3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide
98 CHAPTER 7: FIREWALL CONFIGURATION
Setting the Default Filtering Mode of Firewall
The default filtering mode of the firewall determines whether a user packet
is permitted or denied when no rule applies to it.
Perform the following configuration in system view.
When the firewall is enabled, packets are denied.
Enabling Packet Filtering Firewall Fragment Detection Switch
Perform the following configuration in system view.
Note: Exact matching mode takes effect only after the fragment detection switch
is enabled.
Configuring Upper/Lower Threshold of Fragment Inspection
Perform the following configuration in system view.
The default number of upper threshold fragment state records is 2000. The
default number of lower threshold fragment state records is 1500.
Applying ACL on the Interface
When an access rule is applied on an interface, the time range filtering
principle is followed as well. Access rules can be specified separately for
packets transmitted and packets received on the interface.
Perform the following configuration in interface view.
Table 85 Set the default filtering mode of firewall
Operation                                                        Command
Set the default filtering mode as permitting the packet to pass  firewall packet-filter default permit
Set the default filtering mode as denying the packet to pass     firewall packet-filter default deny
Table 86 Enable fragment detection switch
Operation                          Command
Enable fragment detection switch   firewall packet-filter fragments-inspect
Disable fragment detection switch  undo firewall packet-filter fragments-inspect
Table 87 Configure upper/lower threshold of fragment inspection
Operation                                                                  Command
Specify number of upper/lower threshold fragment state records             firewall packet-filter fragments-inspect { high | low } { default | number }
Restore the default number of upper/lower threshold fragment state records undo firewall packet-filter fragments-inspect { high | low }
Table 88 Apply ACL on the interface
Operation                                                                         Command
Specify the rule of filtering transmitting and receiving packets in the interface firewall packet-filter acl-number { inbound | outbound } [ match-fragments { normally | exactly } ]
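
The following Python check is an added example, not part of the 3Com guide. It reads a listing of the commands from Tables 85 to 88 and flags the two conditions the text describes: a default mode that permits unmatched packets, and match-fragments exactly applied while the fragment detection switch is off. The interface line format, the ACL numbers, and the rule that only the plain enable command turns detection on are assumptions.

```python
import re

# Constructed sample listing using the command syntax from Tables 85-88.
# "interface example-if-1" and ACL numbers 3001/3002 are placeholders.
SAMPLE = """\
firewall packet-filter default permit
firewall packet-filter fragments-inspect high 3000
interface example-if-1
 firewall packet-filter 3001 inbound match-fragments exactly
 firewall packet-filter 3002 outbound
"""

DEFAULTS = {"high": 2000, "low": 1500}  # default thresholds stated in the guide
MODE = re.compile(r"firewall packet-filter default (permit|deny)$")
THRESH = re.compile(r"(undo )?firewall packet-filter fragments-inspect "
                    r"(high|low)(?: (default|\d+))?$")
APPLY = re.compile(r"firewall packet-filter (\d+) (inbound|outbound)"
                   r"(?: match-fragments (normally|exactly))?$")

def audit(config):
    """Return (state, findings) for a listing of entered firewall commands."""
    state = {"default": None, "inspect": False, **DEFAULTS}
    exact, iface, findings = [], None, []
    for raw in config.splitlines():
        line = " ".join(raw.split())  # normalise indentation and spacing
        if line.startswith("interface "):  # assumed interface-view marker
            iface = line.split(" ", 1)[1]
        elif m := MODE.match(line):
            state["default"] = m[1]
        elif line == "firewall packet-filter fragments-inspect":
            state["inspect"] = True
        elif line == "undo firewall packet-filter fragments-inspect":
            state["inspect"] = False
        elif m := THRESH.match(line):
            undo, which, val = m.groups()
            use_default = undo or val in (None, "default")
            state[which] = DEFAULTS[which] if use_default else int(val)
        elif (m := APPLY.match(line)) and m[3] == "exactly":
            exact.append((iface, m[1], m[2]))
    if state["default"] == "permit":
        findings.append("default filtering mode permits packets that match no rule")
    if not state["inspect"]:  # exact matching is only valid with detection on
        findings += [f"{i}: ACL {a} {d} uses match-fragments exactly but "
                     "fragment detection is disabled" for i, a, d in exact]
    return state, findings

if __name__ == "__main__":
    for finding in audit(SAMPLE)[1]:
        print(finding)
```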