3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide
Configuring Packet Filter Firewall 99
You can only use the parameter outbound for interface-based ACL (ACL 1000 to
1999).
An advanced ACL can perform standard matching and exact matching. Standard
matching matches Layer 3 information only, whereas exact matching matches
against all the items in the rules of the advanced ACL. For exact matching,
therefore, the firewall must obtain and keep the state information of the first
fragment so that it has complete matching information for the fragments that
follow.
If exact matching is used, make sure you disable the fast forwarding function by
using the undo ip fast-forwarding command on the corresponding interface.
The standard matching is used by default.
The match-fragments keyword can be applied to advanced ACLs only.
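
The following Python sketch is an added illustration, not code from the 3Com guide. It is a simplified model of why exact matching needs the first fragment's state; the rule, addresses and names are constructed, and the model assumes standard matching compares only Layer 3 fields for non-first fragments.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    ip_id: int                   # IP Identification, shared by all fragments of a datagram
    frag_offset: int             # 0 for the first fragment
    dport: Optional[int] = None  # Layer 4 header is present in the first fragment only

# Constructed advanced-ACL-style rule: deny tcp to 10.0.0.5 port 23
RULE = {"proto": "tcp", "dst": "10.0.0.5", "dport": 23}

class FragmentMatcher:
    def __init__(self, rule, exact):
        self.rule, self.exact = rule, exact
        self.first_seen = {}     # datagram key -> dport learned from the first fragment

    def matches(self, pkt):
        if pkt.proto != self.rule["proto"] or pkt.dst != self.rule["dst"]:
            return False         # Layer 3 items already differ
        key = (pkt.src, pkt.dst, pkt.proto, pkt.ip_id)
        if pkt.frag_offset == 0:
            if self.exact:
                # Keep state so later fragments can be matched on the port too.
                # A real firewall would also age these entries out.
                self.first_seen[key] = pkt.dport
            return pkt.dport == self.rule["dport"]
        if not self.exact:
            return True          # standard: later fragments compared on Layer 3 only
        # exact: a later fragment inherits the port of its first fragment;
        # with no recorded state the port item cannot be confirmed.
        return self.first_seen.get(key) == self.rule["dport"]

# Constructed traffic: a fragmented web datagram and a fragmented telnet datagram
SAMPLE = [
    Packet("192.0.2.1", "10.0.0.5", "tcp", 100, 0, dport=80),
    Packet("192.0.2.1", "10.0.0.5", "tcp", 100, 185),
    Packet("192.0.2.1", "10.0.0.5", "tcp", 200, 0, dport=23),
    Packet("192.0.2.1", "10.0.0.5", "tcp", 200, 185),
]

def run(exact):
    matcher = FragmentMatcher(RULE, exact)
    return [matcher.matches(p) for p in SAMPLE]

if __name__ == "__main__":
    print("standard:", run(False))
    print("exact:   ", run(True))
```

In standard mode the second fragment of the port 80 datagram matches the port 23 rule because only Layer 3 fields are compared; in exact mode it does not.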
To apply MAC address-based ACLs to interfaces, you must set the firewall in
transparent mode. Otherwise, the system prompts the information "Please firstly
active the Transparent mode!". See "Transparent Firewall" for more information
about Transparent Firewall.
Displaying and Debugging Packet Filtering Firewall
After completing the above configuration, execute the display commands in any
view to display the running state of the packet filtering firewall and to verify
the effect of the configuration.
Execute the debugging commands in user view to debug the packet filtering firewall.
Table 88 Apply ACL on the interface

Operation: Remove the rule of filtering transmitting and receiving packets in the interface
Command: undo firewall packet-filter acl-number { inbound | outbound }

Table 89 Display and debug firewall

Operation: Display statistics about firewall of the interface
Command: display firewall packet-filter statistics { all | interface type number | fragments-inspect }

Operation: Display the fragments on the firewall
Command: display firewall fragment

Operation: Enable firewall packet filtering debugging (in user view)
Command: debugging firewall packet-filter { all | denied | permitted | icmp | packet { permitted | denied } | tcp | udp | fragments-inspect | others } [ interface type number ]

Operation: Disable firewall packet filtering debugging (in user view)
Command: undo debugging firewall packet-filter { all | denied | permitted | icmp | packet { permitted | denied } | tcp | udp | fragments-inspect | others } [ interface type number ]

Operation: Clear firewall packet filtering statistics
Command: reset firewall packet-filter statistics { all | interface type number }