
Using IP Filters


This document describes IP profiles and static filters and how to set them up. It also provides information on entering filter commands. For information on dynamic filters, see Using Dynamic IP Filters. This document includes the following sections:

Introducing IP Filters

Entering IP Filtering Commands

Configuring IP Filters

IP Filter Commands

Introducing IP Filters

IP filters start by blocking all traffic. You then create a collection of filters to allow traffic based on your organization's security policy. You can allow access to specific internal network resources, and you can also allow internal clients to access services outside your corporate network.

Once you set up your filters, you can test and troubleshoot them using Event Logging System (ELS) messages. You can also set up filters to generate ELS messages.

Profile Overview

A profile implements a policy that controls access to your network. You can set up profiles to provide access to specific resources in a private network for a user or group of users. You can also set up profiles that let users inside your private network have access to public networks, while keeping your private network secure.

Once you set up a profile, you associate the profile with an interface. The interface consults the filters in its associated profiles on each incoming and outgoing packet.

Filter Overview

A profile contains a collection of filters. A filter includes pattern matchers that determine which packets the filter recognizes, as well as actions the filter takes when it recognizes a packet. A filter can pass, block, ignore the packet, or generate an ELS event.

Table 18 describes the pattern matching properties:

Table 18 Pattern Matchers

Property Description
Direction Sets the direction of the filter on the interface. You can filter inbound packets, outbound packets, or set up one filter to cover both inbound and outbound packets.

Packet Type Filters with the protocol set to TCP or ICMP can specify the packet type, which allows matching a specific type of packet, for example, a TCP Syn (connect request).

Protocol Allows matching a specific protocol.

Source and Destination Address Matches IP addresses and masks. You can

  • Add multiple source and destination addresses, making it possible, for example, to create a single filter to pass packets destined for HostA, HostC, and HostX.

  • Add a range of source or destination addresses, allowing you to create a filter for a subnet or for a group of hosts within a range of addresses.

Source and Destination Port Filters with the protocol set to TCP or UDP can include source and destination ports. You can

  • Add multiple source and destination ports. For example, you can create a single filter that passes FTP, Telnet, and HTTP traffic. Combined with the list of addresses, you can create a filter that passes FTP, Telnet, and HTTP to HostA, HostC, or HostX.

Entering IP Filtering Commands

IP Filtering Prompts

IP filtering commands are available at the IP Filters Config> prompt and the IP Filters> prompt. This section explains the differences between these two prompts.

At the IP Filters Config> prompt, changes that you make to the filter configuration are saved in the router's configuration memory. These changes do not take effect until you restart the router.

Display the IP Filters Config> prompt as follows:

*config

Config>protocol ip
Internet protocol user configuration

IP config>filters

IP Filters Config>

At the IP Filters> prompt, changes that you make to the filter configuration take effect immediately. Unless you explicitly save your changes using the save command, they are not saved when you restart the router.

Display the IP Filters> prompt as follows:

*monitor

Monitor>protocol ip

IP>filters

IP Filters>

Entering Profile and Filter Names

Use the following rules as you enter profile and filter names:

Configuring IP Filters

This section shows the basic steps to create an IP filter. For more information on each command, see IP Filter Commands.

1. Display either the IP Filters Config> prompt or the IP Filters> prompt as described in IP Filtering Prompts. This example uses the IP Filters Config> prompt.

2. Create a profile.

IP Filters Config>add profile firewall

3. Attach the profile to an interface.

IP Filters Config>set interface 1 profile=firewall

Note: Attaching empty profiles to an interface blocks all activity until you add filters that allow specific traffic.

4. To reduce keystrokes, use the scope command. This command causes all subsequent commands to apply to the profile on which you are working.

IP Filters Config>scope firewall
IP Filters Config firewall>

5. Add a filter to the profile and set properties.

IP Filters Config firewall>add filter webout dir=out source=128.185.0.2

6. While you are building a filter, you can list it to see its current properties.

IP Filters Config firewall>list filter webout

Listing Filters
Name Dir Address Port Protocol Action
-----------------------------------------------------------------------
webout Out sa=128.185.0.2 Any Pass

7. Using the set filter command, you can change or add to a filter's properties, as needed.

IP Filters Config firewall>set filter webout sport=HTTP
IP Filters Config firewall>list filter webout

Listing Filters
Name Dir Address Port Protocol Action
-----------------------------------------------------------------------
webout Out sa=128.185.0.2 sp=HTTP(80) TCP Pass

8. If you scoped a profile or filter, use unscope to return to the IP filtering prompt.

IP Filters Config firewall>unscope
IP Filters Config>

9. If you set up the filters at the configuration prompt, restart the router for your configuration to take effect.

IP Filters Config>exit
IP config>exit
Config> CTRL P
*restart

If you set up the filters at the monitoring prompt, the filters take effect immediately. Use the save command to make the changes permanent.

IP Filters>save

IP Filter Commands

Table 19 describes the filter commands. See Entering IP Filtering Commands for instructions on entering profile and filter names.

Press SPACE twice after you type a command to display the available options for each command.

[C] means the command is available at the IP Filters Config> prompt.

[M] means the command is available at the IP Filters> prompt.

Table 19 IP Filter Commands

Command Function
Add Filter [C] [M] Creates a new filter.

Add Profile [C] [M] Creates a new profile.

Delete Filter [C] [M] Removes the specified filter from the configuration.

Delete Profile [C] [M] Removes the specified profile from the configuration.

List Attached [C] [M] Displays the profiles that are attached to each interface or to a specific interface.

List Filter [C] [M] Displays filters and their properties. You can display all filters or all filters in a specific profile.

List Interface [C] [M] Displays the profiles that are attached to each interface followed by a list of filters attached to each interface. Also displays profiles and filters attached to a specific interface.

List Profile [C] [M] Displays a list of profiles.

Rename Filter [C] [M] Changes the name of a filter.

Rename Profile [C] [M] Changes the name of a profile.

Revert [M] Restores current configuration from permanent memory.

Save [M] Saves current (running) configuration to permanent memory.

Scope [C] [M] Applies subsequent commands to the specified profile, eliminating the need to retype the profile name when you are working on a filter.

Set Filter [C] [M] Changes or adds to the parameters of a filter. Uses the same options as add filter.

Set Interface [C] [M] Attaches profiles to an interface or detaches profiles from an interface.

Unscope [C] [M] Reverts the scope to the IP filtering prompt.

Exit [C] [M] Returns to the previous prompt.

Add Filter [C] [M]

Creates a new filter and lets you assign properties to the filter. You can change or add to these properties later using the set filter command. The add filter and set filter commands use the same options.

You can add one or more filters to a profile. See Entering Profile and Filter Names for instructions on entering profile and filter names.

Add filters by entering the profile name followed by the name of the new filter. Use periods to separate the profile and filter names. You can also use the scope command to add filters without retyping the profile name.

Syntax: add filter profilename.filtername

Example: add filter External.client

Example: add filter tftp.out

Use the following filter options with either the add filter command or the set filter command. You can enter the options in almost any order, with some exceptions. For example, you cannot specify the packet type until the software identifies the protocol. These requirements are noted where relevant. Several options that apply specifically to the Diffserv feature are isdscp, dscp, isprec, and prec, which are described in Using TOS/DiffServe Quality of Service (QOS) Policies.

action

Defines the action that the filter takes when it recognizes a packet. The default is pass. Because a new filter also matches any address, port, and protocol until you restrict it, a filter added with no other options passes all traffic in its direction. At the IP Filters> prompt, where changes take effect immediately, add the address, port, and protocol restrictions before you rely on the profile.

Syntax: action=pass
block
ignore

Example: add filter tftp.client action=block
Entry Description
pass Forwards the packet and does not compare the packet to any other filters.

block Drops the packet and does not compare the packet to any other filters.

ignore Does not make a decision about passing or blocking the packet. The software continues to compare the packet to other filters in the profile. This option is useful for filters that generate ELS messages.

after

Specifies the position of the filter within the profile. You can place the filter after a specific filter in the list or at the end of the list.

As the default, the software adds new filters to the end of the list.

Syntax: after=filtername
*
Entry Description
filtername Places the filter after this filter.

* Places the filter at the end of the list.

The following example results in the list client1, client4, client3, client2:

Example: add profile external
scope external
add filter client1
add filter client2
add filter client3
add filter client4 after=client1
set filter client2 after=*
list filter

Listing Filters
Name Dir Address Port Protocol Action
---------------------------------------------------------------------------
client1 In Any Pass
client4 In Any Pass
client3 In Any Pass
client2 In Any Pass

before

Specifies the position of the filter within the profile. You can place the filter before a specific filter in the list or at the beginning of the list.

As the default, the software adds new filters to the end of the list.

Syntax: before=filtername
*
Entry Description
filtername Places the filter before this filter.

* Places the filter at the beginning of the list.

The following example results in the list client4, client1, client3, client2:

Example: add profile firewall
scope firewall
add filter client1
add filter client2
add filter client3
add filter client4 before=*
set filter client3 before=client2
list filter

Listing Filters
Name Dir Address Port Protocol Action
---------------------------------------------------------------------------
client4 In Any Pass
client1 In Any Pass
client3 In Any Pass
client2 In Any Pass

destination or da or dst

Replaces, adds, or removes one or more destination addresses.

You can specify one address, a range of addresses, or a list of addresses. If you do not specify a mask, the software uses a default mask.

You can configure a single filter to screen packets sent to multiple destinations. For example, you can set up a filter to pass packets destined for HostA, HostC, and HostX.
Enter . . . To . . .
destination= Replace existing destination addresses.

destination+= Add one or more destination addresses.

destination-= Remove one or more destination addresses.

Syntax: destination= ipaddress
ipaddress&mask
ipaddress-ipaddress
ipaddress-ipaddress&mask
list
Entry Description
ipaddress One address with a default mask of 255.255.255.255.

ipaddress&mask One address and a mask.

ipaddress-ipaddress A range of addresses with a default mask of 255.255.255.255.

ipaddress-ipaddress&mask A range of addresses and a mask.

list Any of the above in a comma-separated list. For example:

128.185.50.0,128.185.55.0,128.185.27.2

Example: add filter External_Client.out dest=128.185.22.0-128.185.25.0&255.255.255.0

direction or dir

Specifies the direction of the traffic to which the filter applies. The default is in.

When you have complementary filters, you can set up one filter that applies to both incoming and outgoing packets. Two filters are complementary if they are identical except that one applies to inbound packets and the other to outbound packets, and the source and destination addresses and ports, if any, of the inbound filter appear reversed in the outbound filter.

Keep the following in mind when you create a filter to work in both directions:

For example, the following filter allows ICMP echo replies in to network 162.1.0.0 and echo requests out from network 162.1.0.0. Users on network 162.1.0.0 can therefore run Ping to addresses outside the firewall, but users outside the firewall cannot run Ping in to network 162.1.0.0, because the inbound half of the filter matches only echo replies.

IP Filters Config>add filter allow.ping dir=both destination=162.1.0.0&255.255.0.0 protocol=icmp ptype=echo reply

The options as entered describe the inbound half of the filter. When the software compares this filter to outgoing packets, it looks for a source address of 162.1.0.0&255.255.0.0 and a packet type of echo request. After you add a both-direction filter, use list filter to confirm both halves: the listing marks the inbound view of direction-dependent properties with an "i" prefix (isa, ida, isp, idp).

Syntax: direction= in
out
both
Entry Description
in Inbound traffic.

out Outbound traffic.

both Both inbound and outbound traffic.

Example: add filter Internal.Response direction=in

dport or dp

Replaces, adds, or deletes one or more destination ports for the filter to recognize. You can set ports only for TCP and UDP protocols. You cannot mix TCP and UDP ports in the same filter.

To specify a port, enter the port name or port number. The software recognizes certain well-known ports that you can enter by their name. Enter dport= ? to see a list of well-known port names.

If you enter a

Enter . . . To . . .
dport= Replace existing destination ports.

dport+= Add one or more destination ports.

dport-= Remove one or more destination ports.

Syntax: dport=name
number
number-number
list
transient
Entry Description
name The name of a well-known port.

number One port number.

number-number A range of port numbers.

list A list of port names, numbers, or ranges of port numbers in a comma-separated list.

transient A port number that is temporarily assigned to a client application. Some protocols, such as FTP and TFTP, use transient ports to establish connections between a client and a server.

The following examples show how to enter destination ports using well-known port names or numbers. All examples have the same result. Remember, if you enter only port numbers, you need to identify the protocol first.

Example: add filter internal.client dport=ftp,telnet,smtp

Example: add filter internal.client dport=ftp,23,25

Example: add filter internal.client protocol=tcp dport=20-21,23,25

elsevent or els

Causes the filter to generate an ELS event when it recognizes a packet. Use this option to log specific network activity and to test filters to see if they are working as you expected. You can customize ten ELS event types (1-10) for IP filters. You can assign an ELS event number to more than one filter.

The elstext option, described below, lets you add text that appears with the ELS message.

Syntax: elsevent= 1 through 10
on
off
Entry Description
1 through 10 Assigns a number to the ELS event. When you display these events, they correspond to ELS messages FLT.11 through FLT.20. You can assign an ELS event number to more than one filter.

on Turns on the custom ELS events for this filter.

off Turns off the custom ELS events for this filter. Setting elsevent to 0 also turns off the custom ELS events.

Example: add filter external.in elsevent=8

elstext

When you set up a filter to generate an ELS message, you can include text to describe the event.

You can use the following variables in the text. When the software generates an ELS message, it substitutes the variable with the actual information. Additional variables that support the Diffserv feature are described in New and Modified IP Filter Commands.
%a Source Address
%A Destination Address
%p Source Port
%P Destination Port
%d Direction
%r Protocol
%t Packet Type

Be sure to put double quotation marks around the text.

Syntax: elstext="text"

Example: add filter external.in elsevent=8 elstext="packet from %a going to %A blocked"

When this filter recognizes a packet, it generates a message similar to this:

FLT.018 IPDF-8 packet from 128.185.22.2 going to 162.1.1.8 blocked
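
The matching rules set out under Filter Overview, action, direction, and elsevent/elstext can be tried offline with the following Python model, written for this page. It is an added example, not Nx Networks code and not what runs on the router. It assumes a small port-name table (the router's own list comes from dport=?), a transient range of 1024-65535, that a mask is applied to both the packet address and the configured address or range, and that only the ICMP echo pair is exchanged for the outbound half of a direction=both filter. The profile and addresses are constructed for the example from the figures on this page.

```python
"""Offline model of the filter-matching rules this page describes; an added
example, not Nx Networks router code. Assumptions are marked in comments."""
import ipaddress
from collections import namedtuple

# Assumed name->port table (the router lists its own with dport=?); "ftp" is
# 20-21 because the page says dport=ftp,23,25 and dport=20-21,23,25 agree.
PORT_NAMES = {"ftp": (20, 21), "telnet": (23, 23), "smtp": (25, 25),
              "http": (80, 80), "transient": (1024, 65535)}  # range assumed
# Packet types exchanged for the outbound half of a direction=both filter;
# the page states only the ICMP echo pair, so other types stay unchanged.
COMPLEMENT_PTYPE = {"echo reply": "echo request", "echo request": "echo reply"}

# Filter options with the page's defaults: direction in, action pass, any
# protocol/packet type, no address or port restriction, ELS off (0).
Filter = namedtuple("Filter", "name direction action source destination protocol "
                    "ptype sport dport elsevent elstext",
                    defaults=("in", "pass", None, None, "any", "any", None, None, 0, ""))
Packet = namedtuple("Packet", "direction src dst protocol ptype sport dport",
                    defaults=("", 0, 0))

def addr_matches(spec, ip):
    """spec: 'a', 'a&mask', 'a-b', 'a-b&mask' or a comma list of those."""
    a = int(ipaddress.IPv4Address(ip))
    for part in spec.split(","):
        addrs, _, mask = part.partition("&")
        lo, _, hi = addrs.partition("-")
        m = int(ipaddress.IPv4Address(mask)) if mask else 0xFFFFFFFF
        lo_i = int(ipaddress.IPv4Address(lo)) & m
        hi_i = int(ipaddress.IPv4Address(hi)) & m if hi else lo_i
        if lo_i <= (a & m) <= hi_i:
            return True
    return False

def port_matches(spec, port):
    """spec: 'http', '23', '20-21', 'transient' or a comma list of those."""
    for part in spec.lower().split(","):
        if part in PORT_NAMES:
            lo, hi = PORT_NAMES[part]
        else:
            lo, _, hi = part.partition("-")
            lo, hi = int(lo), int(hi or lo)
        if lo <= port <= hi:
            return True
    return False

def matches(f, pkt):
    """Does filter f recognise pkt? The options as written are the inbound
    half; for an outbound packet a direction=both filter uses the complement."""
    if f.direction not in ("both", pkt.direction):
        return False
    src, dst, sp, dp, pt = f.source, f.destination, f.sport, f.dport, f.ptype
    if f.direction == "both" and pkt.direction == "out":
        src, dst, sp, dp, pt = dst, src, dp, sp, COMPLEMENT_PTYPE.get(pt, pt)
    if f.protocol != "any" and f.protocol != pkt.protocol:
        return False
    pt_ok = (pt == "any" or pt == pkt.ptype or          # page: ping = request or reply
             (pt == "ping" and pkt.ptype in ("echo request", "echo reply")))
    return (pt_ok and (not src or addr_matches(src, pkt.src))
            and (not dst or addr_matches(dst, pkt.dst))
            and (not sp or port_matches(sp, pkt.sport))
            and (not dp or port_matches(dp, pkt.dport)))

def format_els(f, pkt):
    """Substitute the page's %a %A %p %P %d %r %t; event n logs as FLT.(10+n)."""
    text = f.elstext
    for var, val in (("%a", pkt.src), ("%A", pkt.dst), ("%p", pkt.sport),
                     ("%P", pkt.dport), ("%d", pkt.direction),
                     ("%r", pkt.protocol), ("%t", pkt.ptype)):
        text = text.replace(var, str(val))
    return f"FLT.{10 + f.elsevent:03d} IPDF-{f.elsevent} {text}"

def evaluate(profile, pkt):
    """Walk the profile in order: the first pass or block decides, ignore only
    logs and continues, and a packet no filter passes is blocked."""
    messages = []
    for f in profile:
        if matches(f, pkt):
            if f.elsevent:
                messages.append(format_els(f, pkt))
            if f.action != "ignore":
                return f.action, messages
    return "block", messages

# Constructed profile for an internal network 162.1.0.0/16 (page addresses).
FIREWALL = [
    # In: echo replies addressed to the internal net; out (complement): echo
    # requests from it. Echo requests from outside match nothing -> blocked.
    Filter("allow.ping", direction="both", destination="162.1.0.0&255.255.0.0",
           protocol="icmp", ptype="echo reply"),
    # In: replies from server port 80 to the internal net; out: requests to 80.
    Filter("webaccess", direction="both", destination="162.1.0.0&255.255.0.0",
           protocol="tcp", sport="http"),
    # ignore + elsevent: log every inbound SYN, then fall through to the block.
    Filter("logsyn", direction="in", protocol="tcp", ptype="syn", action="ignore",
           elsevent=8, elstext="packet from %a going to %A blocked"),
]
```

evaluate returns the decision and any ELS messages. An inbound TCP SYN to port 80 of an internal host matches only logsyn, so it produces the page's FLT.018 line and still ends in the default block. The model also shows the cost of stateless matching: an inbound SYN whose source port is 80 fits the inbound half of webaccess and is passed, which is why the inbound half of such a filter should be narrowed further, for example with ptype, in a separate filter.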

istag

Sets the filter to recognize packets that an earlier filter tagged with the tag option. See tag. You can enter a tag number between 0 (zero) and 64.

Syntax: istag=number

Example: add filter External.Client istag=12

protocol

Sets the filter to recognize certain protocols.

The software recognizes certain well-known protocols that you can enter by name. Enter protocol=? to see a list of well-known protocol names. You can also enter a protocol number or any, to recognize all protocols. You cannot enter a range of numbers or a list of comma-separated names or numbers.

If a filter has any source or destination ports defined, you cannot change the protocol.

Syntax: protocol=name
number
any
Entry Description
name The name of a well-known protocol.

number A protocol number.

any Any protocol.

Example: add filter firewall.ftpclient protocol=tcp

ptype or pt

For TCP or ICMP protocols, specifies the type of packet for the filter to recognize. The software must identify the protocol before you set the packet type. You cannot set a packet type if you set the protocol to any.

To see a list of packet types available for the protocol specified in a filter, enter ptype=?. For example, enter the following to see TCP packet types:

IP Filters Config>add filter webaccess protocol=tcp ptype= ?
Matches the packet type.
The choices/prefixes are (a complete list):
Any
DAT
ACK
ACK*
FIN
FIN+ACK
PSH+ACK
RST
SYN
SYN+ACK

Note: The packet type ACK* recognizes any TCP packet that has the ACK flag set, whether alone or together with other flags. Because a plain SYN (the first packet of a new connection) carries no ACK flag, an inbound ACK* filter passes replies to connections opened from inside without passing new inbound connection requests. The check is stateless, however: any packet with ACK set gets through, including probes built to carry it, so do not treat ACK* as a substitute for tracking connection state.

To see ICMP packet types, enter the following:

IP Filters Config>add filter allow.ping protocol=icmp ptype= ?
Matches the packet type.
The choices/prefixes are (a complete list):
Any
Addr Mask Request
Addr Mask Reply
Dest Unreachable
Echo Request
Echo Reply
Parameter Problem
Ping
Redirect
Source Quench
Time Exceeded
Timestamp Request
Timestamp Reply

Note: Ping is a special packet type that recognizes both Echo Request and Echo Reply packets.

Syntax: ptype=packettype
any
Entry Description
packettype A specific packet type.

any Any packet type.

Example: add filter internal.user protocol=icmp ptype=ping

source or src or sa

Replaces, adds, or removes one or more source addresses. You can specify one address, a range of addresses, or a list of addresses. Each address includes either a default mask or a user-specified mask.
Enter . . . To . . .
source= Replace existing source addresses.

source+= Add one or more source addresses.

source-= Remove one or more source addresses.

See the destination option for more information on how to enter addresses.

Syntax: source= ipaddress
ipaddress&mask
ipaddress-ipaddress
ipaddress-ipaddress&mask
list

Example: add filter External_Client.in source=128.185.22.0-128.185.25.0&255.255.255.0

sport or sp

Replaces, adds, or removes one or more source ports for the filter to recognize. See the dport option for information on entering ports.
Enter . . . To . . .
sport= Replace existing source ports.

sport+= Add one or more source ports.

sport-= Remove one or more source ports.

Syntax: sport= name
number
number-number
list
transient

Example: add filter External.Client sport=FTP_Control

tag

Tags packets that match this filter. You can set up filters that tag certain types of packets and then prioritize the packets in the Bandwidth Reservation System (BRS) or route them using policy routing based on these tags. During times when traffic exceeds network capacity, the router sends the highest priority packets first. Tagging and prioritizing packets gives you control over which packets the router is most likely to transmit when there are requests for more than 100% of the network's bandwidth.

You can also have a filter that tags certain types of packets and then have filters that look for packets that have a specific tag. To do so, use the istag option.

You can assign tag numbers from 0 (zero) to 64. If you set tag=0, the router does not tag packets that match this filter.

Syntax: tag=number

Example: add filter External.Client tag=12

Add Profile [C] [M]

Creates a new profile. After you add a profile, add filters to the profile using the add filter command.

See Entering Profile and Filter Names for instructions on entering profile names.

Syntax: add profile profilename

Example: add profile webaccess

Delete Filter [C] [M]

Deletes a filter and automatically uninstalls it.

Syntax: delete filter profilename.filtername

Example: delete filter Inbound.user1

Delete Profile [C] [M]

Deletes and automatically uninstalls the profile and any filters in the profile.

Syntax: delete profile profilename

Example: delete profile Client_In

List Attached [C] [M]

Displays a list of the profiles that are attached to an interface. You can also list the profiles that are attached to a specific interface by including the interface number.

Syntax: list attached

Example: list attached

Listing Interface Information

Interface Attached Profiles
--------------------------------
1 firewall1
2 firewall2

Example: list attached 2

Listing Interface Information

Interface Attached Profiles
--------------------------------
2 firewall2

List Filter [C] [M]

Displays all filters, a specific filter, or all filters in a profile.

If the direction of a filter is both, this command displays an "i" next to properties that relate to a packet's direction to show that the displayed information is for inbound packets.

Syntax: list filter

Example: list filter

Listing Filters
Name Dir Address Port Protocol Action
---------------------------------------------------------------------------
firewall.webaccess Both ida=1.1.1.1 idp=HTTP(80) TCP Pass
allow.ftp In da=10.50.1.8 sp=FTP_DATA(20) Pass
dp=FTP_CONTROL(21)
TCP

Example: list filter firewall

Listing Filters
Name Dir Address Port Protocol Action
---------------------------------------------------------------------------
webaccess Both ida=1.1.1.1 idp=HTTP(80) TCP Pass
icout Out sp=transient TCP Pass

Example: list filter firewall.webaccess

Listing Filters
Name Dir Address Port Protocol Action
---------------------------------------------------------------------------
webaccess Both isa=1.1.1.1 isp=HTTP(80) TCP Pass

List Interface [C] [M]

Displays a list of the profiles that are attached to each interface, followed by the filters that are attached to each interface. You can also list the profiles and filters that are attached to a specific interface by including the interface number.

Syntax: list interface

Example: list interface

Listing Interface Information
Interface Attached Profiles
--------------------------------
1 firewall1
2 firewall2

Listing Filters Attached to Interface 1

Name Dir Address Port Protocol Action
---------------------------------------------------------------------------
firewall1.webin In da=1.1.1.1 dp=HTTP(80) TCP Pass
firewall1.webout Out sa=1.1.1.1 sp=HTTP(80) TCP Pass


Listing Filters Attached to Interface 2

Name Dir Address Port Protocol Action
---------------------------------------------------------------------------
firewall2.icout Out sp=transient TCP Pass
firewall2.icresp In sa=destination sp=dport TCP Pass
da=source dp=sport

Example: list interface 2

Listing Interface Information
Interface Attached Profiles
--------------------------------
2 firewall2
Listing Filters Attached to Interface 2

Name Dir Address Port Protocol Action
---------------------------------------------------------------------------
firewall2.icout Out sp=transient TCP Pass
firewall2.icresp In sa=destination sp=dport TCP Pass
da=source dp=sport

List Profile [C] [M]

Displays a list of profiles.

Syntax: list profile

Example: list profile

Listing Profiles
Firewall
NoSpoof
InternalClient

Rename Filter [C] [M]

Changes the name of a filter.

Syntax: rename filter oldname newname

Example: rename filter Firewall.Client_In Client_Out

Rename Profile [C] [M]

Changes the name of a profile.

Syntax: rename profile oldname newname

Example: rename profile Client_In Client_Out

Revert [M]

If you make configuration changes at the IP Filters> prompt, this command restores the saved configuration.

Syntax: revert

Example: revert

Save [M]

Saves changes you make at the IP Filters> prompt to permanent memory so they are still present after you restart the router.

Syntax: save

Example: save

Scope [C] [M]

Reduces keystrokes when you are working on filters. The scope command causes subsequent commands to apply to the profile on which you are working.

Normally, when you are working on a filter, you have to type the complete name of each filter, beginning with the profile name. The scope command keeps you from having to retype the profile name.

Note the repetitious typing in the following example:

IP Filters Config>add filter firewall.tftpc
IP Filters Config>set filter firewall.tftpc dir=in dest=10.2.50.8
IP Filters Config>set filter firewall.tftpc protocol=tcp dport=ftp

Using the example above, scope the profile firewall and enter commands that apply to that profile. Enter unscope to stop applying commands to the profile. Note that when a scope is active, its name appears in the command prompt.

IP Filters Config>scope firewall
IP Filters Config firewall>add filter tftpc
IP Filters Config firewall>set filter tftpc dir=in dest=10.2.50.8
IP Filters Config firewall>set filter tftpc protocol=tcp dport=ftp
IP Filters Config firewall>unscope
IP Filters Config>

Syntax: scope profilename

Example: scope firewall

IP Filters Config firewall>

Set Filter [C] [M]

Sets or modifies parameters of a filter that you previously created. See the add filter command for available options.

You can assign parameters in separate set filter entries. Use the scope command to apply each command to the profile without repeatedly entering the profile name.

Syntax: set filter profilename.filtername option(s)

Example: set filter tftp.client dir=in protocol=udp sport=tftp

Set Interface [C] [M]

Attaches one or more profiles to an interface. You can also remove a profile from an interface.
Enter . . . To . . .
profile= Replace profiles that are already attached to the interface.

profile+= Attach additional profile or list of profiles to the interface. The new profile names go to the end of the list.

profile-= Detach profiles or list of profiles from an interface. The remaining profile names remain where they are, and the list closes up the empty spaces.

Syntax: set interface interface# profiles=profilenames

Example: set interface 2 profiles=a,b,c,d

This example attaches profiles a, b, c, and d to interface 2.

Example: set interface 2 profiles+=a,x,c

This example adds profiles a, x, and c to the end of the list of profiles attached to this interface. It removes old entries that duplicate the new entries, so the previous list a,b,c,d becomes b,d,a,x,c. Because profiles+= reorders the list in this way, check the result with list interface, which shows the filters on the interface in the order that results.

Example: set interface 2 profiles-=c,a

This example removes profiles c and a, and results in the list b,d,x.
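
The placement rules under after and before and the list semantics of set interface profiles=, profiles+=, and profiles-= are small enough to model exactly. The following Python is an added example written for this page, not router code; the expected orderings are the ones the page gives, and the interface_filter_order helper assumes that filters are consulted profile by profile in the order list interface displays them.

```python
"""Ordering rules from this page (added example, not router code): after=/
before= placement of a filter, and profiles= / += / -= on an interface."""

def place_filter(order, name, after=None, before=None):
    """Return a new order with `name` placed after or before another filter,
    at the end (after='*') or at the start (before='*'). With no position a
    new filter goes to the end (the page's default); set filter on a filter
    that is already in the list moves it."""
    order = [n for n in order if n != name]
    if before is not None:
        idx = 0 if before == "*" else order.index(before)
    elif after is not None:
        idx = len(order) if after == "*" else order.index(after) + 1
    else:
        idx = len(order)
    return order[:idx] + [name] + order[idx:]

def set_interface_profiles(attached, op, names):
    """profiles= replaces the list, += appends (a name already attached is
    moved to its new place at the end), -= detaches and closes the gap."""
    names = list(names)
    if op == "=":
        return names
    if op == "+=":
        return [p for p in attached if p not in names] + names
    if op == "-=":
        return [p for p in attached if p not in names]
    raise ValueError(f"unknown operator {op!r}")

def interface_filter_order(attached, profiles):
    """Flatten the filters an interface consults, profile by profile, in the
    order the profiles are attached (assumed to be the order list interface
    shows). Reattaching a profile with += therefore moves its filters behind
    the other profiles' filters, and with first-match pass/block that can
    change which filter decides a packet."""
    return [f"{p}.{f}" for p in attached for f in profiles.get(p, [])]

def page_examples():
    """Reproduce the page's after=, before= and set interface examples."""
    ext = []
    for f in ("client1", "client2", "client3"):
        ext = place_filter(ext, f)
    ext = place_filter(ext, "client4", after="client1")
    ext = place_filter(ext, "client2", after="*")      # set filter client2 after=*
    fw = []
    for f in ("client1", "client2", "client3"):
        fw = place_filter(fw, f)
    fw = place_filter(fw, "client4", before="*")
    fw = place_filter(fw, "client3", before="client2")  # set filter client3 before=client2
    iface = set_interface_profiles([], "=", ["a", "b", "c", "d"])
    iface = set_interface_profiles(iface, "+=", ["a", "x", "c"])
    iface_minus = set_interface_profiles(iface, "-=", ["c", "a"])
    return ext, fw, iface, iface_minus
```

page_examples returns the four lists the page states: client1, client4, client3, client2; client4, client1, client3, client2; b,d,a,x,c; and b,d,x.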

Unscope [C] [M]

Returns the command line to the IP filtering prompt. See the scope command for more information.

Syntax: unscope

Example: IP Filters Config firewall>unscope

IP Filters Config>

Exit [C] [M]

Returns to the IP> or IP Config> prompt.

Syntax: exit

Example: exit




Copyright © 2001, Nx Networks, Inc. All rights reserved.