3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide

Packet filtering on the Comware platform can filter fragmented packets. It matches
and filters all fragments at the third layer (IP layer) by source IP address,
destination IP address, and so on. It also provides standard matching and exact
matching for advanced ACL rules that contain extended information such as the
TCP/UDP port number and the ICMP type. Standard matching matches information of
the third layer; information that is not of the third layer is ignored. Exact
matching matches packets according to all advanced ACL rules. To do this, the
firewall must be able to store the state of the first fragment so that the whole
matching information is available for the fragments that follow it. If exact
matching is used, make sure you disable the fast forwarding function by using the
undo ip fast-forwarding command on the corresponding interface.
Standard matching is the default.
Related commands: acl, display acl, and firewall packet-filter
fragments-inspect.
Example
# Apply ACL 3001 to the GigabitEthernet0/0.2 interface to filter the packets sent
on the interface.
[SecBlade_FW-GigabitEthernet0/0.2] firewall packet-filter 3001 outbound
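
The difference between standard and exact matching described above can be seen in a small model. This is an added example, not code from the guide or from Comware; the class and function names, addresses, ports and IP IDs are constructed, and the handling of a later fragment whose first fragment was never seen is an assumption.

```python
# Simplified model of the two fragment-matching modes; not Comware code.
# Addresses, ports and IP IDs are constructed sample values.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:                    # advanced ACL rule: layer-3 fields plus a port
    src: str
    dst: str
    proto: str
    dst_port: int

@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: str
    ip_id: int                 # same value in every fragment of one datagram
    offset: int                # 0 = first fragment
    dst_port: Optional[int]    # only the first fragment carries the L4 header

def l3_match(rule, frag):
    return (rule.src, rule.dst, rule.proto) == (frag.src, frag.dst, frag.proto)

def standard_match(rule, frag):
    """Layer-3 information only; the port in the rule is ignored."""
    return l3_match(rule, frag)

class ExactMatcher:
    """Stores the first fragment's port, keyed by datagram, for later fragments."""
    def __init__(self):
        self.first_seen = {}

    def match(self, rule, frag):
        key = (frag.src, frag.dst, frag.proto, frag.ip_id)
        if frag.offset == 0:
            self.first_seen[key] = frag.dst_port
        # Assumption: a later fragment with no stored first fragment does not match.
        return l3_match(rule, frag) and self.first_seen.get(key) == rule.dst_port

RULE = Rule("10.1.1.1", "10.2.2.2", "tcp", 23)   # rule written for port 23
WEB = [Fragment("10.1.1.1", "10.2.2.2", "tcp", 100, 0, 80),     # port-80 datagram
       Fragment("10.1.1.1", "10.2.2.2", "tcp", 100, 185, None)]

def compare(frags, rule=RULE):
    """Return (standard, exact) match results for each fragment in order."""
    exact = ExactMatcher()
    return [(standard_match(rule, f), exact.match(rule, f)) for f in frags]
```

For the port-80 datagram, standard matching hits the port-23 rule on both fragments because only the addresses and protocol are compared, while exact matching hits on neither.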
reset firewall packet-filter statistics
Syntax
reset firewall packet-filter statistics { all | interface type number }
View
User view
Parameter
all: Clears the filtering packet statistics of all the interfaces.
interface: Clears the filtering packet statistics of a certain interface.
type number: Specifies an interface by its type and number.
Description
Use the reset firewall packet-filter statistics command to clear the firewall
statistics.
Example
# Clear filtering packet statistics of the interface GigabitEthernet0/0.2.
<SecBlade_FW> reset firewall packet-filter statistics interface GigabitEthernet0/0.2
ASPF Configuration Commands
aging-time
Syntax
aging-time { syn | fin | tcp | udp } seconds