Tunneling Protocol User (GTP-U), GPRS Tunneling Protocol V0 (GTP-V0), H323, HTTP, RTSP, SCCP, SIP, SMTP, and SQLNET.

port port-number: Specifies to display port mapping information on the specified port. The port number is in the range of 0 to 65535.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display all the information about port mapping.

<Sysname> display port-mapping

  SERVICE    PORT       ACL        TYPE

 -------------------------------------------------

  ftp          21                  system defined

  gtp-c      2123                  system defined

  gtp-u      2152                  system defined

  gtp-v0     3386                  system defined

  h323       1720                  system defined

  http         80                  system defined

  rtsp        554                  system defined

  sccp       2000                  system defined

  sip        5060                  system defined

  smtp         25                  system defined

  sqlnet     1521                  system defined

Table 5 Command output (field: description)

SERVICE: Application layer protocol that is mapped to a port.

PORT: Number of the port for the application layer protocol.

ACL: Number of the ACL specifying the host range.

TYPE: Port mapping type, system predefined or user customized.

 

Related commands

port-mapping

firewall aspf (interface)

Use firewall aspf to apply an ASPF policy to the interface.

Use undo firewall aspf to remove an ASPF policy from the interface.

Syntax

firewall aspf aspf-policy-number { inbound | outbound }

undo firewall aspf aspf-policy-number { inbound | outbound }

Default

No ASPF policy is applied to an interface.

Views

Interface view

Default command level

2: System level

Parameters

aspf-policy-number: Number of the ASPF policy, in the range of 1 to 99.

inbound: Applies ASPF policy to packets received from a user.

outbound: Applies ASPF policy to packets sent to a user.

Examples

# Apply ASPF policy 1 to the outbound direction of interface WLAN-ESS 1.

<Sysname> system-view

[Sysname] interface wlan-ess 1

[Sysname-WLAN-ESS1] firewall aspf 1 outbound

firewall aspf (user-profile view)

Use firewall aspf to apply an ASPF policy to a user profile.

Use undo firewall aspf to cancel the application.

Syntax

firewall aspf aspf-policy-number { inbound | outbound }

undo firewall aspf aspf-policy-number { inbound | outbound }

Default

No ASPF policy is applied to a user profile.

Views

User profile view

Default command level

2: System level

Parameters

aspf-policy-number: Number of the ASPF policy, in the range of 1 to 99.

inbound: Applies ASPF policy to inbound packets.

outbound: Applies ASPF policy to outbound packets.

Usage guidelines

After a user passes authentication and is authorized with a user profile configured with an ASPF policy, the packets received or sent by the user are inspected according to the ASPF policy.

Usually, the authenticated users that the firewall protects reside in the internal network. Therefore, to inspect and filter packets from the internal network to the external network, apply an ASPF policy in the inbound direction; to inspect and filter packets from the external network to the internal network, apply an ASPF policy in the outbound direction.

Examples

# Apply ASPF policy 1 to user profile aaa to filter packets sent to a user.

<Sysname> system-view

[Sysname] user-profile aaa

[Sysname-user-profile-aaa] firewall aspf 1 outbound

icmp-error drop

Use icmp-error drop to specify to drop ICMP error messages.

Use undo icmp-error drop to restore the default.

Syntax

icmp-error drop

undo icmp-error drop

Default

ICMP error messages are not dropped.

Views

ASPF policy view

Default command level

2: System level

Examples

# Configure ASPF policy 1 to drop ICMP error messages.

<Sysname> system-view

[Sysname] aspf-policy 1

[Sysname-aspf-policy-1] icmp-error drop

Related commands

aspf-policy

port-mapping

Use port-mapping to map a port to an application layer protocol.

Use undo port-mapping to remove a port mapping entry.

Syntax

port-mapping application-name port port-number [ acl acl-number ]

undo port-mapping [ application-name port port-number [ acl acl-number ] ]

Default

No user-defined mapping between a port and an application layer protocol exists.

Views

System view

Default command level

2: System level

Parameters

application-name: Name of the application for port mapping. Available applications include FTP, GTP-C, GTP-U, GTP-V0, H323, HTTP, RTSP, SCCP, SIP, SMTP, and SQLNET.

port port-number: Specifies the port that the application layer protocol is mapped to. The port number is in the range of 0 to 65535.

acl acl-number: Specifies the IPv4 ACL for indicating the host range. The ACL number is in the range of 2000 to 2999.

Examples

# Map port 3456 to the FTP protocol.

<Sysname> system-view

[Sysname] port-mapping ftp port 3456

Related commands

display port-mapping

tcp syn-check

Use tcp syn-check to configure ASPF to drop any non-SYN packet that is the first packet over a TCP connection.

Use undo tcp syn-check to restore the default.

Syntax

tcp syn-check

undo tcp syn-check

Default

A non-SYN packet that is the first packet over a TCP connection is not dropped.

Views

ASPF policy view

Default command level

2: System level

Examples

# Configure ASPF policy 1 to drop any non-SYN packet which is the first packet over a TCP connection.

<Sysname> system-view

[Sysname] aspf-policy 1

[Sysname-aspf-policy-1] tcp syn-check

Related commands

aspf-policy
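The two ASPF policy checks this reference defines, icmp-error drop and tcp syn-check, both depend on the inspector keeping session state: "first packet over a TCP connection" only has meaning if the device remembers which flows it has already seen. The model below is an added example, not H3C code or a description of the device's internals; the packet representation, the session table, and the set of ICMP types treated as error messages are assumptions, and the trace is constructed.

```python
from dataclasses import dataclass

# ICMP types carrying error reports: destination unreachable, source quench,
# redirect, time exceeded, parameter problem. Assumption about what the
# reference means by "ICMP error messages".
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False     # TCP SYN set without ACK, i.e. a connection request
    icmp_type: int = 0

@dataclass
class AspfPolicy:
    number: int
    icmp_error_drop: bool = False   # `icmp-error drop` configured
    tcp_syn_check: bool = False     # `tcp syn-check` configured

class AspfInspector:
    """Stateful inspector: a TCP packet is the first of its connection exactly
    when neither direction of its 4-tuple is in the session table."""
    def __init__(self, policy):
        self.policy = policy
        self.sessions = set()

    def inspect(self, p):
        """Return 'permit' or 'drop' for one packet and update session state."""
        if p.proto == "icmp":
            if self.policy.icmp_error_drop and p.icmp_type in ICMP_ERROR_TYPES:
                return "drop"
            return "permit"
        if p.proto == "tcp":
            flow = (p.src, p.sport, p.dst, p.dport)
            if flow in self.sessions:
                return "permit"              # mid-session packet of a known flow
            if self.policy.tcp_syn_check and not p.syn:
                return "drop"                # first packet of the flow is not a SYN
            self.sessions.add(flow)
            self.sessions.add((p.dst, p.dport, p.src, p.sport))  # reply direction
            return "permit"
        return "permit"                      # other protocols: no ASPF check here

def run_trace(policy, packets):
    """Apply one policy to a packet list and return the per-packet verdicts."""
    insp = AspfInspector(policy)
    return [insp.inspect(p) for p in packets]

# Constructed trace: a normal handshake and data packet, then a non-SYN packet
# for a flow the inspector has never seen (e.g. state lost after a failover),
# then an ICMP destination-unreachable report.
TRACE = [
    Packet("tcp", "10.0.0.5", "192.0.2.10", 40000, 80, syn=True),
    Packet("tcp", "192.0.2.10", "10.0.0.5", 80, 40000),
    Packet("tcp", "10.0.0.5", "192.0.2.10", 40000, 80),
    Packet("tcp", "10.0.0.7", "192.0.2.10", 40001, 80),
    Packet("icmp", "192.0.2.1", "10.0.0.5", icmp_type=3),
]
```

Running the trace through policy 1 from the display aspf all example (both checks on) drops the last two packets, while policy 2 (both checks off) permits all five; the drop of the stray non-SYN packet is also the reason long-lived connections can break after ASPF state is lost.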

 
