Firewall
Firewall command reference
iMG/RG Software Reference Manual (IPNetwork Functions)
4-124
Status : enabled
Permitted? : true
See also
FIREWALL LIST POLICIES
FIREWALL LIST PORTFILTERS
4.3.2.0.18 FIREWALL ADD VALIDATOR
Syntax
FIREWALL ADD VALIDATOR <name> <policyname> {INBOUND|OUTBOUND|BOTH} <ipaddress> <hostipmask>
Description
This command adds a validator to a firewall policy. Traffic is blocked based on the source/
destination IP address and netmask. This command allows you to specify:
- the IP address(es) and netmask(s) that you want to block
- the direction of traffic that you want to block
Once you have added a validator to a policy, specifying the IP address and direction
values, you can reuse these values by adding the validator to other policies.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option        Description                                                            Default Value
name          An arbitrary name that identifies the validator. It can be made up     N/A
              of one or more letters or a combination of letters and digits, but
              it cannot start with a digit.
policyname    An existing firewall policy. To display policy names, use the          N/A
              FIREWALL LIST POLICIES command.
inbound       Validator blocks incoming traffic based on IP addresses.               N/A
outbound      Validator blocks outgoing traffic based on IP addresses.               N/A
both          Validator blocks inbound and outbound traffic based on IP addresses.   N/A
ipaddress     The IP address that you want to carry out IP address validation on,    N/A
              specified in dotted-decimal format, e.g., 192.168.102.3
hostipmask    The IP mask address. If you want to filter a range of addresses,       N/A
              specify the network mask, e.g., 255.255.255.0. If you want to filter
              a single IP address, use the host mask 255.255.255.255.
Example
In the following example, a policy is created, then a validator is added to it that blocks
inbound traffic from, and outbound traffic to, the stated IP address. All other traffic is
allowed.
--> firewall add policy ext-int external-internal blockonly-val
--> firewall add validator v1 ext-int both 192.168.102.3 255.255.255.255
See also
firewall add policy
firewall list policies
firewall delete validator
firewall show validator
4.3.2.0.19 FIREWALL DELETE VALIDATOR
Syntax
FIREWALL DELETE VALIDATOR <name> <policyname>
Description
This command deletes a single validator from a named policy.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option        Description                                                            Default Value
name          An existing validator. To display validator names, use the             N/A
              FIREWALL LIST VALIDATORS command.
policyname    An existing firewall policy. To display policy names, use the          N/A
              FIREWALL LIST POLICIES command.
Example
--> firewall delete validator v1 ext-int
See also
FIREWALL LIST VALIDATORS
FIREWALL LIST POLICIES
4.3.2.0.20 FIREWALL LIST VALIDATORS
Syntax
FIREWALL LIST VALIDATORS <policyname>
Description
This command lists the following information about validators added to a policy using the
FIREWALL ADD VALIDATOR command:
- Validator ID number
- Validator name
- Direction (inbound, outbound or both)
- Host IP address
- Host mask address
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option        Description                                                            Default Value
policyname    An existing firewall policy. To display policy names, use the          N/A
              FIREWALL LIST POLICIES command.
Example
--> firewall list validators ext-int
Firewall Host Validators:
ID | Name | Direction | Host IP       | Mask
-------------------------------------------------------------
1  | v1   | both      | 192.168.103.2 | 255.255.255.0
2  | v2   | inbound   | 192.168.103.1 | 255.255.255.0
-------------------------------------------------------------
See also
FIREWALL ADD VALIDATOR
FIREWALL SHOW VALIDATOR
FIREWALL LIST POLICIES
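The following added example is not code from the manual or from Allied Telesis; it models the validator semantics described under FIREWALL ADD VALIDATOR and parses the FIREWALL LIST VALIDATORS table shown above. It assumes, from the manual's "from/to" wording, that an inbound validator is tested against a packet's remote source address and an outbound validator against its remote destination, and that the first matching validator in the list decides; the name and mask constraints follow the options table. The sample table is constructed for the example.

```python
"""Added example: model of iMG/RG firewall validators (not vendor code).

Parses FIREWALL LIST VALIDATORS output into records, decides whether a packet
would be blocked, and builds FIREWALL ADD VALIDATOR lines that respect the
option constraints. Matching rule (an assumption drawn from the manual's
"from/to" wording): inbound validators test the remote source address,
outbound validators the remote destination address, first match wins.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, laid out like the manual's FIREWALL LIST VALIDATORS output.
SAMPLE_LIST_OUTPUT = """\
--> firewall list validators ext-int
Firewall Host Validators:
ID | Name | Direction | Host IP       | Mask
-------------------------------------------------------------
1  | v1   | both      | 192.168.103.2 | 255.255.255.0
2  | v2   | inbound   | 192.168.103.1 | 255.255.255.0
-------------------------------------------------------------
"""

DIRECTIONS = ("inbound", "outbound", "both")
# Validator names: letters, or letters and digits, never starting with a digit.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*$")


def parse_mask(host_ip: str, mask: str) -> ipaddress.IPv4Network:
    """Turn <ipaddress> <hostipmask> into the network the validator covers.

    ipaddress.ip_network accepts a dotted netmask; strict=False permits host
    bits, as in 192.168.103.2/255.255.255.0. A non-contiguous mask raises
    ValueError, and a hostmask such as 0.0.0.255 is rejected explicitly.
    """
    net = ipaddress.ip_network(f"{host_ip}/{mask}", strict=False)
    if net.netmask != ipaddress.IPv4Address(mask):
        raise ValueError(f"{mask} is not a network mask")
    return net


@dataclass(frozen=True)
class Validator:
    vid: int
    name: str
    direction: str
    host_ip: str
    mask: str

    def covers(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in parse_mask(self.host_ip, self.mask)


def parse_list_validators(text: str) -> list[Validator]:
    """Parse the pipe-separated table printed by FIREWALL LIST VALIDATORS."""
    found = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        # Skip the echoed command, the title, the column header and the dashed rules.
        if len(cells) != 5 or not cells[0].isdigit():
            continue
        found.append(Validator(int(cells[0]), cells[1], cells[2].lower(), cells[3], cells[4]))
    return found


def blocking_validator(validators: list[Validator], direction: str,
                       src: str, dst: str) -> Optional[str]:
    """Name of the first validator that blocks the packet, or None if it passes.

    direction is the packet's direction through the gateway: "inbound" packets
    are tested on their source address, "outbound" packets on their destination.
    """
    if direction not in ("inbound", "outbound"):
        raise ValueError(direction)
    remote = src if direction == "inbound" else dst
    for v in validators:
        if v.direction in (direction, "both") and v.covers(remote):
            return v.name
    return None


def add_validator_cmd(name: str, policy: str, direction: str,
                      host_ip: str, mask: str) -> str:
    """Build a FIREWALL ADD VALIDATOR line, enforcing the documented option rules."""
    if not NAME_RE.match(name):
        raise ValueError(f"invalid validator name {name!r}")
    if direction not in DIRECTIONS:
        raise ValueError(f"direction must be one of {DIRECTIONS}")
    parse_mask(host_ip, mask)  # raises on a malformed address or mask
    return f"firewall add validator {name} {policy} {direction} {host_ip} {mask}"


if __name__ == "__main__":
    vs = parse_list_validators(SAMPLE_LIST_OUTPUT)
    for v in vs:
        print(v)
    print(blocking_validator(vs, "inbound", "192.168.103.77", "10.0.0.5"))
    print(add_validator_cmd("v3", "ext-int", "both", "192.168.102.3", "255.255.255.255"))
```

Note that both v1 and v2 cover 192.168.103.0/24, so an inbound packet from that subnet is reported as blocked by v1 simply because it is listed first; only v2 on its own shows the inbound-only behaviour, and a hostmask written where a netmask belongs (0.0.0.255) is refused rather than silently widened to a /24.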
4.3.2.0.21 FIREWALL SHOW VALIDATOR
Syntax
FIREWALL SHOW VALIDATOR <name> <policyname>
Description
This command displays information about a single validator that was added to a firewall
policy using the FIREWALL ADD VALIDATOR command. The following validator information
is displayed:
Validator name
Direction (inbound, outbound or both)
Host IP address
Host mask address
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option        Description                                                            Default Value
name          An existing validator. To display validator names, use the             N/A
              FIREWALL LIST VALIDATORS command.
policyname    An existing firewall policy. To display policy names, use the          N/A
              FIREWALL LIST POLICIES command.
Example
--> firewall show validator v1 ext-int
Firewall Host Validator: v1
Direction: both
Host IP: 192.168.103.2
Host Mask: 255.255.255.0
See also
FIREWALL ADD VALIDATOR
FIREWALL LIST VALIDATORS
FIREWALL LIST POLICIES
4.3.2.0.22 FIREWALL SET IDS VICTIMPROTECTION
Syntax
FIREWALL SET IDS VICTIMPROTECTION <duration>
Description
This command sets the duration of the victim protection Intrusion Detection Setting
(IDS). If victim protection is enabled, packets destined for the victim host of a spoofing
style attack are blocked. The command allows you to specify the duration of the block
time limit.
Note:
This command is an alias of the corresponding "security set IDS" command.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option        Description                                                            Default Value
duration      The length of time (in seconds) for which packets destined for the     600
              victim of a spoofing style attack are blocked.                         (10 minutes)
Example
--> firewall set IDS victimprotection 800
See also
SECURITY SET IDS VICTIMPROTECTION
4.3.2.0.23 FIREWALL SET IDS DOSATTACKBLOCK
Syntax
FIREWALL SET IDS DOSATTACKBLOCK <duration>
Description
This command sets the DOS (Denial of Service) attack block duration Intrusion Detection
Setting (IDS). A DOS attack is an attempt by an attacker to prevent legitimate users
from using a service. If a DOS attack is detected, all suspicious hosts are blocked for a
set time limit. This command allows you to specify the duration of the block time limit.
Note:
This command is an alias of the corresponding "security set IDS" command.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option        Description                                                            Default Value
duration      The length of time (in seconds) that suspicious hosts are blocked      1800
              for once a DOS attack attempt has been detected.                       (30 minutes)
Example
--> firewall set IDS DOSattackblock 800
See also
SECURITY SET IDS DOSATTACKBLOCK
4.3.2.0.24 FIREWALL SET IDS MAXICMP
Syntax
FIREWALL SET IDS MAXICMP <max>
Description
This command sets the maximum number of ICMP packets per second that are allowed
before an ICMP Flood is detected. An ICMP Flood is a DOS (Denial of Service) attack:
an attacker tries to flood the network with ICMP packets in order to prevent
transportation of legitimate network traffic. Once the maximum number of ICMP packets
per second is exceeded, an attempted ICMP Flood is detected.
Note:
This command is an alias of the corresponding "security set IDS" command.
Options
The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option        Description                                                            Default Value
max           The maximum number (per second) of ICMP packets that are allowed       100
              before an ICMP Flood attempt is detected.
Example
--> firewall set IDS MaxICMP 200
See also
SECURITY SET IDS MAXICMP
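The following added example is not code from the manual or from Allied Telesis; it replays a constructed packet timeline through a small model of the three IDS settings above so the effect of MAXICMP, DOSATTACKBLOCK and VICTIMPROTECTION on individual packets can be seen. The manual does not say how the gateway detects an ICMP flood or a spoofing-style attack, so the two detection rules in the model are assumptions: a flood is more than MaxICMP ICMP packets from one source within one wall-clock second, and a spoofing attack is an external packet claiming a source address inside the protected LAN (192.168.1.0/24, also an assumption). The defaults are the ones documented on this page.

```python
"""Added example: model of the MAXICMP, DOSATTACKBLOCK and VICTIMPROTECTION
IDS settings applied to inbound packets (not vendor code).

Thresholds and durations are the manual's defaults. The detection rules are
assumptions: an ICMP flood is more than MaxICMP ICMP packets from one source
inside one wall-clock second; a spoofing-style attack is an external packet
whose source address lies inside the protected LAN prefix.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict


class IdsSimulator:
    def __init__(self, lan_prefix: str = "192.168.1.0/24", maxicmp: int = 100,
                 dosattackblock: int = 1800, victimprotection: int = 600):
        self.lan = ipaddress.ip_network(lan_prefix)   # assumed protected LAN
        self.maxicmp = maxicmp                         # FIREWALL SET IDS MAXICMP
        self.dosattackblock = dosattackblock           # FIREWALL SET IDS DOSATTACKBLOCK
        self.victimprotection = victimprotection       # FIREWALL SET IDS VICTIMPROTECTION
        self.icmp_per_second = defaultdict(int)        # (src, whole second) -> count
        self.blocked_hosts: dict[str, float] = {}      # src -> time the block ends
        self.protected_victims: dict[str, float] = {}  # dst -> time protection ends

    def inbound(self, t: float, src: str, dst: str, proto: str) -> str:
        """Verdict for one packet arriving from the external side at time t (seconds)."""
        # A suspicious host stays blocked for DOSATTACKBLOCK seconds.
        if self.blocked_hosts.get(src, 0.0) > t:
            return "drop:host-blocked"
        # Victim protection drops everything destined for the victim.
        if self.protected_victims.get(dst, 0.0) > t:
            return "drop:victim-protected"
        # Spoofing-style attack (assumed rule): LAN source address arriving from outside.
        if ipaddress.ip_address(src) in self.lan:
            self.protected_victims[dst] = t + self.victimprotection
            return "drop:spoof-detected"
        # ICMP flood: count packets per source per second against MaxICMP.
        if proto == "icmp":
            key = (src, int(t))
            self.icmp_per_second[key] += 1
            if self.icmp_per_second[key] > self.maxicmp:
                self.blocked_hosts[src] = t + self.dosattackblock
                return "drop:icmp-flood"
        return "allow"


def run_scenario(**settings) -> dict:
    """Replay a constructed traffic timeline and collect the interesting verdicts."""
    ids = IdsSimulator(**settings)
    attacker, lan_host = "203.0.113.5", "192.168.1.20"
    victim, other_host, client = "192.168.1.10", "192.168.1.11", "198.51.100.7"
    out: dict = {}

    # 150 ICMP echo requests from the attacker inside the first second.
    pings = [ids.inbound(i / 1000, attacker, victim, "icmp") for i in range(150)]
    out["first_dropped_ping"] = next((i + 1 for i, v in enumerate(pings) if v != "allow"), None)
    # A packet from outside claiming a LAN source address: victim protection starts.
    out["spoof"] = ids.inbound(10, lan_host, victim, "tcp")
    # The attacker tries another host while its DoS block is in force.
    out["during_block"] = ids.inbound(100, attacker, other_host, "tcp")
    # A legitimate client cannot reach the victim while it is protected ...
    out["victim_protected"] = ids.inbound(300, client, victim, "tcp")
    # ... but can once VICTIMPROTECTION seconds have elapsed.
    out["victim_after"] = ids.inbound(10 + ids.victimprotection + 1, client, victim, "tcp")
    # The attacker's block lapses after DOSATTACKBLOCK seconds.
    out["after_block"] = ids.inbound(ids.dosattackblock + 1, attacker, other_host, "tcp")
    return out


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:>18}: {verdict}")
    print("with MaxICMP 200:", run_scenario(maxicmp=200)["first_dropped_ping"])
```

With the defaults the 101st ping in the burst is the one flagged as a flood and every later packet from that source is dropped until the 1800-second block lapses, while the spoofed packet makes the gateway drop traffic to the victim (including a legitimate client's) for 600 seconds. Raising MaxICMP to 200, as in the manual's example, lets the same 150-packet burst through untouched, which is the trade-off the setting controls.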
