Firewall CLI Commands

Non-Unicast packet handling - Packets with broadcast or multicast destination addresses are dropped in either direction by default; they must be allowed explicitly.

This default makes it easy to deny IP broadcast/multicast packets through the firewall. To allow them, you must issue the ip firewall ip-broadcast or ip firewall ip-multicast command and also set a policy that permits the traffic.

IP Packets with options - Packets carrying IP options are dropped in either direction by default. You must permit options explicitly for each direction.

Naming conventions - Any firewall object name must use only these alphanumeric characters: A - Z (upper or lower case), 0 - 9, - (dash), or _ (underscore). All firewall object names are case-sensitive.

TCP/UDP/ICMP Filter - Filters TCP, UDP, or ICMP packets and assigns an idle session timeout for their inspection with ip firewall tcp, ip firewall udp, and ip firewall icmp.

Non-TCP/UDP Filter - Defines packet filtering for protocols other than TCP and UDP with ip firewall filter. Because these packets are dropped by default, to allow any other IP protocol to pass through the firewall you must specify a filter object with the correct source/destination IP addresses and IP protocol ID.

Java and ActiveX - Allows HTML pages with Java and ActiveX content through the firewall with the ip firewall java and ip firewall activex commands. Options include allowing from all or selected IP addresses, or denying from any IP address.

System Filter - Specifies interface-mode filtering with the ip firewall ip-options (for loose or strict source routing through the Internet, trace routes, or recording time stamps), ip firewall ip-broadcast (for DHCP, for example), and ip firewall ip-multicast (for routing) commands.
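The default-deny behaviour spelled out in the bullets above, modelled as an added Python example (illustration written for this page, not Enterasys code; the layouts of the config and filter objects, the sample addresses, ports and timeouts are assumptions):

```python
"""Added model of the XSR firewall defaults described in the bullets above.
This is illustration code written for this page, not Enterasys code: it
reproduces the default-deny rules (non-unicast and IP-options packets drop
unless explicitly permitted; TCP, UDP and ICMP pass only through a configured
filter, which also fixes the idle session timeout; any other IP protocol needs
an ip firewall filter object whose protocol number and source/destination
addresses match) and the object naming rule. The shapes of the config and
filter objects and the sample values are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Naming convention: A-Z, a-z, 0-9, dash and underscore only; names are
# case-sensitive, so "Inside" and "inside" are two different objects.
NAME_RE = re.compile(r"[A-Za-z0-9_-]+")


def valid_object_name(name: str) -> bool:
    return NAME_RE.fullmatch(name) is not None


@dataclass
class Packet:
    src: str
    dst: str
    proto: int                 # IP protocol number: 1 ICMP, 6 TCP, 17 UDP, 47 GRE ...
    dport: int = 0             # TCP/UDP destination port; 0 for other protocols
    has_options: bool = False  # IP header carries options (source route, record route, timestamp)


@dataclass
class ProtoFilter:
    """Assumed shape of an ip firewall filter object: protocol ID plus endpoints."""
    name: str
    proto: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class LoadedConfig:
    """What the inspection engine holds after ip firewall load (assumed shape)."""
    ip_broadcast: bool = False                   # ip firewall ip-broadcast issued
    ip_multicast: bool = False                   # ip firewall ip-multicast issued
    ip_options: bool = False                     # ip firewall ip-options issued
    tcp: dict = field(default_factory=dict)      # dport -> idle timeout (s), ip firewall tcp
    udp: dict = field(default_factory=dict)      # dport -> idle timeout (s), ip firewall udp
    icmp_timeout: Optional[int] = None           # idle timeout (s), ip firewall icmp
    filters: list = field(default_factory=list)  # ProtoFilter objects


def inspect(cfg: LoadedConfig, pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return ("allow" | "drop", idle_timeout) for one packet under cfg."""
    src = ipaddress.IPv4Address(pkt.src)
    dst = ipaddress.IPv4Address(pkt.dst)

    # Non-unicast destinations are refused in either direction unless enabled.
    # Only the limited broadcast is recognised here; a directed broadcast would
    # need the interface mask, which this model does not track.
    if dst == ipaddress.IPv4Address("255.255.255.255") and not cfg.ip_broadcast:
        return "drop", None
    if dst.is_multicast and not cfg.ip_multicast:
        return "drop", None
    # Packets carrying IP options are dropped either way unless permitted.
    if pkt.has_options and not cfg.ip_options:
        return "drop", None

    # TCP/UDP/ICMP: a configured filter admits the packet and sets its idle timeout.
    if pkt.proto == 6:
        timeout = cfg.tcp.get(pkt.dport)
    elif pkt.proto == 17:
        timeout = cfg.udp.get(pkt.dport)
    elif pkt.proto == 1:
        timeout = cfg.icmp_timeout
    else:
        # Any other IP protocol passes only through a matching filter object.
        for f in cfg.filters:
            if f.proto == pkt.proto and src in f.src and dst in f.dst:
                return "allow", None
        return "drop", None
    return ("allow", timeout) if timeout is not None else ("drop", None)


def sample_config() -> LoadedConfig:
    """Constructed configuration: web and DNS in, DHCP broadcast in, GRE from one site."""
    return LoadedConfig(
        ip_broadcast=True,                   # needed so a DHCP discover can pass at all
        tcp={80: 3600}, udp={53: 60, 67: 60, 520: 60},
        icmp_timeout=10,
        filters=[ProtoFilter("gre-to-hub", 47,
                             ipaddress.IPv4Network("10.0.0.0/8"),
                             ipaddress.IPv4Network("192.0.2.0/24"))],
    )
```

The order of the checks is the point: the broadcast and multicast tests run before the per-protocol lookup, so a DHCP discover to 255.255.255.255 needs both ip firewall ip-broadcast and a UDP 67 filter object, exactly as the Non-Unicast bullet says, and a RIP packet to 224.0.0.9 is dropped even though UDP 520 is configured because ip-multicast was never issued.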

Enable/Disable - Turns the firewall on or off with ip firewall {enable | disable}. The firewall is set per interface or globally and is disabled on all interfaces by default. If the firewall is globally disabled, a per-interface enable is ignored; if it is globally enabled, all interfaces are “on” unless you explicitly disable each port. The enable setting appears in the running-config; disable does not.

Load - Installs the completed firewall configuration in the XSR’s inspection engine with ip firewall load. To avoid conflicts with existing sessions, this command clears them. Before loading, you can perform a trial load to verify settings, or configure incrementally and check for errors between loads. You can view modified settings before loading with show ip firewall config. The delay load option schedules a load; show ip firewall general displays an outstanding delay and when it will run.

Be aware that you must copy the running-config to the startup-config file to save any changes. Commands entered at the CLI are not in the configuration until the load command is invoked, so if you omit a load and save the running-config to the startup-config file, the commands you entered will not appear in it. Several other show commands display the objects that are in effect, that is, those that have been loaded (refer to the following bullet).

Caution: Performing a load requires that you re-establish all TCP connections, including Telnet sessions and PKI links to the Certificate Authority. Also, firewall configuration changes are blocked while a load delay is pending.
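The configure / load / save workflow described under Load and in the caution, as an added Python model (illustration written for this page, not Enterasys code; the (kind, name) entries, the method names, and the duplicate-name check the trial load performs are assumptions):

```python
"""Added model of the configure / load / save workflow described above. It is
illustration code written for this page, not Enterasys code: commands typed at
the CLI land in a candidate set that show ip firewall config displays; only
ip firewall load moves them into the inspection engine (and so into the
running-config), and doing so clears every live session; copy running-config
startup-config saves only what has been loaded; and configuration changes are
refused while a delayed load is outstanding. The (kind, name) entries, the
method names, and the duplicate-name check a trial load performs are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class XsrFirewall:
    candidate: List[tuple] = field(default_factory=list)  # typed at the CLI, not yet loaded
    loaded: List[tuple] = field(default_factory=list)     # in the inspection engine
    startup: List[tuple] = field(default_factory=list)    # contents of startup-config
    sessions: Set[str] = field(default_factory=set)       # live TCP/UDP/ICMP sessions
    delayed_load: bool = False                            # a delay load is scheduled

    def configure(self, kind: str, name: str) -> None:
        """ip firewall <kind> <name> ...: only the candidate set changes."""
        if self.delayed_load:
            raise RuntimeError("firewall configuration changes are blocked during a load delay")
        self.candidate.append((kind, name))

    def show_config(self) -> List[tuple]:
        """show ip firewall config: the as yet uncommitted configuration."""
        return list(self.candidate)

    def show_running(self) -> List[tuple]:
        """Firewall objects in running-config: only what has been loaded."""
        return list(self.loaded)

    def check(self) -> List[str]:
        """Errors a trial load would report. Names are case-sensitive, so only an
        exact repeat of (kind, name) collides (assumed error condition)."""
        seen, errors = set(), []
        for entry in self.candidate:
            if entry in seen:
                errors.append(f"duplicate object: {entry[0]} {entry[1]}")
            seen.add(entry)
        return errors

    def load(self, trial: bool = False) -> Tuple[List[str], int]:
        """ip firewall load: returns (errors, sessions cleared).
        A trial load, or any load that finds errors, commits nothing."""
        errors = self.check()
        if trial or errors:
            return errors, 0
        cleared = len(self.sessions)
        self.sessions.clear()    # every TCP connection, Telnet to the box included, must be re-established
        self.loaded = list(self.candidate)
        self.delayed_load = False
        return [], cleared

    def save(self) -> List[tuple]:
        """copy running-config startup-config: saves only loaded objects."""
        self.startup = list(self.loaded)
        return list(self.startup)


def walkthrough() -> dict:
    """Constructed session showing the save-before-load pitfall."""
    fw = XsrFirewall(sessions={"telnet-admin", "http-client-1"})
    fw.configure("tcp", "web-80")
    fw.configure("filter", "gre_to_hub")
    saved_early = fw.save()              # forgot to load: startup-config gets nothing
    errors, cleared = fw.load()          # commits, tearing down both sessions
    saved_late = fw.save()
    return {"candidate": fw.show_config(), "saved_early": saved_early,
            "errors": errors, "cleared": cleared, "saved_late": saved_late}
```

Run walkthrough() and compare saved_early with saved_late: the two objects you typed reach startup-config only after the load, and the load is what drops the Telnet session you are working from, so plan the load before saving and expect to reconnect.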

Display Commands - A host of firewall show commands display the firewall attributes set by each firewall configuration command. In addition, show ip firewall config displays the as yet uncommitted configuration, show ip firewall sessions displays dynamic TCP, UDP, and ICMP session data, and show ip firewall general displays summary firewall statistics such as the status of the firewall, protected and unprotected interfaces, session counters, and the number of DoS attacks.

16-20 Configuring Security on the XSR

Enterasys Networks X-Pedition™ manual, Firewall CLI Commands