Allied Telesis AR300 series Network Router User Manual


 
16 Release Note
Software Release 2.3.1
C613-10325-00 REV B
additional rules can be added to allow or deny access based on IP addresses,
port numbers, day of the week, or time of day. The rules for a given interface
in a policy are processed in ascending rule-number order, from the lowest
numbered rule to the highest, and processing stops at the first rule that
matches.
These rules, created with the ADD FIREWALL POLICY RULE command, are
based on IP address, port, protocol, date and time. In addition, the processing
of ICMP packets, IP packets with options set and ping packets can be enabled
or disabled on a per-policy basis using the ENABLE FIREWALL POLICY
command and the DISABLE FIREWALL POLICY command.
The ACTION parameter specifies what the firewall should do with traffic that
matches the selectors defined for this rule. If ALLOW is specified, the traffic
will be permitted to pass through the firewall. If DENY is specified, the traffic
will be prevented from passing through the firewall. If NONAT is specified,
any traffic that matches the rule will not have a NAT translation performed on
it, should a NAT relationship exist for the interfaces involved. If NAT is
specified, the NATTYPE parameter should be used to specify whether the NAT
rule performs DOUBLE, ENHANCED, REVERSE or STANDARD NAT
translation. The values NONAT and NAT implicitly allow traffic through the
firewall.
A rule specified with ACTION=NAT takes precedence over NAT relationships specified
by the ADD FIREWALL POLICY NAT command.
A rule specified with ACTION=NAT implicitly allows traffic that matches the
rule. Define its selectors (protocol, port and address) narrowly, so that only
the traffic the NAT translation is intended for is permitted through the firewall.
The GBLIP parameter specifies a single IP address that is matched to the
destination address of packets received on a public interface. The GBLIP
parameter also specifies the global IP address to be used as the public IP
address for private side devices if NAT is active on the interface, or if the value
specified for the ACTION parameter is NAT.
The GBLPORT parameter specifies the port number, service name, or range of
port numbers that apply to the rule if NAT is active on an interface.
The meaning of the GBLREMOTEIP parameter depends on the type of interface the
rule is applied to. If the INTERFACE parameter specifies a public
interface, it specifies a single IP address that is matched to the source IP
address of packets received on that interface. If the INTERFACE parameter
specifies a private interface, the GBLREMOTEIP parameter will be substituted
as the destination address for packets received on the interface. This parameter
should only be specified when the ACTION parameter is NAT and the
NATTYPE is REVERSE or DOUBLE.
The IP parameter specifies a single IP address or a range of IP addresses that
match the source address of packets received on a private interface. The IP
parameter also specifies the IP address to be used as the private IP address for
private side devices if NAT is active on the interface, or if the value specified
for the ACTION parameter is NAT.
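The following Python script is an added illustration of the rule-processing behaviour described above (lowest rule number first, first match wins, and ACTION=NAT or NONAT implicitly permitting the matched traffic); it is not code from the router or the manual. Rule fields are named after the documented parameters (ACTION, INTERFACE, PROTOCOL, IP, PORT, GBLIP, NATTYPE), but the data model, the packet format, the choice of which interface is public, the sample policy and the NATTYPE value used in it are constructed for the example. The evaluator only decides whether a packet matches and is permitted; it does not perform any translation.

```python
"""First-match evaluation of firewall policy rules.

Rules for an interface are tried from the lowest to the highest rule
number and the first match decides.  Field names follow the manual's
parameters (ACTION, INTERFACE, PROTOCOL, IP, PORT, GBLIP, NATTYPE); the
data model, the packet format and the sample policy are constructed for
this example and are not the router's own code."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

IPRange = Tuple[str, str]      # inclusive first/last address
PortRange = Tuple[int, int]    # inclusive first/last port
PERMITTING = {"ALLOW", "NAT", "NONAT"}   # NAT and NONAT allow implicitly


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                        # ALLOW | DENY | NAT | NONAT
    interface: str
    protocol: str = "ALL"              # TCP | UDP | ICMP | ALL
    ip: Optional[IPRange] = None       # private-side address(es)
    port: Optional[PortRange] = None   # destination port(s)
    gblip: Optional[str] = None        # global (public) address
    nattype: Optional[str] = None      # only with ACTION=NAT


@dataclass(frozen=True)
class Packet:
    interface: str
    protocol: str
    src: str
    dst: str
    dport: int


# Assumption: which interfaces are public is configured elsewhere in the policy.
PUBLIC_INTERFACES = {"ppp0"}


def _ip_in(addr: str, rng: Optional[IPRange]) -> bool:
    if rng is None:
        return True
    return IPv4Address(rng[0]) <= IPv4Address(addr) <= IPv4Address(rng[1])


def _port_in(port: int, rng: Optional[PortRange]) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def matches(rule: Rule, pkt: Packet) -> bool:
    """Apply the rule's selectors to one packet."""
    if rule.interface != pkt.interface:
        return False
    if rule.protocol != "ALL" and rule.protocol != pkt.protocol:
        return False
    if not _port_in(pkt.dport, rule.port):
        return False
    if pkt.interface in PUBLIC_INTERFACES:
        # On a public interface GBLIP is matched to the destination address;
        # IP is then the private address to translate to, not a selector.
        return rule.gblip is None or pkt.dst == rule.gblip
    # On a private interface IP is matched to the source address.
    return _ip_in(pkt.src, rule.ip)


def evaluate(rules: List[Rule], pkt: Packet, no_match: str = "DENY"):
    """Return (rule_number, action, permitted) for the first matching rule.

    Rules are taken in ascending rule number for the packet's interface.
    What happens when nothing matches depends on the policy's defaults,
    which this excerpt does not cover, so it is passed in as no_match."""
    for rule in sorted((r for r in rules if r.interface == pkt.interface),
                       key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.number, rule.action, rule.action in PERMITTING
    return None, no_match, no_match in PERMITTING


# Constructed sample policy: eth0 is private, ppp0 is public.
RULES = [
    # Rule 1 blocks one host; rule 2 would allow it, but 1 is processed first.
    Rule(1, "DENY", "eth0", "TCP", ip=("192.168.1.50", "192.168.1.50")),
    Rule(2, "ALLOW", "eth0", "TCP", ip=("192.168.1.0", "192.168.1.255"), port=(80, 80)),
    # Over-broad NAT rule: every packet to the global address is implicitly allowed.
    Rule(10, "NAT", "ppp0", "ALL", gblip="203.0.113.5",
         ip=("192.168.1.10", "192.168.1.10"), nattype="STANDARD"),
]

# The same policy with rule 10 narrowed to the one service actually published.
TIGHT_RULES = RULES[:2] + [
    Rule(10, "NAT", "ppp0", "TCP", port=(443, 443), gblip="203.0.113.5",
         ip=("192.168.1.10", "192.168.1.10"), nattype="STANDARD"),
]

if __name__ == "__main__":
    probes = [
        Packet("eth0", "TCP", "192.168.1.50", "203.0.113.9", 80),
        Packet("eth0", "TCP", "192.168.1.20", "203.0.113.9", 80),
        Packet("ppp0", "UDP", "198.51.100.7", "203.0.113.5", 53),
        Packet("ppp0", "TCP", "198.51.100.7", "203.0.113.5", 443),
    ]
    for p in probes:
        print(p.interface, p.protocol, p.src, "->", p.dst, p.dport,
              "broad:", evaluate(RULES, p), "tight:", evaluate(TIGHT_RULES, p))
```

Running the script shows the two points that matter operationally: the packet from 192.168.1.50 is denied by rule 1 even though rule 2 would allow it, because the lower-numbered rule is processed first; and under the broad policy a UDP packet to port 53 on the global address is permitted by the NAT rule, whereas under the narrowed policy it falls through to the no-match result.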
The NATTYPE parameter may only be used when the value specified by the
ACTION parameter is NAT. It specifies whether the NAT rule performs
DOUBLE, ENHANCED, REVERSE or STANDARD NAT. DOUBLE NAT