
Release Note

additional rules can be added to allow or deny access based on IP addresses, port numbers, day of the week, or time of day. The rules for a given interface in a policy are processed in order, from the lowest numbered rule to the highest, and processing stops at the first rule that matches.

These rules, created with the ADD FIREWALL POLICY RULE command, are based on IP address, port, protocol, date and time. In addition, the processing of ICMP packets, IP packets with options set and ping packets can be enabled or disabled on a per-policy basis using the ENABLE FIREWALL POLICY command and the DISABLE FIREWALL POLICY command.

The ACTION parameter specifies what the firewall should do with traffic that matches the selectors defined for this rule. If ALLOW is specified, the traffic will be permitted to pass through the firewall. If DENY is specified, the traffic will be prevented from passing through the firewall. If NONAT is specified, any traffic that matches the rule will not have a NAT translation performed on it, should a NAT relationship exist for the interfaces involved. If NAT is specified, the NATTYPE parameter should be used to specify whether the NAT rule performs DOUBLE, ENHANCED, REVERSE or STANDARD NAT translation. The values NONAT and NAT implicitly allow traffic through the firewall.

A rule specified with ACTION=NAT takes precedence over NAT relationships specified by the ADD FIREWALL POLICY NAT command.

A rule specified with ACTION=NAT implicitly allows traffic that matches the rule. Care should be taken when defining the rule so only the desired traffic will be permitted through the firewall.
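The following is an added illustration, not code from Allied Telesis or from the release note, of the two points above: rules for an interface are walked from the lowest number to the highest and the first match decides, and a rule with ACTION=NAT (or NONAT) lets matching traffic through just as ALLOW does. The ordering and ACTION semantics come from the note; the field names, the day/time encoding, the interface name vlan1 and the sample addresses and rules are assumptions constructed for the demonstration. NAT address substitution (GBLIP, GBLREMOTEIP) is carried as rule data but not modelled.

```python
"""Added illustration of first-match firewall policy rule evaluation.

Not Allied Telesis code. Ordering (lowest rule number first, stop at the
first match) and ACTION meanings (ALLOW, DENY, NAT, NONAT; NAT and NONAT
implicitly allow) follow the release note. Field names, the day/time
encoding and the sample rules are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address
from typing import List, Optional, Set, Tuple

IMPLICIT_ALLOW = {"ALLOW", "NAT", "NONAT"}   # NAT and NONAT imply ALLOW


@dataclass
class Rule:
    number: int
    action: str                              # ALLOW | DENY | NAT | NONAT
    interface: str
    protocol: str = "ALL"                    # ALL matches any protocol
    ip: Optional[Tuple[str, str]] = None     # inclusive source address range
    port: Optional[Tuple[int, int]] = None   # inclusive destination port range
    days: Optional[Set[str]] = None          # e.g. {"MON", ...}; None = any day
    after: Optional[str] = None              # "HH:MM" window start (inclusive)
    before: Optional[str] = None             # "HH:MM" window end (inclusive)
    nattype: Optional[str] = None            # STANDARD/ENHANCED/REVERSE/DOUBLE
    gblip: Optional[str] = None              # public address when action == NAT


@dataclass
class Packet:
    interface: str
    protocol: str
    src: str
    dst: str
    dport: int
    when: datetime


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every selector set on the rule agrees with the packet."""
    if rule.interface != pkt.interface:
        return False
    if rule.protocol != "ALL" and rule.protocol != pkt.protocol:
        return False
    if rule.ip is not None:
        lo, hi = (ip_address(a) for a in rule.ip)
        if not lo <= ip_address(pkt.src) <= hi:
            return False
    if rule.port is not None and not rule.port[0] <= pkt.dport <= rule.port[1]:
        return False
    if rule.days is not None and pkt.when.strftime("%a").upper() not in rule.days:
        return False
    hhmm = pkt.when.strftime("%H:%M")        # zero-padded, so string compare works
    if rule.after is not None and hhmm < rule.after:
        return False
    if rule.before is not None and hhmm > rule.before:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the rules from the lowest number to the highest and return
    (action, rule_number) of the first match. With no match the verdict is
    "NOMATCH"; this page of the note does not state the default for that
    case, so it is left to the caller."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.action == "NAT" and rule.nattype is None:
            raise ValueError(f"rule {rule.number}: NATTYPE is required with ACTION=NAT")
        if matches(rule, pkt):
            return rule.action, rule.number
    return "NOMATCH", None


def permitted(verdict: str) -> bool:
    """NAT and NONAT let the traffic through just as ALLOW does."""
    return verdict in IMPLICIT_ALLOW


# --- constructed sample: a NAT rule that shadows a later DENY ---------------
LAN = ("192.168.1.1", "192.168.1.254")       # private side hosts (assumed)
NAT_RULE = dict(action="NAT", interface="vlan1", protocol="TCP", ip=LAN,
                nattype="STANDARD", gblip="203.0.113.2")
DENY_TELNET = dict(action="DENY", interface="vlan1", protocol="TCP", port=(23, 23))

# Intent: block outbound telnet, NAT everything else. Rule 1 matches telnet
# first and, because NAT implicitly allows, rule 2 is never consulted.
SHADOWED = [Rule(1, **NAT_RULE), Rule(2, **DENY_TELNET)]
# Fix: give the DENY the lower number so it is evaluated before the NAT rule.
CORRECTED = [Rule(1, **DENY_TELNET), Rule(2, **NAT_RULE)]

# Web access only in office hours (Mon-Fri 08:00-18:00); anything else falls through.
OFFICE_HOURS = [Rule(1, "ALLOW", "vlan1", "TCP", ip=LAN, port=(80, 80),
                     days={"MON", "TUE", "WED", "THU", "FRI"},
                     after="08:00", before="18:00")]

TELNET = Packet("vlan1", "TCP", "192.168.1.10", "198.51.100.7", 23, datetime(2024, 1, 8, 10, 0))
WEB_MON = Packet("vlan1", "TCP", "192.168.1.10", "198.51.100.7", 80, datetime(2024, 1, 8, 10, 0))
WEB_SAT = Packet("vlan1", "TCP", "192.168.1.10", "198.51.100.7", 80, datetime(2024, 1, 6, 10, 0))

if __name__ == "__main__":
    for name, rules, pkt in [("shadowed", SHADOWED, TELNET), ("corrected", CORRECTED, TELNET),
                             ("web/Mon", OFFICE_HOURS, WEB_MON), ("web/Sat", OFFICE_HOURS, WEB_SAT)]:
        verdict, num = evaluate(rules, pkt)
        print(f"{name:10s} -> {verdict} (rule {num}) permitted={permitted(verdict)}")
```

The shadowed set is the mistake the note warns about: the broad NAT rule sits at the lowest number, so the telnet packet is NAT-translated and passed before the DENY is ever reached. Renumbering so the DENY comes first, or narrowing the NAT rule's IP and port selectors, restores the intended behaviour.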

The GBLIP parameter specifies a single IP address that is matched to the destination address of packets received on a public interface. The GBLIP parameter also specifies the global IP address to be used as the public IP address for private side devices if NAT is active on the interface, or if the value specified for the ACTION parameter is NAT.

The GBLPORT parameter specifies the port number, service name, or range of port numbers that apply to the rule if NAT is active on an interface.

The application of the GBLREMOTEIP parameter changes depending on the type of interface it is applied to. If the INTERFACE parameter specifies a public interface, it specifies a single IP address that is matched to the source IP address of packets received on that interface. If the INTERFACE parameter specifies a private interface, the GBLREMOTEIP parameter will be substituted as the destination address for packets received on the interface. This parameter should only be specified when the ACTION parameter is NAT and the NATTYPE is REVERSE or DOUBLE.

The IP parameter specifies a single IP address or a range of IP addresses that match the source address of packets received on a private interface. The IP parameter also specifies the IP address to be used as the private IP address for private side devices if NAT is active on the interface, or if the value specified for the ACTION parameter is NAT.

The NATTYPE parameter may only be used when the value specified by the ACTION parameter is NAT. It specifies whether the NAT rule performs DOUBLE, ENHANCED, REVERSE or STANDARD NAT. DOUBLE NAT

Software Release 2.3.1 C613-10325-00 REV B

Allied Telesis AT-AR300 manual Release Note