558    CHAPTER 39: CONFIGURING FIREWALL

Table 627 Configure Rules for Applying Access Control List on Interface

Operation: Specify rule for filtering received/sent packets on an interface
Command:   firewall packet-filter acl-number [ inbound | outbound ]

Operation: Cancel rule for filtering received/sent packets on an interface
Command:   undo firewall packet-filter acl-number [ inbound | outbound ]


By default, no packet-filtering rule is applied on an interface.

In one direction of an interface (inbound or outbound), up to 20 access control lists can be applied. That is, 20 lists can be applied with firewall packet-filter ... inbound and another 20 with firewall packet-filter ... outbound on the same interface.

If two lists applied in the same direction contain conflicting rules, the list with the greater acl-number is matched first.

Specifying Logging Host

The firewall supports a logging function. When an access rule is matched and the user has specified that logging be generated for this rule, a log is sent to the logging host, where it is recorded and saved.

Perform the following configurations in system view.

Table 628 Specify Logging Host

Operation: Specify logging host
Command:   ip host unix-hostname ip-address

Operation: Cancel logging host
Command:   undo ip host


For a detailed description of the logging host parameters, see “Logging Function” in “System Management”.

Displaying and Debugging Firewall

The debugging, reset and display commands can be used in all views.

Table 629 Display and Debug Firewall

Operation: Display firewall status
Command:   display firewall

Operation: Display packet filtering rules and their application on interfaces
Command:   display acl [ all | acl-number | interface type number ]

Operation: Display current time ranges
Command:   display timerange

Operation: Display whether the current time is within a special time range
Command:   display isintr

Operation: Clear access rule counters
Command:   reset acl counters [ acl-number ]

Operation: Enable debugging information for firewall packet filtering
Command:   debugging filter { all | icmp | tcp | udp }

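The following is an added example, not taken from this manual, showing the commands of Tables 627 to 629 used together: a packet-filter list is applied inbound on a WAN interface, a logging host is specified, and the binding and counters are checked. The ACL number 101, the [Router] and [Router-Serial0] prompts, the host name loghost and the address 129.38.1.3 are assumptions for illustration; the ACL itself is assumed to have been defined beforehand. Lines beginning with # are annotations, not CLI input.

```text
# Assumed: ACL 101 already exists and "interface serial 0" enters the interface view.
[Router] interface serial 0
# Apply ACL 101 to packets received on Serial 0 (at most 20 lists per direction).
[Router-Serial0] firewall packet-filter 101 inbound
[Router-Serial0] quit
# Logging host for rules configured to generate logs (name and address assumed).
[Router] ip host loghost 129.38.1.3
# Verify that the firewall is enabled and that ACL 101 is bound to the interface.
[Router] display firewall
[Router] display acl 101
# Zero the match counters before sending test traffic, then re-display.
[Router] reset acl counters 101
[Router] display acl interface serial 0
# Remove the binding again from interface view when it is no longer needed.
[Router] interface serial 0
[Router-Serial0] undo firewall packet-filter 101 inbound
```

If a second list is applied in the same inbound direction, remember the precedence rule stated above: where rules in the two lists conflict, the list with the greater acl-number is matched first, so check display acl for both lists after making the change.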

Firewall Configuration Example

The following is a sample firewall configuration for an enterprise.

This enterprise accesses the Internet through interface Serial 0 of one 3Com router, and the enterprise provides WWW, FTP and Telnet services to the outside. The internal sub-network of the enterprise is 129.38.1.0, the internal FTP server address is 129.38.1.1, the internal Telnet server address is 129.38.1.2, and the internal
