3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide
74 CHAPTER 5: ACL CONFIGURATION
sour-addr represents the source MAC address of a data frame in the format xxxx-xxxx-xxxx. sour-mask represents the wildcard of the source MAC address. dest-addr represents the destination MAC address in the format xxxx-xxxx-xxxx. dest-mask represents the wildcard of the destination MAC address.
The following command can be used to delete a MAC-based ACL rule:
undo rule rule-id [ time-range time-name ] [ logging ]
The parameters are described as follows:
rule-id: number of the ACL rule to delete; the rule must already exist.
ACL Supporting Fragment
Traditional packet filtering does not process all IP packet fragments. It performs matching only on the first fragment and lets all follow-up fragments through unchecked. This leaves a latent security weakness: an attacker can construct follow-up fragments that pass the filter and use them to carry out traffic attacks.
The packet filtering of the 3Com security gateway provides a fragment filtering function: it performs Layer 3 (IP layer) matching and filtering on all fragments, and for ACL rule entries that contain advanced information (such as a TCP/UDP port number or an ICMP type) it offers two kinds of matching, normal matching and exact matching. Normal matching matches only the Layer 3 information and ignores the non-Layer 3 information. Exact matching matches every field of the ACL entry; this requires the firewall to record the state of the first fragment so that it has complete matching information for the follow-up fragments. If exact matching is used, make sure you disable fast forwarding with the undo ip fast-forwarding command on the corresponding interface. The default mode is normal matching.
The keyword fragment in an ACL rule entry marks the rule as valid only for non-first fragments; for non-fragmented packets and first fragments, the rule is ignored. A rule entry without this keyword is valid for all packets.
For example:
[3Com-acl-basic-2000] rule deny source 202.101.1.0 0.0.0.255 fragment
[3Com-acl-basic-2000] rule permit source 202.101.2.0 0.0.0.255
[3Com-acl-adv-3001] rule permit ip destination 171.16.23.1 0 fragment
[3Com-acl-adv-3001] rule deny ip destination 171.16.23.2 0
In the rule entries above, all entries are valid for non-first fragments. The first and third entries, which carry the fragment keyword, are ignored for non-fragmented packets and first fragments and are valid only for non-first fragments.
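To make the fragment semantics concrete, the following Python model is an added example, not code from the 3Com guide or the product. It reproduces the basic ACL 2000 entries above and an advanced rule carrying a port number, and shows how a rule with the fragment keyword is skipped for non-fragments and first fragments, and how a follow-up fragment (which carries no L4 header) is judged under normal matching versus exact matching. Assumptions, beyond what the guide states: rules are evaluated in configured order with first match wins, an unmatched packet is permitted, and the addresses 10.0.0.1 and 192.0.2.10 and the fragment offsets are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    """Constructed packet summary: only the fields the ACL model looks at."""
    src: str
    dst: str
    ip_id: int                    # IP Identification, shared by all fragments of one datagram
    frag_offset: int = 0          # 0 for unfragmented packets and for first fragments
    more_fragments: bool = False  # MF flag
    dport: Optional[int] = None   # L4 port, present only in the fragment carrying the L4 header

    @property
    def is_first_fragment(self) -> bool:
        return self.frag_offset == 0 and self.more_fragments

    @property
    def is_non_first_fragment(self) -> bool:
        return self.frag_offset > 0


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: Optional[str] = None    # source network in CIDR form; None means any
    dst: Optional[str] = None    # destination network in CIDR form; None means any
    dport: Optional[int] = None  # advanced (non-Layer 3) information, e.g. a TCP/UDP port
    fragment: bool = False       # the "fragment" keyword: rule applies only to non-first fragments


def l3_match(rule: Rule, pkt: Packet) -> bool:
    """Layer 3 part of the match: source and destination address only."""
    if rule.src is not None and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dst is not None and ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    return True


class FragmentAwareAcl:
    """Rules are evaluated in configured order, first match wins (assumption of this model)."""

    def __init__(self, rules, exact: bool = False):
        self.rules = list(rules)
        self.exact = exact
        self._first_frag_ports = {}  # (src, dst, ip_id) -> dport recorded from the first fragment

    def lookup(self, pkt: Packet) -> str:
        # Exact matching records the first fragment's L4 information so that
        # follow-up fragments of the same datagram can be matched completely.
        if self.exact and pkt.is_first_fragment:
            self._first_frag_ports[(pkt.src, pkt.dst, pkt.ip_id)] = pkt.dport
        for rule in self.rules:
            # A "fragment" rule is omitted for non-fragments and first fragments.
            if rule.fragment and not pkt.is_non_first_fragment:
                continue
            if not l3_match(rule, pkt):
                continue
            if rule.dport is not None:
                if pkt.is_non_first_fragment:
                    if self.exact:
                        learned = self._first_frag_ports.get((pkt.src, pkt.dst, pkt.ip_id))
                        if learned != rule.dport:
                            continue
                    # Normal matching: non-Layer 3 information is omitted for non-first
                    # fragments, so the rule matches on addresses alone.
                elif pkt.dport != rule.dport:
                    continue
            return rule.action
        return "permit"  # assumed default when no rule matches (model simplification)


def demo_fragment_keyword() -> dict:
    """Basic ACL 2000 from the guide: the deny rule carries the fragment keyword."""
    acl = FragmentAwareAcl([Rule("deny", src="202.101.1.0/24", fragment=True),
                            Rule("permit", src="202.101.2.0/24")])
    host = "202.101.1.7"  # constructed source inside 202.101.1.0/24
    return {
        "unfragmented": acl.lookup(Packet(host, "10.0.0.1", ip_id=1)),
        "first_fragment": acl.lookup(Packet(host, "10.0.0.1", ip_id=2, more_fragments=True)),
        "non_first_fragment": acl.lookup(Packet(host, "10.0.0.1", ip_id=2, frag_offset=185)),
    }


def demo_normal_vs_exact() -> dict:
    """Advanced rule with a port: how a follow-up fragment is judged in each matching mode."""
    rules = [Rule("deny", dst="171.16.23.2/32", dport=80), Rule("permit")]
    out = {}
    for mode, exact in (("normal", False), ("exact", True)):
        acl = FragmentAwareAcl(rules, exact=exact)
        # Constructed datagram to port 22 (not 80), split into a first and a follow-up fragment.
        acl.lookup(Packet("192.0.2.10", "171.16.23.2", ip_id=77, more_fragments=True, dport=22))
        out[mode] = acl.lookup(Packet("192.0.2.10", "171.16.23.2", ip_id=77, frag_offset=185))
    return out


if __name__ == "__main__":
    print(demo_fragment_keyword())
    print(demo_normal_vs_exact())
```

The second demo shows why the guide treats exact matching as the stricter mode: under normal matching the follow-up fragment of a port-22 datagram is denied purely on its addresses, because the port information it would need is not in that fragment, whereas exact matching recalls the port recorded from the first fragment and lets the fragment through. Exact matching only works if every fragment passes the firewall, which is why the guide requires fast forwarding to be disabled on the interface.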
Configuring an ACL
ACL configuration includes:
■ Configure a basic ACL
■ Configure an advanced ACL
■ Configure an interface-based ACL
■ Configure a MAC-based ACL