3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide
ACL Configuration Commands 279
operator: Optional. Comparison operator applied to the source or destination port number. The operators and their meanings are: lt (lower than), gt (greater than), eq (equal to), neq (not equal to) and range (between). range must be followed by two port numbers; the other operators take one.
port1, port2: Optional. TCP or UDP port number, expressed as a name or as a number in the range 0 to 65535.
dscp dscp: Specifies a DSCP field, the DS byte in IP packets.
established: Matches all TCP packets with the ACK or RST flag set, that is, SYN+ACK, ACK, FIN+ACK, RST and RST+ACK packets. This option matches traffic belonging to established TCP sessions while excluding initial TCP connection requests (packets carrying only SYN).
precedence: Optional. A number ranging from 0 to 7, or a name. Packets can be filtered according to the precedence field.
tos tos: Optional. A number ranging from 0 to 15, or a name. Packets can be filtered according to the type of service field.
logging: Optional. Logs the packets that match the rule. The log contents include the sequence number of the ACL rule, whether the packets were passed or discarded, the upper layer protocol type over IP, the source/destination address, the source/destination port number, and the number of packets.
time-range time-name: Specifies that the ACL is valid in this time range.
fragment: Specifies that this rule is valid only for fragment packets that are not the first fragment.
interface interface-type interface-number: Specifies the interface associated with the packets. If no interface is specified, packets on all interfaces are matched; any also represents all interfaces.
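To make the port-operator, established and fragment semantics described above concrete, the following Python model is added here as an example; it is not the switch's own logic or CLI, and the Packet and Rule representations are assumptions made for illustration. It evaluates a rule against constructed packets and shows two points a practitioner should keep in mind: established is a stateless check on the ACK/RST flags, not connection tracking, and a fragment rule matches only non-first fragments, which carry no TCP/UDP header to compare ports against.

```python
"""Toy model of how an ACL rule applies the port operator, the 'established'
keyword and the 'fragment' keyword to a packet. Example code, not the
switch firmware; Packet and Rule are simplified, assumed representations."""
from dataclasses import dataclass
from typing import Optional, Tuple

# TCP flag bits as laid out in the TCP header flags byte.
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Packet:
    """Constructed, simplified packet view; L4 fields are None when absent."""
    protocol: str                  # "tcp", "udp", ...
    frag_offset: int = 0           # IP fragment offset; > 0 means a non-first fragment
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tcp_flags: int = 0


@dataclass
class Rule:
    """Constructed rule: one optional operator per port, plus the two keywords."""
    protocol: str
    src_op: Optional[str] = None
    src_ports: Tuple[int, ...] = ()
    dst_op: Optional[str] = None
    dst_ports: Tuple[int, ...] = ()
    established: bool = False
    fragment: bool = False


def port_matches(operator: Optional[str], ports: Tuple[int, ...], value: Optional[int]) -> bool:
    """Apply lt / gt / eq / neq / range as the command reference describes them.
    No operator means the rule does not constrain that port."""
    if operator is None:
        return True
    if value is None:              # no L4 header to compare (e.g. a non-first fragment)
        return False
    if operator == "lt":
        return value < ports[0]
    if operator == "gt":
        return value > ports[0]
    if operator == "eq":
        return value == ports[0]
    if operator == "neq":
        return value != ports[0]
    if operator == "range":        # range takes two port numbers
        lo, hi = ports
        return lo <= value <= hi
    raise ValueError(f"unknown operator {operator!r}")


def is_established(flags: int) -> bool:
    """'established' matches any TCP segment with ACK or RST set, so SYN+ACK,
    ACK, FIN+ACK, RST and RST+ACK match while a bare SYN does not. It is a
    flag test only; no session table is consulted."""
    return bool(flags & (TCP_ACK | TCP_RST))


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Return True if the packet satisfies every constraint the rule carries."""
    if rule.protocol != pkt.protocol:
        return False
    if rule.fragment and pkt.frag_offset == 0:
        return False               # 'fragment' rules apply only to non-first fragments
    if not port_matches(rule.src_op, rule.src_ports, pkt.src_port):
        return False
    if not port_matches(rule.dst_op, rule.dst_ports, pkt.dst_port):
        return False
    if rule.established and not is_established(pkt.tcp_flags):
        return False
    return True


if __name__ == "__main__":
    # Typical use: permit return traffic to client ports without permitting new sessions.
    permit_replies = Rule("tcp", dst_op="gt", dst_ports=(1023,), established=True)
    syn = Packet("tcp", src_port=80, dst_port=40000, tcp_flags=TCP_SYN)
    synack = Packet("tcp", src_port=80, dst_port=40000, tcp_flags=TCP_SYN | TCP_ACK)
    print("SYN matches:", rule_matches(permit_replies, syn))        # False
    print("SYN+ACK matches:", rule_matches(permit_replies, synack))  # True
```

Because is_established only inspects flags, an unsolicited ACK-only or RST segment also matches an established rule; the keyword narrows the rule to non-SYN traffic rather than proving a session exists. Likewise, a rule that specifies ports but not fragment never matches a non-first fragment in this model, since those fragments carry no port numbers, which is why the command reference treats fragment as a separate match condition.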
In the undo rule command:
rule-id: ID of an ACL rule; it must be the number of an existing ACL rule. If no other parameter follows the command, the ACL rule is deleted completely; otherwise, only the specified part of the rule is deleted.
source: Optional. Only the source address settings of the specified ACL rule are deleted.
destination: Optional. Only the destination address settings of the specified ACL rule are deleted.
source-port: Optional. Only the source port settings of the specified ACL rule are deleted; valid only when the protocol is TCP or UDP.