Security Configuration Command Set
Configuring Access Lists
14-166 Matrix NSA Series Configuration Guide
destination: Specifies the network or host to which the packet will be sent. Valid options for expressing destination are:
• IP address (A.B.C.D)
• any - Any destination host
• host source - IP address of a single destination host
destination-wildcard: (Optional) Specifies the bits to ignore in the destination address.
icmp-type: (Optional) Filters ICMP frames by ICMP message type. The type is a number from 0 to 255.
icmp-code: (Optional) Further filters ICMP frames filtered by ICMP message type by their ICMP message code. The code is a number from 0 to 255.
operator port: (Optional) Applies access rules to TCP or UDP source or destination port numbers. Possible operands include:
• lt port - Match only packets with a lower port number.
• gt port - Match only packets with a greater port number.
• eq port - Match only packets on a given port number.
• neq port - Match only packets not on a given port number.
• range min-sport max-sport - Match only packets in the range of source ports.
• range min-dport max-dport - Match only packets in the range of destination ports.
tos-extensions: (Optional) Applies access rules to the precedence and/or tos fields, or to the DiffServ field. That is, you can specify one or both precedence and tos fields, or you can specify the DiffServ field. Use the following keyword/value pairs to specify the tos-extensions:
• precedence value (0-7) - Match packets based on the IP precedence value.
• tos value (0-15) - Match packets based on the IP Type of Service value.
• dscp value (0-63) - Match packets based on the DiffServ codepoint value.
established: (Optional) Applies TCP restrictions to established connections only.
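The following Python sketch is an added example, not code from this guide or from the device. It models how the destination/destination-wildcard, operator port and tos-extensions parameters above select a packet, which is useful for checking a rule's reach before deploying it. Assumptions: bits set in the wildcard are the ones ignored, range bounds are inclusive, the 4-bit tos value sits directly below the 3 precedence bits (RFC 1349 layout), and all function names are hypothetical.

```python
import ipaddress

def addr_matches(addr, base, wildcard="0.0.0.0"):
    """True if addr equals base on every bit NOT set in wildcard (assumed: set bits are ignored)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def dest_matches(addr, spec):
    """spec is ('any',), ('host', ip) or (ip, wildcard), mirroring the destination options."""
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return addr_matches(addr, spec[1])
    return addr_matches(addr, spec[0], spec[1])

def port_matches(port, op, *args):
    """Evaluate the lt / gt / eq / neq / range operators on a TCP or UDP port."""
    if op == "range":
        lo, hi = args
        return lo <= port <= hi          # assumed inclusive bounds
    value = args[0]
    return {"lt": port < value, "gt": port > value,
            "eq": port == value, "neq": port != value}[op]

def tos_fields(tos_byte):
    """Split the IPv4 ToS/DiffServ octet into the three values a rule can test."""
    return {"precedence": tos_byte >> 5,      # top 3 bits, 0-7
            "tos": (tos_byte >> 1) & 0xF,     # next 4 bits, 0-15 (RFC 1349)
            "dscp": tos_byte >> 2}            # top 6 bits, 0-63 (RFC 2474)

def tos_matches(tos_byte, **wanted):
    """True if every requested field (precedence=, tos=, dscp=) equals the packet's value."""
    fields = tos_fields(tos_byte)
    return all(fields[k] == v for k, v in wanted.items())

# Constructed sample packet: destination in 10.1.0.0/16, HTTPS, DSCP 46 (EF)
PACKET = {"dst": "10.1.7.25", "dport": 443, "tos_byte": 0xB8}

def rule_matches(pkt):
    """Model of a rule: destination 10.1.0.0 0.0.255.255, range 400 500, dscp 46."""
    return (dest_matches(pkt["dst"], ("10.1.0.0", "0.0.255.255"))
            and port_matches(pkt["dport"], "range", 400, 500)
            and tos_matches(pkt["tos_byte"], dscp=46))
```

Because precedence and dscp overlap in the same octet, a rule written against one of them also constrains the other: the sample packet's DSCP 46 necessarily carries precedence 5.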