Enterasys Security Router User's Guide

Firewall CLI Commands
16-20 Configuring Security on the XSR
Non-Unicast packet handling - Packets with broadcast or multicast destination addresses are not allowed to pass in either direction; they must be allowed explicitly. This rule makes it easy to deny IP broadcast/multicast packets through the firewall, but to allow them you must issue the ip firewall ip-broadcast or ip firewall ip-multicast commands as well as set policy.
IP Packets with options - Packets carrying IP options are dropped in either direction by default. You must permit options explicitly in either direction.
Naming conventions - Any firewall object name must use only the following characters: A - Z (upper or lower case), 0 - 9, - (dash), or _ (underscore). Also, all firewall object names are case-sensitive.
TCP/UDP/ICMP Filter - Filters TCP, UDP, or ICMP packets and assigns an idle session timeout for their inspection with ip firewall tcp, ip firewall udp, and ip firewall icmp.
Non-TCP/UDP Filter - Defines packet filtering for protocols other than TCP and UDP with ip firewall filter. Because these packets are dropped by default, to allow any other IP protocol packet to pass through the firewall you must specify a filter object with the correct source/destination IP address and IP protocol ID.
Java and ActiveX - Allows HTML pages with Java and ActiveX content through the firewall with the ip firewall java and ip firewall activex commands. Options include allowing from all or selected IP addresses, or denying from any IP address.
System Filter - Specifies interface-mode filtering with the ip firewall ip-options (for loose or strict routing through the Internet, trace routes, or record time stamps), ip firewall ip-broadcast (e.g., for DHCP), and ip firewall ip-multicast (for routing) commands.
Enable/Disable - Turns the firewall on or off with ip firewall {enable | disable}. The firewall is set per interface or globally and is disabled on all interfaces by default. If the firewall is globally disabled, a local enable is ignored; if it is globally enabled, all interfaces are "on" unless you explicitly disable each port. Enable displays in the running-config, but disable does not.
Load - Installs the completed firewall configuration in the XSR's inspection engine with ip firewall load. This command avoids conflicts with existing sessions by clearing them, but before doing so you can perform a trial load to verify settings, or configure incrementally and check for errors between loads. You can view modified settings before loading with show ip firewall config. Also, the delay load option schedules a load, and show ip firewall general displays an outstanding delay and when it will run. Be aware that you must copy the running-config to the startup-config file to save any changes. Commands entered at the CLI are not in the configuration until the load command is invoked, so if you omit a load and save the running-config to the startup-config file, the commands you entered will not appear. Several other show commands display the objects that are in effect, that is, those that have been loaded (refer to the following bullet).
Display Commands - A host of firewall show commands are available to display firewall attributes for each firewall configuration command. Also, show ip firewall config displays the as yet uncommitted configuration, show ip firewall sessions displays dynamic TCP, UDP, and ICMP session data, and show ip firewall general displays summary system firewall statistics such as the status of the firewall, protected and unprotected interfaces, session counters, and the number of DoS attacks.
Caution: Performing a load requires that you re-establish all TCP connections, including Telnet sessions and PKI links to the Certificate Authority. Also, firewall configuration changes are blocked during a load delay.
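The configure, review, load, verify, save sequence described under Load and Display Commands, written out as an annotated CLI session. This is an added example, not a session from the guide: the exact arguments of the object-creation commands (ip firewall tcp, ip firewall ip-broadcast, and so on) are not given on this page and appear as <placeholders>; the copy running-config startup-config form is assumed from the guide's description of saving the running-config to the startup-config file; and the XSR# prompt and the lines beginning with ! are annotations for the reader, not XSR output.

```text
! Added example, not from the guide. Lines starting with "!" are annotations.
! <...> marks arguments whose exact syntax this page does not give.

! Build the objects. None of these are in effect, or in running-config, until loaded.
XSR# ip firewall tcp <name> <...>          ! TCP object; idle session timeout assigned here
XSR# ip firewall ip-broadcast <...>        ! required before broadcast (e.g. DHCP) can be allowed by policy
XSR# ip firewall enable                    ! "enable" shows in running-config; "disable" would not

! 1. Review the as yet uncommitted objects before touching the inspection engine.
XSR# show ip firewall config

! 2. Commit. Existing sessions, including this Telnet session, are cleared; reconnect
!    before continuing. The delay load option schedules the load for later instead,
!    and configuration changes are blocked while that delay is outstanding.
XSR# ip firewall load

! 3. Confirm what is actually in effect: firewall status, protected and unprotected
!    interfaces, session counters, DoS attack count, and any pending delayed load.
XSR# show ip firewall general
XSR# show ip firewall sessions

! 4. Only now save. Saving before the load would write a startup-config that does
!    not contain the objects entered above.
XSR# copy running-config startup-config
```

The order matters for the caveat the guide raises: a save issued between the object commands and the load persists nothing, so the check in step 3 (the show commands that report loaded objects) is the point at which to confirm the policy before writing startup-config.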