3. To permanently delete the policy, enter the ipfilter --save command.
IP Filter policy rules
An IP Filter policy consists of a set of rules. Each rule has an index number identifying the rule. There can be a maximum of 256 rules
within an IP Filter policy.
Each rule contains the following elements:
∙ Source Address: A source IP address or a group prefix.
∙ Destination Port: The destination port number or name, such as: Telnet, SSH, HTTP, HTTPS.
∙ Protocol: The protocol type. Supported types are TCP or UDP.
∙ Action: The filtering action taken by this rule, either Permit or Deny.
A traffic type and a destination IP address can also be specified.
Source address
For an IPv4 filter policy, the source address has to be a 32-bit IPv4 address in dot decimal notation. The group prefix has to be a CIDR
block prefix representation. For example, 208.130.32.0/24 represents a 24-bit IPv4 prefix starting from the most significant bit. The
special prefix 0.0.0.0/0 matches any IPv4 address. In addition, the keyword any is supported to represent any IPv4 address.
For an IPv6 filter policy, the source address has to be a 128-bit IPv6 address in a format defined by RFC 3513. The group prefix has
to be a CIDR block prefix representation. For example, 12AB:0:0:CD30::/64 represents a 64-bit IPv6 prefix starting from the most
significant bit. In addition, the keyword any is supported to represent any IPv6 address.
Destination port
For the destination port, a single port number or a port number range can be specified. According to IANA (http://www.iana.org), ports 0
to 1023 are well-known port numbers, ports 1024 to 49151 are registered port numbers, and ports 49152 to 65535 are dynamic or
private port numbers. Well-known and registered ports are normally used by servers to accept connections, while dynamic port numbers
are used by clients.
For an IP Filter policy rule, you can only select port numbers in the well-known port number range, between 0 and 1023, inclusive. This
means that you have the ability to control how to expose the management services hosted on a switch, but not the ability to affect the
management traffic that is initiated from a switch. A port number range is written with a dash, for example 7-30. Alternatively,
a service name can be used instead of a port number. Table 46 lists the supported service names and their corresponding port
numbers.
TABLE 46 Supported services
Service name    Port number
echo            7
discard         9
systat          11
daytime         13
netstat         15
chargen         19
ftp data        20
ftp             21
fsp             21
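To make the rule elements above concrete, here is an added Python model of an IP Filter policy (example code, not Fabric OS code or its ipfilter command): it parses the source address (CIDR prefix or any), the destination port (number, dash range, or service name, restricted to 0-1023), protocol and action, and evaluates a management connection against the rules. The service table is Table 46 plus the standard IANA ports for the names the guide cites (telnet, ssh, http, https); first-match-by-index ordering and the sample policy are assumptions of the example.

```python
import ipaddress

# Service names: Table 46 entries plus standard IANA ports for names the guide
# cites (telnet, ssh, http, https). Only the well-known range 0-1023 is allowed.
SERVICES = {"echo": 7, "discard": 9, "systat": 11, "daytime": 13, "netstat": 15,
            "chargen": 19, "ftp": 21, "ssh": 22, "telnet": 23, "http": 80, "https": 443}

def parse_port(spec):
    """Return (low, high) for a port number, a dash range such as 7-30, or a service name."""
    spec = spec.strip().lower()
    if spec in SERVICES:
        low = high = SERVICES[spec]
    elif "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
    else:
        low = high = int(spec)
    if not 0 <= low <= high <= 1023:
        raise ValueError(f"port {spec!r} is outside the well-known range 0-1023")
    return low, high

def parse_source(spec, version=4):
    """'any' (or 0.0.0.0/0) matches every address; otherwise a host address or CIDR prefix."""
    if spec.strip().lower() == "any":
        return ipaddress.ip_network("0.0.0.0/0" if version == 4 else "::/0")
    net = ipaddress.ip_network(spec.strip(), strict=False)
    if net.version != version:
        raise ValueError(f"{spec} is not an IPv{version} source")
    return net

def make_rule(index, source, dport, proto, action, version=4):
    """Validate one rule's elements and return it as a dict (structure chosen for this example)."""
    if proto.lower() not in ("tcp", "udp") or action.lower() not in ("permit", "deny"):
        raise ValueError("protocol must be tcp or udp; action must be permit or deny")
    return {"index": index, "source": parse_source(source, version),
            "ports": parse_port(dport), "proto": proto.lower(), "action": action.lower()}

def evaluate(rules, src_ip, dport, proto):
    """Return (index, action) of the first rule, in index order, that matches a connection
    to the switch management interface, or None if no rule matches.
    First-match ordering is an assumption of this example, not a statement of the guide."""
    addr = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r["index"]):
        low, high = rule["ports"]
        if (addr.version == rule["source"].version and addr in rule["source"]
                and low <= dport <= high and proto.lower() == rule["proto"]):
            return rule["index"], rule["action"]
    return None

# Constructed sample policy: management only from one admin subnet, everything else denied.
POLICY = [make_rule(1, "208.130.32.0/24", "ssh", "tcp", "permit"),
          make_rule(2, "208.130.32.0/24", "https", "tcp", "permit"),
          make_rule(3, "any", "0-1023", "tcp", "deny"),
          make_rule(4, "any", "0-1023", "udp", "deny")]
```

Because rules can only name ports 0-1023, a connection to a port above that range matches no rule here; the policy limits which services the switch exposes, not the traffic the switch itself initiates.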
Configuring Security Policies
Brocade Fabric OS Administration Guide, 8.0.1
238 53-1004111-02