3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide

304 CHAPTER 18: FIREWALL CONFIGURATION COMMANDS
Example
# Configure the high threshold for fragment packet inspection to 3000 and
configure the low threshold to the default value.
[SecBlade_FW] firewall packet-filter fragments-inspect high 3000
[SecBlade_FW] firewall packet-filter fragments-inspect low default
firewall packet-filter
Syntax
firewall packet-filter acl-number { inbound | outbound } [ match-fragments { normally | exactly } ]
undo firewall packet-filter acl-number { inbound | outbound }
View
Interface view
Parameter
acl-number: Serial number of access control list rule.
inbound: Filters the packet received on the interface.
outbound: Filters the packet sent on the interface.
match-fragments: Specify the matching mode of fragments. This parameter can
only be applied to advanced ACLs.
Packet filtering on the Comware platform can filter fragment packets: it matches and
filters all fragments at layer 3 (the IP layer) by source IP address, destination IP
address and so on. For advanced ACL rules that contain extended information such as
TCP/UDP port numbers and ICMP types, it also provides standard matching and exact
matching. Standard matching checks only layer-3 information; information that is not
at layer 3 is ignored. Exact matching matches packets against all the conditions of the
advanced ACL rules. To do this, the firewall must store the state of the first fragment
so that the complete matching information is available for the fragments that follow
it. Standard matching is the default.
normally: Normal matching mode, the default mode. This parameter is only
available for the advanced ACLs.
exactly: Exact matching mode. This parameter is only available for the advanced
ACLs.
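To make the difference between the two modes concrete, here is an added illustrative model in Python (not the firewall module's code): an advanced rule with a layer-4 condition, a first fragment carrying the port and a later fragment carrying none, matched once in standard mode and once in exact mode. The rule set, addresses, fragment fields and the deny-by-default fallback are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ip_id: int                   # IP identification, shared by all fragments of a datagram
    offset: int                  # fragment offset; 0 marks the first fragment
    dport: Optional[int] = None  # layer-4 port, carried only by the first fragment

@dataclass(frozen=True)
class AdvancedRule:
    action: str                  # 'permit' or 'deny'
    src: str                     # IP address or 'any' (layer-3 condition)
    dst: str
    dport: Optional[int] = None  # layer-4 condition; None means any port

def l3_matches(rule, frag):
    return rule.src in ('any', frag.src) and rule.dst in ('any', frag.dst)

def match_normally(rules, frag):
    """Standard mode: a non-first fragment is matched on layer-3 fields only,
    so the rule's layer-4 condition is ignored for it."""
    for rule in rules:
        if not l3_matches(rule, frag):
            continue
        if frag.offset != 0 or rule.dport in (None, frag.dport):
            return rule.action
    return 'deny'  # assumed: no matching rule means the packet is dropped

class ExactMatcher:
    """Exact mode: the layer-4 info of the first fragment is stored per datagram
    (src, dst, id) so later fragments are matched against the whole rule."""
    def __init__(self, rules):
        self.rules, self.state = rules, {}

    def match(self, frag):
        key = (frag.src, frag.dst, frag.ip_id)
        if frag.offset == 0:
            self.state[key] = frag.dport
        dport = self.state.get(key)  # None if the first fragment was never seen
        for rule in self.rules:
            if l3_matches(rule, frag) and rule.dport in (None, dport):
                return rule.action
        return 'deny'

# Constructed sample: permit only HTTP to the server, deny everything else.
RULES = [AdvancedRule('permit', 'any', '192.0.2.10', dport=80),
         AdvancedRule('deny', 'any', 'any')]
# Constructed fragments of one telnet datagram (dport 23) with IP id 4711.
FIRST = Fragment('198.51.100.7', '192.0.2.10', 4711, offset=0, dport=23)
LATER = Fragment('198.51.100.7', '192.0.2.10', 4711, offset=1480)

def compare_modes():
    """Returns (standard-mode results, exact-mode results) for FIRST then LATER."""
    exact = ExactMatcher(RULES)
    return ([match_normally(RULES, f) for f in (FIRST, LATER)],
            [exact.match(f) for f in (FIRST, LATER)])
```

In standard mode the later fragment is permitted on layer-3 information alone even though the first fragment was denied; in exact mode the stored first-fragment state keeps both decisions consistent.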
Description
Use the firewall packet-filter command to apply the access control list to the
corresponding interface.
Use the undo firewall packet-filter command to delete the corresponding
setting.
An interface-based ACL (that is, an ACL with a number from 1000 to 1999) can only be
applied with the outbound parameter.