
Security Configuration Command Set
Configuring Access Lists
14-166 Matrix NSA Series Configuration Guide
destination Specifies the network or host to which the packet will be sent. Valid options for expressing destination are:
• IP address (A.B.C.D)
• any - Any destination host
• host source - IP address of a single destination host
destination-wildcard (Optional) Specifies the bits to ignore in the destination address.
icmp-type (Optional) Filters ICMP frames by ICMP message type. The
type is a number from 0 to 255.
icmp-code (Optional) Further filters ICMP frames filtered by ICMP
message type by their ICMP message code. The code is a
number from 0 to 255.
operator port (Optional) Applies access rules to TCP or UDP source or destination port numbers. Possible operands include:
• lt port - Match only packets with a lower port number.
• gt port - Match only packets with a greater port number.
• eq port - Match only packets on a given port number.
• neq port - Match only packets not on a given port number.
• range min-sport max-sport - Match only packets in the range of source ports.
• range min-dport max-dport - Match only packets in the range of destination ports.
tos-extensions (Optional) Applies access rules to the precedence and/or tos fields, or to the DiffServ field. That is, you can specify one or both precedence and tos fields, or you can specify the DiffServ field. Use the following keyword/value pairs to specify the tos-extensions:
• precedence value (0-7) - Match packets based on the IP precedence value.
• tos value (0-15) - Match packets based on the IP Type of Service value.
• dscp value (0-63) - Match packets based on the Diffserv codepoint value.
established (Optional) Applies TCP restrictions to established connections only.
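
The destination-wildcard and operator port parameters above, as an added example (not code from this guide): a Python matcher that evaluates both against constructed packets, and shows what a rule matches when a subnet mask is typed where the wildcard belongs. It assumes a 1 bit in the wildcard marks an ignored bit and that range is inclusive; the rule dictionaries, packet list and function names are hypothetical.

```python
import ipaddress

def dest_matches(rule_dest, wildcard, packet_dest):
    """True when packet_dest equals rule_dest on every bit the wildcard does not ignore."""
    if rule_dest == "any":
        return True
    rule = int(ipaddress.IPv4Address(rule_dest))
    pkt = int(ipaddress.IPv4Address(packet_dest))
    # Assumption: a 1 bit in the wildcard marks a bit to ignore (inverse mask).
    ignore = int(ipaddress.IPv4Address(wildcard)) if wildcard else 0
    care = ~ignore & 0xFFFFFFFF
    return (rule & care) == (pkt & care)

# Port operators from the parameter table; lt and gt are strict comparisons.
PORT_OPS = {
    "lt": lambda port, a: port < a[0],
    "gt": lambda port, a: port > a[0],
    "eq": lambda port, a: port == a[0],
    "neq": lambda port, a: port != a[0],
    "range": lambda port, a: a[0] <= port <= a[1],  # assumed inclusive
}

def port_matches(operator, operands, port):
    """Evaluate one port operator; a rule with no operator matches any port."""
    return operator is None or PORT_OPS[operator](port, operands)

def rule_matches(rule, packet):
    return (dest_matches(rule["dest"], rule.get("wildcard"), packet["dst"])
            and port_matches(rule.get("op"), rule.get("ports", ()), packet["dport"]))

# Constructed sample: the intent is "port 443 traffic to 10.1.2.0/24".
INTENDED = {"dest": "10.1.2.0", "wildcard": "0.0.0.255", "op": "eq", "ports": (443,)}
# Same rule with a subnet mask typed in place of the wildcard.
MISTYPED = {"dest": "10.1.2.0", "wildcard": "255.255.255.0", "op": "eq", "ports": (443,)}

PACKETS = [  # constructed test packets
    {"dst": "10.1.2.77", "dport": 443},    # inside the intended subnet
    {"dst": "192.168.9.0", "dport": 443},  # unrelated network, last octet 0
    {"dst": "10.1.2.77", "dport": 8443},   # right host, wrong port
]

def audit(rule):
    """Return, per sample packet, whether the rule matches it."""
    return [rule_matches(rule, p) for p in PACKETS]

if __name__ == "__main__":
    print("intended:", audit(INTENDED))
    print("mistyped:", audit(MISTYPED))
```

With the mask inverted, the rule stops matching the intended subnet and instead matches any address whose last octet is 0, which is why reviewing wildcard values against a few known addresses is worth doing before applying an access list.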