Reference Guide
The FORWARD traffic type allows management of bidirectional traffic between the external management interface and the inband
management interface. In this case, the destination IP element should also be specified.
Implicit filter rules
For every IP Filter policy, the two rules listed in Table 47 are always assumed to be appended implicitly to the end of the policy. This
ensures that TCP and UDP traffic to dynamic port ranges is allowed, so that management IP traffic initiated from a switch, such as
syslog, radius and ftp, is not affected.
TABLE 47 Implicit IP Filter rules
Source address Destination port Protocol Action
Any 1024-65535 TCP Permit
Any 1024-65535 UDP Permit
Default policy rules
Switches have a default IP Filter policy for IPv4 and IPv6. The default IP Filter policy cannot be deleted or changed. When an alternative
IP Filter policy is activated, the default IP Filter policy becomes deactivated. Table 48 lists the rules of the default IP Filter policy.
TABLE 48 Default IP policy rules
Rule number Source address Destination port Protocol Action
1 Any 22 TCP Permit
2 Any 23 TCP Permit
6 Any 80 TCP Permit
3 Any 443 TCP Permit
4 Any 161 UDP Permit
10 Any 123 UDP Permit
11
4
Any 600-1023 TCP Permit
12
4
Any 600-1023 UDP Permit
IP Filter policy enforcement
An active IP Filter policy is a filter applied to the IP packets through the management interface. IPv4 management traffic passes through
the active IPv4 filter policy, and IPv6 management traffic passes through the active IPv6 filter policy. The IP Filter policy applies to the
incoming (ingress) management traffic only. When a packet arrives, it is compared against each rule, starting from the first rule. If a match
is found for the source address, destination port, and protocol, the corresponding action for this rule is taken, and the subsequent rules in
this policy are ignored. If there is no match, then it is compared to the next rule in the policy. This process continues until the incoming
packet is compared to all rules in the active policy.
If none of the rules in the policy matches the incoming packet, the two implicit rules are matched to the incoming packet. If the rules still
do not match the packet, the default action, which is to deny, is taken.
When the IPv4 or IPv6 address for the management interface of a switch is changed through the ipAddrSet command or manageability
tools, the active IP Filter policies automatically become enforced on the management IP interface with the changed IP address.
4
None of the RPC ports are configurable, even though the action shows "Permit".
Configuring Security Policies
Brocade Fabric OS Administration Guide, 8.0.1
240 53-1004111-02