User manual

Chapter 4 - Layer 3 Command Set - IP Networking Ipfw Command (IP Firewall)
Alvarion BreezeNET B130/B300 GigE 178 Operational User Manual
Address information is an IP address with an optional mask. The IP address is
given in the traditional dotted numeric format (nn.nn.nn.nn). The optional mask
can be given either as a mask length in bits or as a numeric value in
nnn.nnn.nnn.nnn format. The possible formats for address information are the
following:
nn.nn.nn.nn
nn.nn.nn.nn:xxx.xxx.xxx.xxx
nn.nn.nn.nn/NN
A colon means that the mask is given in numeric address format. A slash means
that the mask is given as a length in bits (the number of leading bits set to
"1"; the remaining bits are "0").
Example:
192.168.9.0/24 sets the network address 192.168.9.0 with a 24-bit mask length.
The same network with a numeric mask: 192.168.9.0:255.255.255.0.
"0/0" means all possible IP-addresses.
If you need to create a filter that applies to several network addresses or
groups, it is more convenient to collect all those addresses in one access
list and specify the list name in place of an IP address ($ACLRULE).
There are several predefined dynamic ACL lists that cannot be built in any
other way.
The $LOCAL list includes all local addresses owned by the device. It is
convenient for writing filters that allow (or restrict) access to the
device:
ipfw add accept all from 0/0 to $LOCAL
The $ROUTE list contains the system routing table excluding the default route.
An address that matches this list has a specific route, so the default route
will not be used for it:
ipfw add reject all from 0/0 to not $ROUTE
For interfaces that have a physical Ethernet MAC address, a MAC address value
can be used with the keyword mac. For incoming filters only the source MAC
address can be specified, and for outgoing filters only the destination MAC
address.
The from and to keywords can be followed by the negation prefix not. It applies
only to the corresponding address (or address list) and does not affect any
ports used in the command.