3Com 812 Network Router User Manual


 
6-32 CHAPTER 6: MANUAL SETUP
VALUE - The value (hex) to compare to the packet contents.
For example, a generic bridge filter that prevents all IP packets from being bridged compares the two-byte Ethernet type field, which starts at byte offset 12 of the frame, against 0x0800 (the IPv4 type code):
BR-ETH:
1 reject generic=>origin=frame/offset=12/length=2/mask=0xFFFF/value=0x0800;
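The generic filter above, modelled in Python as an added illustration (this is not 3Com code; the frame bytes and the helper names generic_match, ethertype_rule and build_frame are constructed here). It shows what offset=12/length=2/mask=0xFFFF/value=0x0800 actually tests, and the caveat a practitioner should know: an 802.1Q tagged frame carries 0x8100 at offset 12 and its real type at offset 16, so this rule does not catch VLAN-tagged IP.

```python
# Added example: byte-offset ("generic") filter matching, not 3Com firmware code.
import struct


def generic_match(frame, offset, length, mask, value):
    """origin=frame/offset/length/mask/value: take `length` bytes at `offset`
    (big-endian), AND them with `mask`, and compare with `value`."""
    if len(frame) < offset + length:
        return False  # short frame: the field is not present, so no match
    field = int.from_bytes(frame[offset:offset + length], "big")
    return (field & mask) == value


def ethertype_rule(frame):
    """The page's rule: offset=12/length=2/mask=0xFFFF/value=0x0800 (EtherType == IPv4)."""
    return generic_match(frame, 12, 2, 0xFFFF, 0x0800)


def build_frame(ethertype, payload=b"", vlan=None):
    """Constructed Ethernet II frame: dst MAC, src MAC, optional 802.1Q tag, EtherType, payload.
    MAC addresses are made-up sample values."""
    hdr = bytes.fromhex("00d0d3a1b2c3") + bytes.fromhex("00a0c9112233")
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan)  # TPID 0x8100 + TCI with VLAN id
    return hdr + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    for label, frame in (("IPv4", build_frame(0x0800)),
                         ("ARP", build_frame(0x0806)),
                         ("IPv6", build_frame(0x86DD)),
                         ("IPv4 in VLAN 10", build_frame(0x0800, vlan=10))):
        print(f"{label:16} rejected by rule: {ethertype_rule(frame)}")
```

Note that IPv6 (0x86DD) is also not caught: the rule blocks exactly one type code, so a filter meant to stop "all IP" needs one rule per type, and a rule at offset 16 for tagged frames.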
Applying the Rules Using CLI
The following sections provide detailed information and examples for creating
specific filters based on protocol.
IP Source and Destination Network Filtering Using CLI
Source and destination address filtering is generally used to limit permitted access
to trusted hosts and networks only, to explicitly deny access to hosts and networks
that are not trusted, or to limit external access to a given host (for example, a web
server or a firewall).
Note that only the part of the IP address selected by the mask (the /n suffix after the address, meaning the first n bits) is used in the comparison; an address given without a mask must match in full. Rules are tested in numeric order, and the first rule whose condition matches decides the packet: it is forwarded (rules containing ACCEPT) or discarded (rules containing REJECT or DENY).
The following rule example allows forwarding of only IP packets with source addresses that match the first 16 bits of the given IP address (addresses beginning with 192.77). The closing DENY rule discards every packet the ACCEPT rule did not match:
IP:
1 ACCEPT src-addr = 192.77.200.203/16;
999 DENY;
The following rule example rejects IP packets with the source address 144.133.20.1 (no mask, so all 32 bits must match). There is no closing DENY rule, so packets from other sources are not affected by this filter.
IP:
1 REJECT src-addr = 144.133.20.1;
The following rule example allows forwarding of only IP packets with source address 192.77.100.32 and destination address 201.128.11.34. Rule 1 uses AND, so it does not decide the packet by itself: its condition is combined with rule 2, and the ACCEPT applies only when both match. Everything else falls through to the DENY rule:
IP:
1 AND src-addr = 192.77.100.32;
2 ACCEPT dst-addr = 201.128.11.34;
999 DENY;
IP Source and Destination Port Filtering Using CLI
You can also filter against UDP and TCP port numbers. The following rule example rejects IP packets whose TCP destination port is 80 (HTTP); UDP packets and TCP packets to other ports are not affected.
IP:
1 REJECT tcp_dst_port = 80;
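The address and port examples above, evaluated by a small rule interpreter written for this page as an added example (it is not 3Com firmware code). It parses the IP: rule blocks exactly as printed, applies the /n mask semantics, the AND chaining and the ordered evaluation described above, and treats a packet that matches no rule as forwarded; that default is an assumption drawn from the examples, which need a closing "999 DENY;" to block other traffic. Only the keywords that appear on this page (src-addr, dst-addr, tcp_dst_port) are supported, and packets are plain dicts constructed here.

```python
# Added example: evaluator for the 3Com-style IP filter rules shown on this page.
# Not 3Com code; the "no match => forward" default is an assumption from the examples.
import ipaddress
import re

RULE_RE = re.compile(r"^\s*(\d+)\s+(ACCEPT|REJECT|DENY|AND)\s*(.*?)\s*;\s*$", re.I)


def parse_filter(text):
    """Parse a block like 'IP:\\n1 ACCEPT src-addr = 192.77.200.203/16;\\n999 DENY;'.

    Returns (number, action, field, value) tuples sorted by rule number.
    For src-addr/dst-addr the '/n' suffix is the mask: only the first n bits
    are compared. Without a suffix the whole 32-bit address must match.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):  # skip blank lines and the 'IP:' header
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        number, action, cond = m.groups()
        field = value = None
        if cond:
            field, raw = (s.strip() for s in cond.split("=", 1))
            if field in ("src-addr", "dst-addr"):
                value = ipaddress.ip_network(raw, strict=False)  # 192.77.200.203/16 -> 192.77.0.0/16
            elif field == "tcp_dst_port":  # the only port keyword used on this page
                value = int(raw)
            else:
                raise ValueError(f"unsupported field: {field}")
        rules.append((int(number), action.upper(), field, value))
    return sorted(rules, key=lambda r: r[0])


def _matches(field, value, pkt):
    if field is None:  # unconditional rule, e.g. '999 DENY;'
        return True
    if field == "src-addr":
        return ipaddress.ip_address(pkt["src"]) in value
    if field == "dst-addr":
        return ipaddress.ip_address(pkt["dst"]) in value
    if field == "tcp_dst_port":
        return pkt.get("proto") == "tcp" and pkt.get("dport") == value
    raise ValueError(field)


def evaluate(rules, pkt):
    """Return 'forward' or 'discard' for pkt.

    Rules are tested in numeric order. An AND rule decides nothing by itself:
    its condition is combined with the next rule, which carries the action.
    The first ACCEPT/REJECT/DENY whose (combined) condition holds wins.
    """
    chain_ok = True  # True while every preceding AND condition has matched
    for _, action, field, value in rules:
        hit = _matches(field, value, pkt)
        if action == "AND":
            chain_ok = chain_ok and hit
            continue
        if chain_ok and hit:
            return "forward" if action == "ACCEPT" else "discard"
        chain_ok = True  # an AND chain, if any, ends at this rule
    return "forward"  # assumption: packets matching no rule are forwarded


# The manual's own rule blocks, copied from this page.
ONLY_192_77 = "IP:\n1 ACCEPT src-addr = 192.77.200.203/16;\n999 DENY;"
HOST_PAIR = "IP:\n1 AND src-addr = 192.77.100.32;\n2 ACCEPT dst-addr = 201.128.11.34;\n999 DENY;"
NO_HTTP = "IP:\n1 REJECT tcp_dst_port = 80;"


def demo():
    """Evaluate constructed sample packets against the page's filters."""
    r1, r2, r3 = (parse_filter(t) for t in (ONLY_192_77, HOST_PAIR, NO_HTTP))
    return {
        "192.77.x.x source accepted": evaluate(r1, {"src": "192.77.1.1", "dst": "10.0.0.1"}),
        "other source denied": evaluate(r1, {"src": "192.78.1.1", "dst": "10.0.0.1"}),
        "host pair accepted": evaluate(r2, {"src": "192.77.100.32", "dst": "201.128.11.34"}),
        "right src, wrong dst denied": evaluate(r2, {"src": "192.77.100.32", "dst": "201.128.11.35"}),
        "wrong src, right dst denied": evaluate(r2, {"src": "192.77.100.33", "dst": "201.128.11.34"}),
        "tcp/80 rejected": evaluate(r3, {"src": "1.2.3.4", "dst": "5.6.7.8", "proto": "tcp", "dport": 80}),
        "udp/80 not affected": evaluate(r3, {"src": "1.2.3.4", "dst": "5.6.7.8", "proto": "udp", "dport": 80}),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30} -> {verdict}")
```

The "wrong src, right dst denied" case is the one to check when writing AND rules: because rule 1 failed, rule 2's ACCEPT must not fire even though its own condition matched, and the packet must reach the DENY rule.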
IP Protocol Filtering Using CLI
Filtering can also be done on the IP protocol. The protocols that can be filtered are UDP, TCP and ICMP. The following rule example rejects TCP packets.